Despite continued spending on security measures for controlling and monitoring access to sensitive data, more organizations than ever feel vulnerable to breaches caused by insiders with legitimate access to enterprise systems.
In a survey of 508 security professionals conducted for Haystax Technology by LinkedIn’s Information Security Community and Crowd Research Partners, 74% of the respondents say their organizations are vulnerable to insider threats. That's a 7% increase from last year's survey by the groups conducting the research.
Fifty-six percent say insider threat incidents have become more frequent in their organization in the last 12 months.
The biggest concern appeared to be centered on accidental data breaches resulting from careless data handling by insiders, with 70% citing this as their biggest insider-threat fear. Almost the same proportion - 68% - fear breaches caused by insider negligence, such as willfully ignoring corporate policies. Concerns about malicious insiders ranked third, at 61%.
"Controls companies have in place for mitigating insider threats have generally not worked, and the facts support this," says Thomas Read, vice president of security analytics at Haystax.
The main reason: they don't address the root causes of insider threats. Typically, behavioral issues such as a lack of empathy or paranoia - combined with personal or organizational stressors such as a poor performance review or financial issues - are major drivers of malcious insider behavior, Read says.
"Controls on endpoints, which is generally where companies focus their insider threat efforts, only control what happens after the person is already intending to attack. An insider with knowledge of those controls will easily find a way around them," he says.
Privileged IT users such as those with access to administrative accounts top the list of people organizations are most concerned about from an insider threat perspective. Six out of ten respondents say these users pose the biggest security risk to their organization, while 57% express similar concerns over contractors, consultants, and temporary workers. Regular employees and privileged business users were the next-most worrisome from a security risk standpoint.
Customer data — because of its perceived value — is the asset that a majority of organizations think is most vulnerable to insider attacks. Financial data and intellectual property are perceived as the next biggest data targets followed by employee, sales and marketing, and healthcare data.
Nearly 60% of the respondents in the Haystax survey point to inadequate data protection strategies as contributing to an increase in insider threats. The increasing number of devices with access to sensitive data, and the increasing use of mobile devices to store and access sensitive data, are also considered major factors to the increase in insider threats.
Organizations trying to get a handle on the problem often have to overcome perceptions about being overbearing and Big Brotherly, Read says. "Communicating to your staff that you will be monitoring them can create trust challenges," he says.
In fact, insider threat program rollouts that are not properly implemented can backfire and actually increase the insider threat problem, he says. "These roll-outs could also negatively impact whistleblower programs and other efforts to make the company more transparent," he says.
The companies that are most successful at addressing the insider threat problem are the ones that have built a program with full engagement and support from both leadership and employees, according to Read. They typically have processes for ensuring that background vetting happens not only before someone is hired, but is conducted on an ongoing basis, Read says. "The selling point, quite simply, is that the background vetting doesn't stop just because you’ve been hired."
Paul Brager, cybersecurity architect at Booz Allen Hamilton, says the psychological and sociological issues behind the malicious insider threat can be daunting.
"Some industries rely on behavioral heuristics to determine which employees are more likely than not to attempt to steal information," he says. However, these models are often highly subjective and based on criteria set by the institution with little science to back it up, says Brager, who will discuss insider threats next month at Interop ITX 2017.
Organizations focused on the insider threat typically leverage technology such as rights management and data leak prevention tools, which allow them to supplement their view of users who have access to sensitive data. Many also implement measures to protect against things like "access creep" to minimize exposure, Brager says.
[Booz Allen's Paul Brager will headline a session on rooting out the insider threat on May 19 at Interop ITX, which runs from May 15-19, at the MGM Grand in Las Vegas. To learn more about his presentation, other Interop security tracks, or to register , click on the live links.]
"The last component of the approach, which is often the most difficult, is the process management effort, where organizations better manage how information is managed and stored," he says. Often this involves data classification and prioritization.
"It is the combination and balancing of these three areas that generally fuel a successful insider threat program, and organizations must invest in all three to be successful," he notes.