Insider Threats Increase, But Damage Is Minimal

According to conventional IT wisdom, an insider is the source of the most potential damage in a security breach. If that's true, however, insiders so far aren't living up to their potential, according to a new report.

The Computer Security Institute's annual Computer Crime and Security Survey, which is scheduled for release later this week, reports that insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise. Nearly 60 percent of respondents have experienced insider-related events in the past 12 months, while only 52 percent of companies reported a virus incident. (See Annual CSI Study: Cost of Cybercrime Is Skyrocketing, CSI/FBI: Violations, Losses Down, and 10th Annual CSI/FBI Survey .)

Yet while the average annual cybercrime losses per company more than doubled in the past year, almost two thirds (63 percent) of respondents said that losses due to insider-related events accounted for 20 percent or less of those losses.

Insider abuse of Internet access was the most frequently-cited incident among the CSI survey respondents, at 59 percent. Fifty percent cited the loss or theft of laptop or mobile devices, while 25 percent cited misuse of instant messaging services. Another 25 percent said they had experienced "unauthorized access to information" in the past 12 months, and 17 percent said they have suffered loss or theft of customer/employee data. Seventeen percent of respondents said they have detected misuse of their wireless networks.

While laptop theft is not necessarily part of the "insider attack" category, it does seem clear from the data that most security incidents companies experienced in the past year were instigated by the action of an employee -- an attack or a mistake -- as opposed to attacks from outside the company.

Yet only 37 percent of respondents said that losses due to insiders exceeded 20 percent of their total cybercrime losses. Sixteen percent said that insider attacks accounted for more than 60 percent of their cybercrime losses, and just 5 percent said that insiders accounted for more than 80 percent of their losses (down from 7 percent in 2006).

"A great deal is made of the insider threat, particularly by vendors selling solutions to stop insider security infractions," the report observes. "It's certainly true that some insiders are particularly well-placed to do enormous damage to an organization, but this survey's respondents seem to indicate that talk of the prevalence of insider criminals may be overblown."

However, detailed information about security incidents and data losses remains elusive, the report concedes. Some 30 percent of respondents stated that, despite new laws concerning breach disclosure, they experienced at least one incident that was never reported outside the organization. Only 29 percent reported incidents to law enforcement agencies.

Twenty-six percent said they did not report their incidents to law enforcement because of fears of negative publicity. Twenty-two percent said they believed law enforcement would be unable to help them, and 14 percent said they feared their competitors would use the breach reports to their advantage.

"Perhaps the most interesting finding among these new answers is that only about a third of respondents said their security policies didn't change in the wake of incidents," the report says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.