
9/13/2016
06:30 PM

Insider Incidents Cost Companies $4.3 Million Per Year On Average

Breaches caused by external attackers posing as insiders are the most financially damaging, Ponemon Institute survey finds.

Careless users and contractors continue to be the biggest source of insider incidents at most organizations. But external attackers posing as legitimate users via stolen credentials can cause far more financial damage, a new survey by the Ponemon Institute shows.

Ponemon polled 280 IT and security practitioners from 54 medium to large organizations between April and July this year. The findings show that nearly four years after Edward Snowden’s famous data leaks, the insider threat remains as intractable a problem as ever for many organizations.

The survey, sponsored by security vendor Dtex Systems, reports a total of 874 insider incidents across respondent organizations over the past 12 months. A total of 568 of those incidents were caused by employee or contractor negligence, 191 were tied to malicious employees and criminals, while 85 were caused by outside imposters with stolen credentials.

Cumulatively, security incidents stemming from negligent and careless employees or contractors cost the most money. Organizations spent about $2.3 million annually dealing with the fallout from such incidents, at an average of about $207,000 per incident, the study found.

In contrast, the annualized cost from all imposter-related breaches was relatively lower, at $776,000. But the cost per incident involving imposters was $493,000 — much higher per incident than breaches caused by negligence and carelessness and those caused by malicious insiders.

On average, the organizations in Ponemon’s survey reported spending $4.3 million in total on insider-related incidents over the past 12 months. The costs tended to vary by organization size. Large organizations with more than 75,000 employees spent more than $7 million annually, while smaller organizations with between 1,000 and 5,000 employees spent around $2 million.

The costs encompass monitoring and surveillance, investigation, response, containment, incident analysis, and remediation. 

Organizations implementing security controls to mitigate insider threats should consider the threat posed by external adversaries in their planning, says Larry Ponemon, chairman and founder of the Ponemon Institute.

"Our benchmarking suggests that while the number one insider problem is negligence, the most expensive are those involving credential theft," Ponemon says. "The issue is important because a lot of companies don't see credential theft as an insider threat."

Security incidents caused by insiders have been a long-standing issue for organizations. Former NSA analyst Snowden’s data leaks on the government’s surveillance operations back in 2012 are often cited as one of the most dramatic examples of the damage that an insider with privileged access to enterprise networks can do.

But such incidents are more the exception than the rule. A vast majority of insider breaches come from more banal causes such as someone inadvertently emailing or publishing a list containing sensitive data, or losing a mobile device with unencrypted files.

"The main takeaway is that not having the right people and the right technologies can be very costly for organizations," Ponemon says.

Companies should look beyond their existing security toolset and consider using behavioral analytics technologies to spot anomalous behavior, he says. They should also consider ramping up employee awareness and training, he adds.

"The training programs that companies have are just not very good," he says. "They are really focused on check-the-box compliance requirements to show everyone that your company is training on data protection."

Evidence shows that good training can make a difference. "But most companies are penny-wise and pound-foolish," Ponemon says.

The full report is here


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
JulietteRizkallah,
User Rank: Ninja
9/26/2016 | 12:19:55 PM
Re: Dealing with insider threats
It seems easy to say: let's terminate negligent employees, but establishment of negligence vs. lack of training or even in some cases tricky social engineering makes it impossible to apply a fair rule in most of the cases. There isn't any silver bullet and protecting data takes work and commitment, starting with a strong governance of who has access to what data vs. who should have access.
Chief Security Officer,
User Rank: Apprentice
9/13/2016 | 9:15:22 PM
Dealing with insider threats
Periodic training and awareness must continue to be provided within the organization. However, I think this should be accompanied by organizations following through with consequences directed at the negligent employees. That is, loss of privileges and perhaps even termination. An employee seeing these consequences leveraged against others may be even more cognizant of the training provided and implement principles of the same.