According to the SANS 2015 Survey on Insider Threats, which gathered responses from 770 information security professionals across a range of industries and organization sizes, 74% are worried about the insider threat their organizations face. What is even more alarming to me is that 32% of those concerned about the threat reported they had no systems in place to prevent a potentially devastating security incident, one that could lead to financial loss and brand and reputation damage.
Insider Threats are difficult to prevent because the bad guys look like everyone else.
Also alarming was the fact that many of the respondents appeared to have limited visibility into the problem. If you cannot see the problem, you certainly cannot hope to fix it.
Over half (52%) of those interviewed stated that they are not able to even calculate what the potential damage to the organization would be from such an attack, and an alarming 44% don’t even know how much their company is spending to prevent insider threats. What is going on here?
Well, I think I have an answer to that question. The respondents stated that lack of training, not enough in the budget, and a shortage of qualified staff were the three main reasons why their defenses are floundering. But of even more concern to me is that 28% of respondents claimed that preventing insider threats isn’t even a priority. I guess organizations are so concerned about the threat from hackers that they don’t have the time or the money to deal with a potential inside threat. What they are not getting is that hackers often become “insiders” by obtaining the credentials of trusted employees, so that their activity looks like legitimate use while they perpetrate their crimes.
Only 34% of respondents said they had suffered an insider breach. Perhaps this is their rationale for not worrying about it too much, although I think 34% is quite significant. The thing is that this number is probably not even accurate, because the respondents admitted that they lack adequate detection tools; a breach you cannot detect is a breach you cannot report.
Sixty-six percent of the respondents stated that they either don’t have an insider response plan or have no incident response plan at all. I find that quite shocking in this time of constant security breaches.
Here are a few of my observations on this issue:
1. Many organizations put their security at risk by removing internal safeguards that might detect or prevent an insider threat, in order to maintain staff productivity levels. I realize that getting the job done is important, but it should not be at the expense of good security measures.
2. Many employees are given full administration rights without proper accountability, meaning no record of who used which privilege, on which system, and when. This provides an opportunity to perpetrate an insider attack with a low risk of being detected. Without privileged administration controls there is no way for security professionals to close this “security blind spot.”
3. Many companies fail to enforce a strong password policy, and many privileged passwords are shared and known throughout an IT team. When this happens it becomes very easy for a person to obtain the access they need for their nefarious deeds, and nearly impossible to attribute what was done with that access to any one individual.
If organizations want to lessen the problem of insider threat they should implement two-factor authentication, coupled with privileged access controls, and ensure system administrators only have the passwords required to access the systems for which they are responsible. Organizations must also invest in preventing and detecting the techniques behind insider incidents, such as spearphishing and access abuse, which will also help to stop more advanced external attackers. After all, if the bad guys cannot get to the systems in the first place, they cannot elevate their privileges and do more damage. Many of the more effective prevention and detection strategies used to protect against external attackers will prevent and detect internal threats just as easily.
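To make the last two recommendations concrete, here is a small detection script I have added to this post (it is my own example, not part of the SANS survey or any vendor product). It takes a map of which systems each privileged account is responsible for and runs over a handful of sshd-style "Accepted" log lines, both of which are constructed for the example. It flags three things the post complains about: an admin account accepted on a host outside its assigned scope (access abuse), an account seen from more than one source address (a shared or stolen password), and plain password logins where two-factor or key-based authentication ought to be required. Account names, host names and addresses are invented.

```python
import re
from collections import defaultdict

# Constructed for this example: which hosts each privileged account is
# responsible for. In practice this comes from the privileged access system.
RESPONSIBILITIES = {
    "alice.admin": {"web01", "web02"},
    "bob.admin": {"db01"},
}

# Constructed sshd-style auth log lines (hypothetical hosts and addresses).
SAMPLE_LOG = """\
Jan 12 09:01:10 web01 sshd[2201]: Accepted publickey for alice.admin from 10.0.5.20 port 50122 ssh2
Jan 12 09:03:44 db01 sshd[3112]: Accepted password for bob.admin from 10.0.5.21 port 50210 ssh2
Jan 12 09:07:02 db01 sshd[3140]: Accepted password for alice.admin from 10.0.5.20 port 50330 ssh2
Jan 12 09:08:15 web02 sshd[2290]: Accepted password for bob.admin from 10.0.9.99 port 41001 ssh2
Jan 12 09:09:50 web01 sshd[2305]: Accepted publickey for alice.admin from 10.0.5.20 port 50400 ssh2
Jan 12 09:11:30 db01 sshd[3170]: Accepted password for bob.admin from 10.0.9.99 port 41110 ssh2
"""

# Matches the syslog prefix, host, and the fields of an sshd "Accepted" line.
LOGIN_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_logins(text):
    """Return one dict per successful login (host, method, user, src)."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def out_of_scope_logins(events, responsibilities):
    """Accounts accepted on hosts they are not responsible for."""
    findings = []
    for e in events:
        allowed = responsibilities.get(e["user"], set())
        if e["host"] not in allowed:
            findings.append((e["user"], e["host"], e["src"]))
    return findings


def shared_credential_sources(events):
    """Accounts seen from more than one source address: a sign the
    password is shared across a team or has been stolen."""
    sources = defaultdict(set)
    for e in events:
        sources[e["user"]].add(e["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) > 1}


def password_logins(events):
    """Single-factor password logins, where two-factor or key auth belongs."""
    return [(e["user"], e["host"]) for e in events if e["method"] == "password"]


def report(text=SAMPLE_LOG, responsibilities=RESPONSIBILITIES):
    """Run all three checks and return them as one dict."""
    events = parse_logins(text)
    return {
        "out_of_scope": out_of_scope_logins(events, responsibilities),
        "shared_credentials": shared_credential_sources(events),
        "password_logins": password_logins(events),
    }


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {findings}")
```

Running it on the sample shows alice.admin logging in to db01 (outside her scope), bob.admin logging in to web02 (outside his) and bob.admin appearing from two different addresses, which is exactly the shared-password pattern from observation 3. The point is not the script but the prerequisite: you can only write the first check if privileged access is scoped per administrator, and you can only trust the second if every admin has an individual account rather than a team password.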
Cole, E. (2015). Insider Threats and the Need for Fast and Directed Response. SANS. Retrieved from http://lp.spectorsoft.com/corp/sans-survey-report