When assessing cybersecurity risks, it’s natural to devote significant attention to external threats. A recent survey by Ernst & Young LLP underscored rising concern about hacktivists, syndicates and state sponsors of cybercrime, which together were cited as more problematic than the “insider threat” – the blanket term denoting risk from both accidental and malicious activity by parties within or close to an enterprise – that has made so many headlines in recent years. In fact, internal risks topped the survey’s results in the previous two years, but lost the crown in 2014.
Is the insider threat really becoming less of a concern?
However, it’s not clear that the insider threat has actually lost any ground to its external counterpart, let alone become something CIOs and security teams can start paying any less attention to. Within the public sector in particular, the insider threat is alive and well and potentially becoming more serious, in contrast to Ernst & Young’s findings:
- A survey of 200 federal IT decision-makers, conducted by Market Connections on behalf of Fort Meade Alliance, found that “misuse” (i.e., not following policies for endpoint and network security) was the top risk identified by respondents. Fifty-two percent of them ranked it as a “prolific” threat.
- At that “prolific” rating, misuse was slightly ahead of phishing and malware (cited by 49 and 47 percent, respectively) and comfortably ahead of cyberespionage (15 percent). Data breaches, cited by 33 percent of IT personnel, were in the middle of the pack.
- New security systems were seen as the top investment priority in the near term, with two-thirds of executives regarding them as opportunities in the coming year. Further employee education and the creation of additional policies were close behind.
So which is it? Is the insider threat waxing or waning as a priority relative to traditional, external cyberattacks? This may be the wrong question to ask, or at least a false dichotomy, since enterprises obviously must cover all bases and catch issues whether they originate from within or outside. But it’s worth probing how the insider threat differs from one industry to the next – the discrepancy between the two surveys cited above is a good start.
The insider threat’s prevalence in white-collar private and public sector organizations
The insider threat has been a chief concern for years in the cybersecurity community. Experts have long outlined how the damage from deliberate or unwitting acts by company workers, suppliers and contractors could rival that of an external attack.
That’s to say that the insider threat was on the radar well prior to the National Security Agency data leakage in the summer of 2013, which is likely the most analyzed insider event, in terms of its cybersecurity ramifications, in history. In the fall of 2012, Trend Micro’s Tom Kellermann participated in a panel about the “accidental insider,” the label for an employee who puts an organization at risk without realizing it. Taken together, the NSA incident, which was caused by deliberate action, and the prospect of accidental insiders illustrate the wide range of forms that the insider threat can take.
With the insider threat, it’s also important to realize that incidents both intentional and accidental are underreported due to concerns about negative publicity, according to a report from the Software Engineering Institute at Carnegie Mellon University. Still, the numbers that we do have paint a picture of loosely followed policy and persistent risk:
- A separate document from the SEI at Carnegie Mellon found that 50 percent of companies suffered an internally initiated cyberattack in 2012. The insider threat, in one form or another, accounted for 23 percent of all cybercrime that year.
- A Loudhouse survey from earlier this year estimated that 58 percent of all information security incidents among U.K. organizations had insider origins. Trends such as the growing adoption of bring-your-own-device (BYOD) policies were cited as key contributors to the rise of insider-related risk.
- A Raytheon Company report found that while most privileged users realize that the insider threat is cause for concern, most feel that they don’t yet have the wherewithal to deal with it. Eighty-eight percent of respondents reported that they would have difficulty identifying what an insider threat looked like.
It’s an open question whether the insider threat is overrated or underrated. On the one hand, it has caused plenty of damage (e.g., it contributes to the multi-trillion dollar fraud-related losses worldwide every year), but so have outside cybercriminal syndicates and nation-states. For example, recent high-profile, sophisticated retail breaches such as the one last winter at Neiman Marcus were the products of professionals.
Ultimately, the gravity of the insider threat varies from one sector to the next. Government agencies, like the ones surveyed by Market Connections, appear highly conscious of the risks of insider activity as well as what basic mitigation strategies are available. Many white-collar organizations are well-versed in the cybersecurity and human resources measures – from keeping tabs on cloud services to enabling remote device wipe – that are essential for curbing malicious and accidental insiders, but not all companies are.
The insider threat and critical infrastructure
Enterprises that operate in critical infrastructure areas such as oil, gas and water are common victims of data breaches. A Ponemon Institute report found that 70 percent of firms in critical infrastructure suffered a breach between the summers of 2013 and 2014.
The impact of insiders on cybersecurity in critical infrastructure, however, requires more attention. The U.S. Department of Homeland Security raised concerns in its Insider Threat to Utilities report in 2011, and the warnings about what individuals could do to sabotage critical systems are still worth heeding.
“We judge that disgruntled and unstable employees in the utilities sectors will continue to pose a potential threat to the utilities sectors based on their access and intent,” wrote the report’s authors. “We judge that cyberattacks against utility-sector systems have the potential to cause significant damage and will continue to be a primary threat.”
The insider threat as a coherent, carefully analyzed category is still relatively new, especially compared to the years of research and prevention efforts that have been devoted to viruses, malware and general cybercrime. For enterprises, it’s important to continue learning from what has and hasn’t worked so far in terms of lowering risks. Are BYOD policies strict enough? Is enterprise network security adequate for protecting privileged data?
Regularly reviewing these questions is a start. Solid endpoint security and antivirus protection can shore up the organization against risk and enable security teams to better address both internal and external threats.