The recently released 2020 Cost of Insider Threats Global Report, collated by Proofpoint and Ponemon, examined the causes of insider threats within organisations, as well as how risk is being minimised.
This research, which surveyed 204 organisations worldwide and examined over 4,000 incidents, defines insider threats as:
- A careless or negligent employee or contractor;
- A criminal or malicious insider;
- A credential thief.
“With all the technology out there that is available, there is still a massive blind spot in security today,” said Rob Bolton, GM International, ITM Business Unit at Proofpoint. “In general, this is the visibility into the activity of the users and the risk that activity may introduce.
“In our world, we define users as anyone who has legitimate access to systems or data, and this can refer to any provider to the organisation or across the supply chain.”
The research found that nearly two-thirds (62%) of insider incidents examined pertained to employee or contractor negligence, while 23% were caused by criminal or malicious insiders, and the remaining 14% were related to credential theft, also known as imposter risk.
The role of Covid-19
With most employees working remotely for much of 2020, since the Covid-19 pandemic took hold, Bolton believes that any correlation between the 47% increase in cyber threats and this sudden shift “would be tough to deny”.
He explained: “Many of the security controls that organisations put in place are predicated on the worker being at the place of work to consume a lot of those controls. Even around 10 years ago, we saw this shift, people are the new perimeter and ‘work’ is something we do not a place where we go.
“Covid has certainly accelerated changes to the way we work and organisations are having to rethink the security solutions that they provide. Now, they are needing to prepare for this reality of ‘work-from-anywhere’: any user, across any device and any network. It’s simply tough for organisations”.
“Insider threats are a human problem, and our work and homes lives are becoming intertwined. This brings fatigue and carelessness; we may move files to personal cloud sharing platform, which in itself isn’t a malicious act, but often it doesn’t adhere to the best security standards or company policy.
“With Covid, we’ve seen increases in data exfiltration, shadow IT resource consumption and productivity issues, all of which may introduce additional risk into the work environment. At Proofpoint, we help organisations to look at and care about changes in employee activities in relation to the systems and sensitive data they interact with – as it’s now more important than ever to ensure that critical systems and IP are protected before an insider breach takes place.”
3 tips for supercharging your remote workforce with AI and automation
The Ponemon research goes on to address how much organisations have been spending in various security cost activity centres. On average, companies spend $644,852 per incident, with the seven activities consisting of the following:
- Containment: stopping or lessening severity ($211,553)
- Remediation: repairing and remediating systems and processes ($147,776)
- Incident Response: formation and engagement of the incident response team ($118,317)
- Investigation: uncovering source, scope and magnitude of attacks ($103,798)
- Monitoring and Surveillance: reasonable detecting and deterring attacks ($22,124)
- Escalation: raising awareness among key stakeholders ($21,805)
- Ex-post Analysis: helping to minimise future incidents ($19,480)
“If you dissect an incident and look at its anatomy, companies tend to start with monitoring and surveillance, and that is primarily driven by technology,” said Bolton. “As you work through monitoring and surveillance, escalation and containment, the shift from the direct costs of technology lessens, while the overall costs increase and indirect costs increase.
“25% of costs, direct or indirect, is on people, while 21% is on technology. To increase effectiveness and reduce cost, organisations should shift that cost to the monitoring and surveillance at the start, which helps identify the behaviour that introduces those risks in the first place.”
Over the last three years, activity centres in general saw spending rise by 60%. While remediation proved to be the second most costly area of security activity, expenditure over this period grew by the lowest amount (47%). Spending on investigation, meanwhile, grew the most (86%).
Time spent on containment
When examining the time spent by companies to contain insider incidents, those surveyed revealed an average of over two months (77 days).
35% spent more than 90 days, while 32% spent between 61 and 90 days, 20% between 30 and 60 days, and 13% less than 30 days.
“I have great sympathies for security operations teams, because they have a really difficult job,” said Bolton. “The threat landscape is constantly evolving, there’s a growing attack surface, and unfortunately, technology, with the best intent, has made security operations harder.
“Technologies used for security provide data and logs, but these technologies often aren’t interoperable, and each tool has its own view of what’s good and bad in the world based on its own threat intelligence. We also have a reduction in skilled resources, and the crux of the insider threat issue is that 76% of these incidents are caused by people who have no intent to harm their work environment.”
Forrester releases privacy and cyber security predictions for 2021
Reducing insider risk
When asked what measures are being put in place to reduce the threat of insider incidents, the most frequently cited tools and activities included user training & awareness (55% of companies), data loss protection (DLP, 54%), and user behaviour analytics (UBA, 50%).
Network traffic intelligence (38%) and privileged access management (PAM, 39%) were the least common measures listed in the report. However, PAM was found to be among the most effective, with companies saving an average of $3.1 million, second only to UBA ($3.4 million).
“Focus and completeness of solutions here are limited,” explained Bolton. “Network teams have used traffic intelligence for years, but modelling and capacity in security, while possibly finding anomalies, has no blocking or contextual knowledge in place.
“PAM’s an interesting one, because in theory it’s a great concept, with privileged users getting higher levels of access to sensitive data, which makes monitoring in this area important. However, insider threats aren’t limited to just privileged users.
“At Proofpoint, we view a modern people-centric approach as the right way forward for security teams. This provides the necessary context, the “who”, “what”, “when”, “where” and “why” of the incidents. Organisations should think less about the particular type or provider of the technology, and instead, look at how to get the right data in the hands of security staff much faster to allow them to do their jobs and select vendors through that lens.”
This article was written as part of a paid partnership with Proofpoint