The Enemy Within: Identifying Insider Threats in Your Organization
Security professionals and managers are increasingly concerned that the leading information security risk to organizations comes from within. But despite the sinister overtones of this problem, insider threats are associated more with accidents and oversights than malicious actors.
The danger is amplified by shortfalls in training and expertise, and the challenge of protecting against threats that arise from within the basic security perimeter of the organization itself. Further complicating matters is the fact that the greatest risk comes from administrator accounts and privileged users.
A Fine Line
A crowd-based survey of 300,000 members of the LinkedIn Information Security Community, conducted by Haystax Technology, revealed growing concern about insider threats. Nearly three-quarters (74 percent) of the respondents said they felt exposed to insider threats, while 56 percent reported that insider attacks had increased in the last 12 months. Meanwhile, almost half (49 percent) were uncertain whether their own organizations had experienced such an attack.
While much of the survey explored deliberate threats and attacks, survey respondents were more concerned about accidental breaches or data leaks (71 percent) and negligent breaches (69 percent) than malicious breaches (61 percent).
The rise of social engineering threats such as phishing has surely heightened concern that insiders might be tricked into exposing data. But the line between pure mishap and negligence can be tricky to draw. Similarly, a malicious outsider might target specific data, then exploit an employee’s carelessness to gain access to it.
Targeting the Basics
For malicious insiders, the primary motive is the oldest and most familiar of all: money. CIO Insight noted that 55 percent of insider attacks sought to monetize sensitive data. Committing fraud accounted for 51 percent, with sabotage, theft of intellectual property (IP) and espionage all in the 40-percent range.
The leading specific target of insider attacks is customer data, followed by financial data and IP. Credit card account numbers are catnip for bad actors.
The leading specific point of vulnerability also has a familiar ring: Endpoints are implicated in 57 percent of attacks, far ahead of mobile devices (36 percent), networks (35 percent) and the cloud (20 percent). This may reflect the basic reality that internal endpoints are unavoidable, since old-fashioned desktops still sit on practically everyone’s desk.
Identifying Insider Threats
The group most implicated is administrators and other privileged users, who were identified by 60 percent of survey respondents. These are the users in the best position to carry out a malicious breach, and whose mistakes or negligence could have the most severe effects.
They are closely followed by contractors, consultants and temporary workers (57 percent), who may be less loyal to the organization or insufficiently trained in its systems. Employees and privileged business users account for 51 and 49 percent, respectively, while executive managers trail far behind at 31 percent.
In short, insider threats take familiar forms, but the effects are amplified because they come from within and thus don’t have to kick down the door to the organization’s network. That said, survey respondents identified insufficient data protection strategies or solutions as the leading reason why insider threats are growing. The best protection against risks from within, as well as against all threats, is a strong institutional focus on security basics.