Shadow Brokers, WikiLeaks, Edward Snowden, EternalBlue, WannaCry… nearly every one of these people, exploits or groups is a household name today. They all have something in common too – insider threats. Without insider threats who breach – and leak – sensitive information, none of these names would have seen nearly as much success.
It’s probably easy to believe an insider threat may not be a serious concern for your organization, but nothing could be further from the truth.
The reality is that insider threats are a danger to all organizations, big and small. Worryingly though, around 30% of insiders will put your organization at risk without even knowing it.
The impact could be devastating. Losses due to an insider threat can vary widely, but the one indicator which tends to remain consistent is that the average incident cost generally aligns with organization size. In 2016, large organizations with more than 75,000 employees, contractors, etc. spent (on average) around $7.8 million to address and resolve a single insider threat incident, while organizations with between 1,000 and 5,000 employees and contractors spent an average of $2 million per incident.
Research from our Global Threat Intelligence Center (GTIC) further highlights the seriousness of insider threats.
About 10% of NTT Security incidents so far during 2017 have been related to insider breaches, consistent with incidents from previous years. This isn't to say that only 10% of companies are experiencing breaches or complications due to insider threats, but only that 10% of the companies that have been asking for help are dealing with such breaches. While that number appears low, the characteristics of those engagements are actually more telling.
Since the beginning of 2016, only about 25% of the insider breaches for which NTT Security has been involved in incident response engagements have been related to overtly hostile activity – an inside attacker stealing corporate resources or information. The remaining 75% of insider activity has been either accidental, or related to activity better classified as negligent, or perhaps “not compliant with corporate policy”.
What this tells us is that there are not always indicators of an insider who is about to wreak havoc on an organization from within. Organizations therefore need to better understand the insider threats they may not normally consider, and appreciate that the insider threat is very real.
Just as outside threats (i.e. hackers) are not wearing ski masks while they’re attempting to infiltrate your network, the insider threat may be the person in the office just down the hall – not every insider threat is a truly malicious insider.
While instilling a security-minded culture is a critical aspect of mitigating insider threat risk, assigning personal responsibility for protecting company data, as well as determining your organization’s risk profile, will contribute to a stronger security posture.
Look out for future posts on the types of insider threats (and how to mitigate them), or download our Q3 ‘17 Threat Intelligence Report for details.