Warning against unintentional insiders
IT security teams focus so heavily on defending their organizations against outside attacks that they completely ignore a threat with far greater damage potential. That's the finding of a new survey of cybersecurity experts recently published by the SANS Institute.

According to the SANS Institute study, 76 percent of security and IT professionals surveyed said the greatest potential damage could come from a security incident brought about by an in-house or external employee with appropriate access rights. The threat is growing steadily, with 40 percent of respondents saying they consider an insider attack to be very dangerous. Another 36 percent also view unintentional insider attacks as critical to their own security measures. Only 23 percent said the greatest damage was caused by outside attacks. Yet only 18 percent have an incident response plan for insider threats in place, and 49 percent said they are currently working on it. The threat has apparently been underestimated for a long time.
Loophole comes from the insider
As corporate protection against outside attacks becomes more effective, attackers are looking for easier targets. These include users who already have access to highly sensitive corporate information and are more easily fooled than security systems. Companies are slow to respond. Although the origin of the attack is outside, the critical loophole for the attacker may have been an insider. Perhaps the insider had no malicious intent and was simply tricked by an outsider into causing damage (copying data, making transactions).
Only a small proportion seem to have any idea how much damage is involved. 45 percent of respondents were unable to quantify the cost of a potential loss. At the same time, 33 percent answered that they could not provide any information. The other figures ranged from 100,000 to 5 million US dollars. This seems surprising at first. However, only a few companies reported having insider detection programs that were thorough enough to reliably detect internal threats. The same visibility deficit would make it difficult to determine the extent of a potential insider attack or estimate the subsequent recovery costs.
Insiders with malicious intent as a threat
The survey results show that 62 percent of the study participants have never experienced an internal attack. In some circumstances, this indicates low visibility, but not automatically low risk. 38 percent of respondents described the systems and methods they use as ineffective. This makes it even less likely that they could identify an insider attack occurring.
Lack of visibility is one thing, lack of preparation is another. That's because nearly one-third (31%) of study participants reported not implementing a formal program or preparations to deal with threats from within.
"While intentional insiders acting with criminal intent always pose some risk, many organizations forget that an external attack often targets a legitimate insider and entices them to do damage," explains SANS instructor and study author Eric Cole. "This accidental insider could be used as a way by the attacker to take the most sensitive data out of an organization without anyone noticing. And few companies even know that such an incident has occurred."
"Insiders with malicious intent have always been a threat, but the risk grows when insiders who are unintentionally supposed to be inconspicuous give out information to a fake help desk or click on attachments that download malware to steal passwords."