The Insider Threat Spotlight Report (2016) has a number of compelling findings for any organisation that produces, stores or transmits sensitive data. The survey of 500 cybersecurity professionals suggests that the threat of insider agents – both malicious and unintentional – is growing by the day.
The insider threat is doubly dangerous because insiders have the opportunity and the means to steal, corrupt and otherwise damage data and systems. Citibank learned this lesson the hard way, when Lennon Ray Brown, a disgruntled Citibank computer engineer, decided to take revenge for a disappointing performance review by erasing the configuration code in nine servers. His actions caused 90% of Citibank networks across the US to lose connectivity.
According to the Insider Threat report, "Seventy-four percent of organizations feel vulnerable to insider threats. However, less than half of all organizations (42 percent) have the appropriate controls in place to prevent an insider attack."
Of course, preventing insider attacks is easier said than done. As Guy Bunker of Clearswift explained in an interview with Infosecurity, "The genie of company data is out of the bottle. In the old days company data sat on a server in the data center protected by access control and perimeter defenses. Now it's everywhere."
Employees expect freedom, autonomy and control. Employees want to bring their own devices to work and continue working when they get home. Employees unwittingly carry sensitive data onto trains, planes and taxis. The simple mistake of losing a smartphone becomes a potentially devastating act of corporate sabotage.
While the insider threat is difficult to manage, the potential financial penalties are highly motivating. "Over 75 percent of organizations estimate insider breach remediation costs could reach $500,000. Twenty-five percent believe the cost exceeds $500,000 and can reach in the millions."
A recent data breach affecting French naval contractor DCNS has led the Indian government to shelve a planned order for three submarines, resulting in many millions in lost revenue.
So what can organisations do to reduce the risks that come from within? According to the survey, 62% of respondents think employee training – and greater awareness – is part of the solution. In fact, 72% of respondents are already offering training to employees on how to identify security risks.