More than Just a Headache: The True Impact of Insider Threat
In a previous blog, the size and scope of the threat posed by trusted insiders was examined, and insiders were found to be involved in the great majority of security incidents – greater than 90%. Building on this conclusion, we now turn to the types of impacts that insider threats can have on organizations (the costs of specific insider threat events will be examined in a subsequent post). Impacts refer to the adverse effects an organization experiences as a result of a security event. These adverse effects generally fall into five categories: value, operations, reputation, culture, and liability.
Value refers to the monetary qualities of the business. There are three categories of value: market value, intrinsic value, and revenue.
Insider threat events can have a direct impact on the market value of a business. For example, when the arrest of former Booz Allen contractor Harold Martin was announced, Booz Allen’s share price immediately fell by 5%. Another example involved an auditor for a large company who embezzled $5 million. Upon public disclosure of his arrest, the stock plunged 10%.
Insider threat events can also have a direct impact on the intrinsic value of a business, since intellectual property comprises 50 to 80% of a business's value. Theft of new product designs and strategies can have catastrophic consequences.
Insider events can also directly impact revenue. The intellectual property theft at American Superconductor immediately resulted in the loss of $800 million in revenue. According to Cisco, nearly one-third of businesses that suffered a breach lost more than 20% of their revenue. That’s real money!
Operations refers to the ability of a business to execute its mission. There are three general categories of operational impact: operational disruption, increased overhead, and remediation costs.
Operational disruption is difficult to quantify but includes unplanned expenses, increased staffing, inability to deliver goods and services, and excessive or new R&D costs. A detailed study by Deloitte estimated that for a large company that suffered intellectual property theft, the five-year operational disruption cost would be a whopping $1.2 billion!
Increased overhead due to necessary cyber security improvements, staff retraining, etc. also impacts business operations and can exceed $13 million for a large corporation.
According to the Ponemon Institute, the average remediation cost was $4.3 million in 2016, but decreased to $3.6 million in 2017. However, according to Deloitte, remediation costs can be much higher and exceed $10 million. This is, of course, largely fact-specific, depending on the size of the organization, the degree to which the organization was harmed, and the mitigation actions required.
Reputation impact can be assessed by examining three areas: public relations expenditures, customer relationships, and the devaluation of trade names. Reputation, although difficult to quantify, is often the second most affected aspect of the business following a compromise – second only to value.
Culture is the fourth category. Turnover runs at 24% each year, and most employees stay only 4.5 years in a position – millennials stay even less, two years on average. This results in financial and logistical problems, but also data protection problems. According to research, most employees intentionally take confidential data with them when they leave, and most will seek to use it to the detriment of the organization. Add a significant corporate impact such as a data breach to this equation and the impact on culture is dramatically magnified. This can result in additional turnover, increased distrust, and an eroding of morale, all of which can exacerbate the effects of a breach. In short, culture shapes everyday behavior, and a bad culture will lead to bad behavior.
Liability refers to the external costs that are levied on an organization. Liability costs include compliance fines, breach notification costs, increased insurance costs, and litigation costs including attorney fees. These costs can be large, ranging from $20 per customer record breached, to $3 million in litigation costs, a 200% increase in insurance costs, and fines that can exceed $1 million. Moreover, litigation settlements can exceed tens of millions of dollars for large breaches.
Insider threats can have a profound impact on an organization. Beyond the lost value of the asset that was removed, disclosed, or destroyed, organizations can suffer immediate losses of intrinsic value as well as lost revenue. The ability to deliver goods and services may also be adversely impacted, as may reputations – both corporate and individual (see the Target firings). Lastly, an insider event may impact the culture of an organization, which can lead to increased turnover and distrust, further exacerbating the effects of the breach and increasing security vulnerabilities.
Who’s the Bigger Threat: Insiders or Outsiders?
The debate surrounding this topic is not unlike a heated debate between two ideologically opposed individuals discussing politics. Each feels strongly that they are “right,” and each feels equally compelled to change the other person’s viewpoint, or metaphorically beat them into submission. Facts are often irrelevant in such political discussions, giving way instead to ideological sympathies. Here too, facts are often fuzzy at best and are largely based on anecdotal “research” or incongruent proxies. “[Insiders/Outsiders] are the greatest threat to businesses because some study said so,” is a common remark. In reality, what they’re really saying is that they cherry-picked a “study” that fits their narrative for what they’re selling . . . or arguing.
In full disclosure, as anyone can observe from the title of this blog and the name of my company, I’m clearly in the business of managing “insider threats.” That said, I’ll attempt to take an objective and unbiased look at the facts and you can determine the answer for yourself.
What is the Answer?
The answer depends on who, what, and how you ask the question. There are two primary sources that serve as proxies for the size of the problem.
The first is surveys, which are largely anecdotal responses to general questions pertaining to insider threat. Some companies, such as Vormetric and the Ponemon Institute, regularly sponsor such surveys.
The second primary source of information is data on actual breaches and compromises of information. Companies such as Verizon and IBM conduct regular research in this area. Moreover, the Association of Certified Fraud Examiners issues an annual report on the extent of “occupational fraud,” which is an excellent measure of insider fraud events.
There are, however, numerous measurement problems that make it difficult to assess the true nature and size of the insider threat problem.
Lack of Definitions
There is a common misunderstanding of exactly what makes an insider a threat. I’ll explore this in more detail in a subsequent blog, but for our purposes here, most people narrowly define “insider threat” in the context of network activity. In other words, employee theft, fraud, sabotage, and physical violence are all left out of this definition (a sizeable portion, as will be discussed in a subsequent blog).
There is also a lack of consistent definitions between these surveys and studies themselves, as each uses differing terminology related to insider threat incidents, events, and breaches. Verizon and IBM, for example, focus on breaches and attacks and narrowly define them as a confirmed disclosure to an unauthorized individual or identified IP address.
Lack of Reporting Requirements
Lack of reporting requirements is another factor. Healthcare and other breach notification reporting requirements notwithstanding, there are no requirements for reporting insider threat events.
There is a consensus that most insider threat activities are largely underreported both inside an organization as well as to external sources. There is also a general sense and an incentive to “keep quiet.” Most companies do not pursue criminal charges for this reason.
Limited to Network-centric Actions
Insider threat also tends to be lumped in with studies examining computer intrusions. This leads to a network-focused context that ignores a sizable component and source of insider threat activity.
What do the surveys tell us?
According to surveys, insider threat is a growing problem. Most organizations report an increase in insider threat incidents within the last year.
Surveys also suggest that organizations are not prepared to prevent, detect, or manage insider threats. Most organizations do not have controls in place to monitor insider threats, and only about a third regularly monitor user behavior.
Organizations also feel highly vulnerable to insider attack. Surveys routinely highlight that greater than 90% of organizations feel vulnerable or highly vulnerable to insider attack.
Willingness to Engage in Threat Activities
Surveys also highlight the willingness of insiders to engage in threatening activity. According to Symantec, 50% of employees retain confidential data (corporate strategy documents and IP are the most cited) upon leaving the organization, with other studies showing over 85%. This figure jumps to 90% when the employees are fired or involuntarily separated (Deloitte 2016). Moreover, nearly half of these individuals intend to use the data to advance their career in their new job. Furthermore, 62% believe it is acceptable to transfer work documents to personal devices or online sharing applications, which further increases risk.
What does the actual data tell us?
Apples and Oranges
Studies such as those conducted by Verizon and IBM are a little like comparing apples and oranges when data breaches are used as a proxy for insider threat events. For example, according to Verizon’s study, only 20% of “breaches” are carried out by insiders. This is a bit misleading, however, as a breach is defined by Verizon as a “confirmed” disclosure of data to an unauthorized party. A breach is thus much more easily ascribed to an outsider since, by definition, they are an unauthorized individual. An insider, by contrast, has by definition some level of authorized access, which makes a breach, as so defined, much more difficult to prove. When one looks at “security incidents,” however, the level of insider involvement rises to 69%, according to Verizon. An incident is defined as a security event that compromises an information asset. The incident metric appears more reliable in determining the true level of insider threat involvement.
According to IBM, the percentage of “attacks” carried out by insiders is 60%. This initially seems straightforward; however, IBM defines an “attack” as a “security event that has been identified by network tools as ‘malicious’ and sourced to an IP address.” This definition ignores unintentional insider threat events as well as any insider threat event that cannot be sourced to an IP address. Thus, the true number of insider threat events is likely much greater than 60%.
According to a study by the Ponemon Institute of 54 companies and nearly 900 security incidents, the percentage of insider threat incidents is 90%, of which 75% are attributed to careless insiders. By comparison, during roughly the same time frame as the Verizon study, the Association of Certified Fraud Examiners in their 2016 report collected and analyzed 2,410 actual cases of fraud, which they defined as corruption, asset misappropriation, and financial statement fraud. This figure is larger than the total number of “breaches” reviewed by Verizon and further supports that 1) insider involvement is much more than network activity and 2) is likely much higher than the IBM figure of 60%, since IBM limited its definition to “network based attacks” and the great majority of the ACFE cases fall outside of this scope.
Lastly, according to most research, 90% of external attacks are facilitated by insiders . . . so even traditional “external” attacks have a large insider component!
What’s the reality?
Both surveys and actual data studies confirm the existence of a formidable and sizable insider threat problem, the exact scope and size of which are difficult to assess. Educated assessments, however, strongly suggest that insiders are responsible for the majority of security events.
Insider threat is a growing problem and one that is still not fully understood. Both surveys and studies suggest an increase in insider threat events.
The data also strongly suggests that insiders are responsible for the majority of security events. Care must be taken when reviewing these studies and surveys, to determine the scope, methodologies, and definitions that have been used.
Lastly, organizations feel highly vulnerable to insider threats. This is a result both of the foregoing data points and of the fact that few organizations have the necessary insider threat controls in place to obtain the visibility necessary to prevent, detect, and mitigate these threats.