By: Shawn M. Thompson, Esq.
The debate surrounding this topic is not unlike a heated argument between two ideologically opposed individuals discussing politics. Each feels strongly that they are “right,” and each feels equally compelled to change the other person’s viewpoint, or metaphorically beat them into submission. Facts are often irrelevant in such political discussions. Here too, the facts are fuzzy at best and are largely based on anecdotal “research” or on incongruent proxies. “[Insiders/Outsiders] are the greatest threat to businesses because [some study said so],” is a common remark. In reality, what the speaker is really saying is that they cherry-picked a “study” that fits the narrative for what they’re selling . . . or arguing.
In full disclosure, as anyone can observe from the name of my company, I’m clearly in the business of managing “insider threats.” That said, I’ll attempt to take an objective and unbiased look at the facts and you can determine the answer for yourself.
What is the Answer?
The answer depends on who, what, and how you ask the question. There are two primary sources that serve as proxies for, and are used to approximate, the size of the problem.
The first is surveys, which are largely anecdotal responses to general questions pertaining to insider threat. Companies such as Vormetric and the Ponemon Institute regularly sponsor such surveys.
The second is data on actual breaches and compromises of information. Companies such as Verizon and IBM conduct regular research in this area. Moreover, the Association of Certified Fraud Examiners (ACFE) issues an annual report on the extent of “occupational fraud,” which is an excellent measure of insider fraud events.
There are, however, numerous measurement problems that make it difficult to assess the true nature and size of the insider threat problem.
Lack of Definitions
There is a common misunderstanding of exactly what makes an insider a threat. I’ll explore this in more detail in a subsequent blog, but for our purposes here most people narrowly define “insider threat” in the context of malicious network activity. In other words, careless employees, employee theft, fraud, sabotage, and physical violence are all left out of this definition (a sizeable portion as will be discussed in a subsequent blog).
There is also a lack of consistent definitions among these surveys and studies themselves, as each uses differing terminology for insider threat incidents, events, and breaches. Verizon and IBM, for example, focus on breaches and attacks and define them narrowly: a confirmed disclosure to an unauthorized individual, or malicious activity traced to an identified IP address.
Lack of Reporting Requirements
Lack of reporting requirements is another factor. Healthcare and other breach notification requirements notwithstanding, there is no general requirement to report insider threat events.
There is a consensus that insider threat activity is largely underreported, both inside an organization and to external sources. There is also a strong incentive to “keep quiet,” and most companies do not pursue criminal charges for this reason.
Limited to Network-centric Actions
Insider threat also tends to be lumped in with studies examining computer intrusions. This leads to a network-focused context that ignores a sizable component and source of insider threat activity: careless handling of data, theft, fraud, sabotage, and other actions that never register as a network event.
What do the surveys tell us?
According to surveys, insider threat is a growing problem: most organizations report that they experienced more insider threat incidents in the last year than in the year before.
Surveys also suggest that organizations are not prepared to prevent, detect, or manage insider threats. Most organizations do not have controls in place to monitor for insider threats, and only about a third regularly monitor user behavior.
Organizations also feel highly vulnerable to insider attack. Surveys routinely find that more than 90% of organizations feel vulnerable or highly vulnerable to insider attack.
Willingness to Engage in Threat Activities
Surveys also highlight the willingness of insiders to engage in threatening activity. According to Symantec, 50% of employees retain confidential data (corporate strategy documents and intellectual property are the most cited) upon leaving the organization; other studies put the figure above 85%. It jumps to 90% when the employees are fired or involuntarily separated (Deloitte 2016). Moreover, nearly half of these individuals intend to use the data to advance their career in their new job. Furthermore, 62% believe it is acceptable to transfer work documents to personal devices or online sharing applications, which further increases risk.
What does the actual data tell us – “Apples and Oranges”
Using data breaches as a proxy for insider threat events, as studies such as Verizon’s and IBM’s do, is a little like comparing apples and oranges. For example, according to Verizon’s study, only 20% of “breaches” are carried out by insiders. This is a bit misleading, however, because Verizon defines a breach as a “confirmed” disclosure of data to an unauthorized party. A breach is thus much more easily ascribed to an outsider since, by definition, an outsider is an unauthorized individual, whereas an insider, by definition, has some level of authorized access, which makes proving a breach, as so defined, much more difficult. When one looks at “security incidents,” however, the level of insider involvement rises to 69%, according to Verizon. An incident is defined as a security event that compromises an information asset, whether or not disclosure is confirmed. The incident metric therefore appears more reliable in determining the true level of insider threat involvement.
According to IBM, the percentage of “attacks” carried out by insiders is 60%. This initially seems straightforward; however, IBM defines an “attack” as a “security event that has been identified by network tools as ‘malicious’ and sourced to an IP address.” This definition ignores unintentional insider threat events as well as any insider threat event that cannot be sourced to an IP address. Thus, the true proportion of insider threat events is likely much greater than 60%.
According to a Ponemon Institute study of 54 companies and nearly 900 security incidents, 90% of the incidents were insider threat incidents, and 75% of those were attributed to careless insiders.
By comparison, during roughly the same time frame as the Verizon study, the Association of Certified Fraud Examiners in its 2016 report collected and analyzed 2,410 actual cases of fraud, which it defined as corruption, asset misappropriation, and financial statement fraud. This figure is larger than the total number of “breaches” reviewed by Verizon, and it further supports two points: 1) insider involvement extends well beyond network activity, and 2) the true share of insider events is likely much higher than either the Verizon or IBM figure of 60% or more, since those studies limited their definition to network-based attacks and the great majority of the ACFE cases fall outside that scope.
Lastly, a figure often cited in this research is that 90% of external attacks are facilitated by insiders . . . so even traditional “external” attacks have a large insider component!
What’s the reality?
Both surveys and actual data studies confirm the existence of a formidable and sizable insider threat problem, even if its exact scope and size are difficult to assess. Educated assessments strongly suggest that insiders are responsible for the majority of security events.
Insider threat is a growing problem and one that is still not fully understood. Both surveys and studies point to an increase in insider threat events.
Care must be taken when reviewing these studies and surveys to determine the scope, methodology, and definitions each one uses; a “breach,” an “attack,” and an “incident” are not the same thing, and the insider share changes dramatically depending on which one is counted.
Lastly, organizations feel highly vulnerable to insider threats. This is partly a result of the foregoing data points, but also a consequence of the fact that few organizations have the insider threat controls in place to obtain the visibility necessary to prevent, detect, and mitigate these threats.
Both insiders and outsiders represent threats to an organization. Each poses different challenges and requires a different approach to manage. While the foregoing facts suggest that insiders pose the greater threat, each must be formally managed and accounted for in any responsible corporate risk management program. Unfortunately, to date, most “security” dollars have been allocated to managing network security events and beefing up perimeter defenses. Perhaps this discussion will serve as an epiphany of sorts, prompting a reexamination of that model to ensure that both insiders and outsiders are adequately addressed by your organization.