Report: Little Being Done to Combat Insider Threats
Despite high-profile cases of employees stealing information from intelligence agencies and the military, companies and organizations are taking few steps to thwart insider threats, a recently released report said.
“This is mind-boggling considering the sensitivity of this data. This is one of the most alarming trends and it has gotten worse but no one is doing much of anything to combat it,” said Holger Schulze, founder of LinkedIn’s Information Security Community, which comprises more than 260,000 cyber security professionals.
A survey of 500 cyber security professionals in the community showed that the concern about insider threats is growing but organizations are not increasing their budgets accordingly. “Everyone has the same perception. Everybody is experiencing the same issues,” Schulze said.
Seventy percent of respondents said insider threats have grown in frequency within the past 12 months, and that they feel moderately to extremely vulnerable to such attacks. Only 34 percent said that they expect their organizations' budgets to address the issue, according to the report, "Insider Threat Spotlight Report," sponsored by Vectra Networks, a cyber security firm.
Sixty-two percent said insider attacks are far more difficult to detect and prevent than external attacks, as insiders already have credentialed access to sensitive information and systems. That makes it harder to spot red flags.
Respondents included executives, managers and IT security practitioners representing organizations of varying sizes across many industries, according to the report.
Schulze said attitudes are similar to those experienced years ago when companies and government organizations didn't take cyber espionage seriously. They didn't want to invest money into preventing an attack that might not happen.
“It was like investing in security was like investing in insurance,” Schulze said. “Five years ago there was a possibility that you couldn’t get hacked, but now there’s almost 100 percent certainty that you will. It’s not a matter of 'if,' it’s a matter of 'when.'”
Less than 50 percent of organizations actually have appropriate strategies to prevent internal attacks, with just 21 percent continuously monitoring user behavior within their network, the report said.
“It all comes down to organizational priorities, complacency and legal pressure,” Schulze said. “There seems to be this dichotomy with insider threats and attacks and damage going up, but at the same time only less than half of these entities are considering raising budgets to combat threats.”
There are some relatively simple steps cyber security professionals within organizations can take to detect an employee stealing data or intellectual property, he said.
“There needs to be an implementation of database monitoring for suspicious behavior,” he said. Employees looking up sensitive data at 2 a.m., for example, in large quantities, should set off some kind of alarm, Schulze said. “There needs to be a better implementation of basic policies. Data should only be available on a need-to-know basis. There should be a separation of duties so that not that many people have access to information outside of their own work. If you’re not encrypted, get encrypted.”
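The kind of alarm Schulze describes can be expressed as a simple rule over database audit records. The following is an added example, not code from the report or from anyone quoted: the record layout, the business-hours window and both thresholds are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit records: (timestamp, user, rows returned by the query).
AUDIT_LOG = [
    ("2024-03-04 10:15:00", "alice", 40),
    ("2024-03-04 14:30:00", "alice", 55),
    ("2024-03-05 11:05:00", "alice", 35),
    ("2024-03-06 02:10:00", "alice", 12),    # off-hours but small: no alert
    ("2024-03-04 09:45:00", "bob", 60),
    ("2024-03-05 15:20:00", "bob", 80),
    ("2024-03-06 02:03:00", "bob", 9000),    # off-hours and large
    ("2024-03-06 02:41:00", "bob", 7500),    # same hour, adds to the total
]

BUSINESS_HOURS = range(8, 19)  # assumed policy: 08:00-18:59 local time
VOLUME_FACTOR = 10             # assumed: alert above 10x the user's usual hourly volume
MIN_ROWS = 1000                # assumed floor, also used when a user has no baseline

def flag_off_hours_bulk_reads(records):
    """Return (user, hour, rows, limit) for off-hours hours with unusually large reads."""
    hourly = defaultdict(int)  # (user, hour bucket) -> total rows read in that hour
    for ts, user, rows in records:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        hourly[(user, t.replace(minute=0, second=0))] += rows

    # Per-user baseline: hourly volumes seen during business hours.
    baseline = defaultdict(list)
    for (user, hour), rows in hourly.items():
        if hour.hour in BUSINESS_HOURS:
            baseline[user].append(rows)

    alerts = []
    for (user, hour), rows in sorted(hourly.items()):
        if hour.hour in BUSINESS_HOURS:
            continue
        typical = median(baseline[user]) if baseline[user] else 0
        limit = max(MIN_ROWS, VOLUME_FACTOR * typical)
        if rows > limit:
            alerts.append((user, hour.strftime("%Y-%m-%d %H:00"), rows, limit))
    return alerts

if __name__ == "__main__":
    for user, hour, rows, limit in flag_off_hours_bulk_reads(AUDIT_LOG):
        print(f"ALERT {user}: {rows} rows read in the hour starting {hour} (limit {limit})")
```

Comparing each user against their own daytime volume keeps a single 2 a.m. lookup from raising an alert while still catching a bulk read; the rule does not treat weekends or shift workers specially.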
The biggest insider threat comes from privileged users such as managers, because they have the most access to sensitive information, the report found. The second biggest threat is company contractors and consultants, with regular employees coming in third.
“That makes combating these issues in defense spaces even harder because these are the people that we trust with our data,” he said. “They may look like a trusted employee of a government entity but they can be working for another entity. They could be disgruntled employees. They could be motivated by money.”
However, background checks may not be the answer. “Background checks don’t get everything. They can’t look into someone’s mind and intentions,” Schulze said. Increasing the frequency of background checks may help, but it is only a piece of the “multilayered problem that needs a multilayered solution.” Frequent checks may not be realistic, Schulze said.
“I don’t think there is an easy answer — that’s the crux of it. If that was the case, we would have solved this years ago,” Schulze said.
Vulnerabilities are caused by deficient data protection strategies, more sensitive data being moved beyond firewalls and onto mobile devices, and a lack of employee training and awareness, the report found.
“Risks come with modern day trends — such as moving information to cloud-based programs and use of mobile devices — and it has impacted security,” Schulze said.