Poor data hygiene a leading cause of costly insider security threats
Although insider threats have been a concern in cybersecurity for years, the cost of these threats is an increasingly alarming issue, and as often as not, the leading cause is poor data hygiene, says Larry Ponemon, chairman and founder of the Ponemon Institute.
Insider threats occur when employees intentionally or unintentionally misuse their access to confidential information in a way that compromises the safety of a company’s information systems.
The total average cost among 3,269 insider threats over the past year was $8.76 million, according to a new report for which the Ponemon Institute interviewed 717 IT and IT security practitioners in 159 organizations in North America, Europe, the Middle East, Africa and Asia-Pacific. The firm completed the interviews in January 2018.
“Employees are not doing some basic things to create a more secure environment, and it puts a real cost on the organizations they serve,” Ponemon explains. “And it's not maliciously deliberate; it's because of poor hygiene that translates into very large costs.”
Large organizations paid a steeper price for insider threats than smaller companies did, owing to the complexity of their organizations. Resolving insider-related incidents cost large organizations an average of $20 million over the last year compared with an average of $1.8 million for smaller companies, according to the report.
“The larger the organization, the more complexity, and when you have complexity, bad guys see more opportunities to take advantage of the organization,” Ponemon says.
Credentialed, negligent and criminal insiders: Who is more to blame?
The report cited credential risk as the costliest type of insider incident with an average of $648,846 per event compared with $607,745 for criminal and malicious insider risk and $283,281 per incident for employee or contractor negligence.
Credentialed insider threats are particularly difficult to detect, Ponemon notes.
“When someone steals valid credentials, if you don't have the right tools, security tools, you're basically not going to know whether that's authentic or whether it's a bad guy that just has honest, legitimate credentials,” Ponemon says.
In the report, 64 percent of the insider threats were due to negligent insiders compared with 23 percent of incidents caused by criminal and malicious insiders and 13 percent of attacks due to credentialed insiders.
Causes of negligence among insiders include employees being sloppy about changing passwords or inadvertently exposing data by leaving their computer screen visible when they walk around the office. Keeping generic passwords also leaves companies vulnerable to data theft. And when in a coffee shop, employees need to take steps to use a secure VPN, or a mobile hotspot device, rather than public Wi-Fi, Ponemon says.
“Normally it starts with a careless employee who is not actually taking the right steps to create a more secure environment,” Ponemon says. “It’s not malicious or deliberate. They basically find things that they prefer for efficiency, convenience, or they're really under pressure and they can't stop and take that extra 15 minutes a day to make sure that they’re following the requirements for security and privacy in the company. That's the profile of the negligent insider.”
How to guard against insider threats
Companies need to keep their insider threat strategies transparent, according to Christy Wyatt, CEO at Dtex Systems, which offers an intelligence platform to combat insider threats.
“There needs to be assurances that internal leadership won’t use collected data to abuse power,” she says.
Meanwhile, Mike McKee, CEO of ObserveIT, the insider threat management software company that sponsored the report, recommends a “holistic” approach to fighting insider threats.
“Understanding the growing costs and time associated with preventing and managing insider threats, organizations need to invest in a holistic cybersecurity solution to assist with real-time detection, deterrence, education and prevention,” he says.
Another strategy is to develop an insider threat playbook, according to McKee.
“This playbook should include people representing a cross-section of the organization: IT ops, IT security, legal, HR, risk/compliance and executive representation, as well as strong supporting technologies,” McKee says.
Going forward, intelligence technology such as automation, artificial intelligence and machine learning can play a part in combating insider threats, according to Ponemon.