Another report comes out that says insiders are a huge problem. You have to worry about the people, people. We have been saying this for years. The latest news on that front is in the 2020 Cost Of Insider Threats Global Report released by the Ponemon Institute and sponsored by ObserveIT and IBM. It does tell us a lot of things we already knew, but the details, including those about how the problem is growing, are important to note.
As always, we can count on the Ponemon folks to do a great job in capturing and analyzing data. This report includes 964 interviews with leaders from 204 companies, 48% of which are in North America. They found these organizations had experienced 4,716 incidents over the previous 12 months; the interviews ended in September 2019.
Insider threats in the report are defined as:
- A careless or negligent employee or contractor
- A criminal or malicious insider, or
- A credential thief
Let’s try on a few of these numbers…
In the last two years insider incidents have increased 47%, from 3200 in the 2018 study to 4700 in this one. Yes, that is a lot. Of those incidents, 62% were due to insider negligence: just not paying attention and making mistakes. Criminal or malicious insiders, the ones you really hate to deal with, accounted for 23%, leaving 14% attributed to the criminals that steal insider credentials in order to act (that doesn’t mean they don’t do that from one of the other two categories, IMHO).
The cost of insider issues
When evaluating the costs to deal with these issues, though, the ranking sort of goes in reverse.
Here are some of the highlights from the exec summary:
- It takes an average of more than two months to contain an insider incident.
- To deal with the consequences of an insider incident, smaller-sized organizations (those with a headcount below 500) spent an average of $7.68 million annually. The larger ones spent more than double that, $17.92 million.
- All types of insider threat are increasing.
- To put it into perspective, they gave us a chart of what that 62% of the total 4716 incidents looks like. The big doughnut is impressive, showing 2962 of the cases involved insider negligence. That is almost as many as all the cases in the last report in 2018.
But wait, there’s more… (I know, but it is there in my head)
Insider issues continue to grow, not decline
The number of events each company deals with is increasing; it is not just that some folks are having more. Everyone is having more. The only areas that went down were the number of companies with 1-10 and 11-20 incidents in the year. Those went down a total of 5%, while the number with 21-30, 31-40, and more than 40 rose a total of 7%. I know I love numbers, but clearly it is not getting better; it is only getting much worse.
As they told us up front, all three types are getting worse.
It looks even worse if they break out just the North American numbers. We are definitely the leaders here.
A big part of the problem is the time it takes to figure out you have an insider issue. Only 14% of the cases took under 30 days.
When to know you are at risk
This was one of the best lists in the whole thing. If only we could get people to read it and think about their organizations honestly. Hmmm, how to get that done? Added to the to-do list.
Five signs that your organization is at risk
1. Employees are not trained to fully understand and apply laws, mandates, or regulatory requirements related to their work and that affect the organization’s security.
2. Employees are unaware of the steps they should take to ensure that the devices they use—both company issued and BYOD—are secured at all times.
3. Employees are sending highly confidential data to an unsecured location in the cloud, exposing the organization to risk.
4. Employees break your organization’s security policies to simplify tasks.
5. Employees expose your organization to risk if they do not keep devices and services patched and upgraded to the latest versions at all times.
They did include a list showing the cost savings if you undertook some preventative or mitigating activities.
Smaller companies should be able to address several of these options. Privileged access management alone is a great start. I think we mentioned user training and awareness a few thousand times. Strict third-party vetting procedures are a very interesting one to see on the list. And of course, having a real incident response plan. Unfortunately, employee monitoring and surveillance is one that has to become a regular item on the list of mitigations for small businesses sooner rather than later.
No matter how we look at this topic, the answers are not changing but the problems are growing. As the conclusion of this report points out, there are three basic defenses that must be addressed: people, processes, and technology. None of them will be sufficient on their own.