Only 49% of companies have a plan to address and respond to insider security threats — even though 32% of the same companies agree that crimes perpetrated by insiders are more costly and damaging than those committed by outsiders. These are just some of the compelling statistics revealed in the 2014 U.S. State of Cybercrime Survey, a joint effort of PricewaterhouseCoopers (PwC), the Software Engineering Institute at Carnegie Mellon University, CSO magazine, and the U.S. Secret Service.
This survey of more than 500 executives from U.S. businesses, law enforcement services, and government agencies covers a range of cyber security topics, but the information related to insider incidents is particularly intriguing. Though 28% of respondents said insiders — which the survey defines as current or former employees, service providers, authorized users of internal systems, and contractors — were a source of their security events, the survey noted that many of these incidents tend to “fly under the media radar.” While that’s not hard to understand given the high-profile companies that keep finding themselves in the spotlight, lack of public exposure is likely also tied to a “mum’s the word” attitude about insider security incidents. After all, a full 75% of survey participants said they handle these events internally, with no legal or law enforcement involvement.
Battling Malicious Insider Threats
The desire to keep these insider events close to the vest does not make them any less real or any less dangerous. Though some internal security breaches are of an accidental nature (lost devices, for example), many are intentional. The PwC survey states that 16% of insider security incidents were committed for financial gain. This is an aim that, though unacceptable, is understandable. More worrisome are those attacks that are perpetrated out of curiosity (12%) and for excitement (6%).
So, how to combat insider threats? A recent article by Bloomberg Businessweek makes the case that poor morale — and poor pay — breed cyber security risks. And the PwC survey indicates that smaller companies are at greater risk than large organizations. However, regardless of company size and employee motivations, there are fairly basic safeguards companies can use to guard against these kinds of attacks:
- Know the warning signs – Only 48% of those who responded to the PwC survey said they perform employee and contractor background checks. As well, many participants said that insider incidents came with warning signs, with individuals displaying actions like IT policy violations, disruptive behavior, and poor performance reviews. Information learned through these channels is useful for assessing and monitoring risk and should not be brushed aside.
- Be smart about granting access to third parties – These days, business needs to be about more than a handshake agreement. It’s critical that companies evaluate third parties’ cyber security practices prior to launching business operations. As well, contracts with external suppliers, vendors, and service providers should have clearly defined security provisions. (Interestingly, well over 50% of PwC survey respondents fail to do these things.)
- Shore up the supply chain – Data and information are often freely shared with supply chain partners. Unfortunately, organizations rarely ask these partners to follow privacy and security policies. According to the PwC survey, only 27% of participants conduct incident-response planning with supply chain partners. A lowly 8% have supply chain risk-management capabilities.
Education Can Prevent Insider Mistakes
As stated above, not all insider security breaches are the result of intentional, malicious employee actions. But you can’t plan for mistakes, right? Wrong. As the PwC survey states:
Many insider incidents result from employee vulnerabilities such as social engineering and loss of devices — risks that could very well be mitigated by employee training.
According to the survey, training can significantly reduce costs related to security incidents — to the tune of 76%. Organizations without security awareness programs (and, specifically, new employee training) reported average annual financial losses of $683,000. Those with training totaled just $162,000 in average financial losses.
So, while organizations may not be able to mitigate every threat, there are some relatively simple answers to insider security events. Implementing a security training program is a great first step — and an excellent way to engage your employees and bring risk reduction to every desktop. Raising awareness and providing education about best practices can empower your employees and help them recognize inappropriate behaviors by business partners, vendors, and even coworkers. Knowledgeable employees can be effective advocates for better behaviors in the workplace and beyond.
Wombat Security's awareness and training methodology can help your employees recognize and respond to security threats in the workplace and beyond.