Preventing and detecting insider threats

SANS surveyed 772 IT security professionals regarding their experiences preventing and detecting insider threats within their organizations.

Although 74 percent are concerned primarily with employees, whether malicious or merely negligent, 44 percent of respondents said they don’t know how much they currently spend on solutions that mitigate insider threats and 45 percent don’t know how much they plan to spend on insider threat technology in the next 12 months.

Organizations know insider attacks pose a salient threat, but spending on insider threat defenses falls short. Without a comprehensive understanding of what they are spending to prevent the problem, it is likely that organizations also will not know what insider threat defenses they lack or where they can invest further to fill in security gaps and bolster protection against a potential insider attack.

Overall, survey results indicate that most organizations have gaping security holes when it comes to protecting themselves against insider threats. In fact, 32 percent have no ability to prevent an insider attack, putting themselves at severe risk for significant data loss as well as for damage to their brand and reputation. And they know it’s a serious priority – almost all respondents say they’re concerned that their own insiders could be detrimental to their organization.

Despite this, organizations are failing to take the required steps to remedy the problem – 52 percent of respondents cannot size the potential damage, while 44 percent do not know what they are spending to address the threat.

For more organizations, insider threats are on the radar. The vast majority of respondents admitted that they are concerned that their own insiders – including both negligent and malicious employees – could be detrimental to their organization. However, many have repeatedly failed to take the necessary steps to prevent an attack – a disconnect that creates a wide-open playing field for malicious insiders.

More than 52 percent of survey respondents said they don’t know what their losses might amount to – and what it would be worth should it become publicly exposed or fall into the wrong hands. Without a tangible numerical value of their organization’s critical information, CIOs might not fully understand the security risks associated with that data or what kind of insider breach detection and mitigation technologies are required to prevent a potential attack.

Causes behind these security gaps are numerous, with respondents citing lack of training, lack of budget and lack of internal staff as the three most significant reasons for lack of insider threat defenses.
However, in addition to budget and staffing woes, 28 percent of all respondents claim that insider threat detection and prevention is not even a priority in their organizations.

As awareness of data loss gains momentum, more organizations are starting to understand the importance of incident response plans, with 69 percent of respondents maintaining that they currently have one in place. However, of those companies, more than half (35 percent of all respondents) say their plan doesn’t incorporate special provisions for insider threats. Ultimately, that means 66 percent of respondents either do not have an insider response plan or have no incident response plan at all.

Also, despite gaping security holes in insider threat infrastructure, two-thirds (66 percent) of survey respondents claim they have never experienced an insider attack – a finding that has multiple implications. For one, it indicates that insider threats are challenging to detect. The 34 percent of respondents that admitted to having an insider breach are likely the tip of the iceberg. Without dedicated technologies and focus to address the problem, these attacks will likely continue to fly under the radar.

The fact that two-thirds of respondents say they have not been attacked also underscores significant awareness gaps; survey data revealed that numerous companies do not make insider threats a priority, often do not have the resources or infrastructure to deter or prevent an insider attack, and have no idea how much they spend on insider threat prevention solutions, either now or in the future.