As featured in DisrputiveViews
A recent survey of IT security professionals regarding their experiences preventing and detecting insider threats within their organizations revealed some interesting and rather frightening results. Almost 75% were concerned primarily with employees, whether malicious or merely negligent, 44% of respondents said they don’t know how much they currently spend on solutions that mitigate insider threats and 45% don’t know how much they plan to spend on insider threat technology in the next 12 months.
Although organizations know insider attacks pose a salient threat, spending on insider threat defenses falls short. Without a comprehensive understanding of what they are spending to prevent the problem, it is likely that organizations also will not know what insider threat defenses they lack or where they can invest further to fill in security gaps and bolster protection against a potential insider attack.
The survey, “Insider threats and the need for a fast and directed response,” was sponsored by SpectorSoft and conducted by the SANS Institute between December 2014 and January 2015. A total of 772 IT security professionals representing a broad spectrum of industries, including the technology, government, financial, education and healthcare sectors, as well as organizations of all sizes, completed the questionnaire on their insider threat awareness and posture.
Overall, survey results indicate that most organizations have gaping security holes when it comes to protecting themselves against insider threats. In fact, 32% have no ability to prevent an insider attack, putting themselves at severe risk for significant data loss as well as for damage to their brand and reputation. And they know it’s a serious priority – almost all respondents say they’re concerned that their own insiders could be detrimental to their organization. Despite this, organizations are failing to take the required steps to remedy the problem – 52% of respondents cannot size the potential damage, while 44% do not know what they are spending to address the threat.
Insider threat awareness growing but action lacking
For more organizations, insider threats are on the radar. The vast majority of respondents admitted that they are concerned that their own insiders – including both negligent and malicious employees – could be detrimental to their organization. However, many have repeatedly failed to take the necessary steps to prevent an attack – a disconnect that creates a wide-open playing field for malicious insiders.
Also contributing to this problem is that more than 52% of survey respondents said they don’t know what their losses might amount to – and what it would be worth should it become publicly exposed or fall into the wrong hands. Without a tangible numerical value of their organization’s critical information, CIOs might not fully understand the security risks associated with that data or what kind of insider breach detection and mitigation technologies are required to prevent a potential attack.
Causes behind these security gaps are numerous, with respondents citing lack of training, lack of budget and lack of internal staff as the three most significant reasons for lack of insider threat defenses. However, in addition to budget and staffing woes, 28% of all respondents claim that insider threat detection and prevention is not even a priority in their organizations.
Incident response plans gaining traction but insider threats not a priority
As awareness of data loss gains momentum, more organizations are starting to understand the importance of incident response plans, with 69% of respondents maintaining that they currently have one in place. However, of those companies, more than half (35% of all respondents) say their plan doesn’t incorporate special provisions for insider threats. Ultimately, that means 66% of respondents either do not have an insider response plan or have no incident response plan at all.
Also, despite gaping security holes in insider threat infrastructure, two-thirds (66%) of survey respondents claim they have never experienced an insider attack – a finding that has multiple implications. For one, it indicates that insider threats are challenging to detect. The 34% of respondents that admitted to having an insider breach are likely the tip of the iceberg. Without dedicated technologies and focus to address the problem, these attacks will likely continue to fly under the radar.
The fact that two-thirds of respondents say they have not been attacked also underscores significant awareness gaps; survey data revealed that numerous companies do not make insider threats a priority, often do not have the resources or infrastructure to deter or prevent an insider attack, and have no idea how much they spend on insider threat prevention solutions, either now or in the future.