Bethesda, Md. – Information security staffs are so single-minded about defending their organizations from external attack that they all but ignore a threat with vastly greater potential for damage, according to a new survey to be released by SANS Institute on August 1.
As security protecting organizations from outside attack gets more formidable, attackers look for easier targets — users who already have access to an organization's most sensitive data, for example, and aren't as hard to fool as security systems.
"While deliberate/malicious insiders are always a concern, what many organizations fail to realize is that an external attack will often target a legitimate insider and trick them into causing harm," according to SANS instructor and survey report author Eric Cole, PhD. "This accidental/unintentional insider could be used as an avenue by the adversary to walk out with an organization's most sensitive data without fanfare or drama, and few organizations would be able to even know it had happened."
While these attacks are devastating, few organizations seem to realize that even when the origin of an attack is external, the ultimate entry point for the attacker was an insider who was tricked or manipulated into causing harm. Survey respondents understand the risk. When asked to rank attackers according to the amount of damage they could do, only 23% of respondents said attackers from outside would do the most damage; 36% said the worst breaches would come from unintentional insiders, and 40% said malicious insiders would cause the greatest damage.
Few seemed to have any idea how much damage was involved, however. Forty-five percent of respondents said the cost of a potential loss was "Unknown," while 33% said they had no specific estimate of cost.
That seems surprising, but few organizations reported having insider-detection programs thorough enough to reliably detect insider threats, according to Cole. That same lack of visibility would make it difficult to identify the scope of a potential insider attack or estimate the cost of recovering from it.
Data showing 62% of respondents have never experienced an insider attack probably also indicate low visibility, but not low risk, according to Cole. Thirty-eight percent of respondents said the systems and methods they use to monitor insider activity are ineffective, which makes it even less likely that they could identify an insider attack in progress.
Inability to see is one thing; reluctance to prepare is another. Only 18% of respondents said they have formal incident-response plans that include potential insider attacks, though 49% said they are developing such a plan; 31% of respondents said they have no formal program in place or preparations to deal with threats from insiders.
"Malicious insiders have always been a threat, but the risk is increasing from 'unintentional' insiders that are tricked into giving their login information to callers from fake help desks or clicking on attachments that release password-stealing malware," according to Cole. "Every organization is only one click away from a potential compromise."
Eric Cole will discuss the full results of the survey and his analysis in a webcast August 1 at 1 PM EDT, sponsored by Dtex Systems, Haystax Technology and Rapid7, and hosted by SANS. Register to attend the webcast at www.sans.org/webcasts/103917.
Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and insider threat expert Eric Cole, PhD.
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master's degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their 'human' cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (https://www.sans.org)