Posted on by Insider Threatin
Hello, my name is Joji Montelibano, and I work in the CERT Insider Threat Center. When members of our team give presentations, conduct assessments, or teach courses, one of the most common questions is, "Just how bad is the insider threat?" According to the 2010 CyberSecurity Watch Survey, sponsored by CSO Magazine, the United States Secret Service (USSS), CERT, and Deloitte, the mean monetary value of losses due to cyber crime was $394,700 among the organizations that experienced a security event. Note that this figure accounts for all types of security incidents, including both insiders and outsiders. What is especially concerning is that 67% of respondents stated that insider breaches are more costly than outsider breaches.
This dollar figure does not fully account for the damages caused by insiders, though. For instance, activities such as website defacement and exposure of private email correspondence may not involve expensive remediation, but they would still cause a great deal of harm to the victim organization. How valuable is your reputation? How much does your website represent you? If you are an e-commerce company that assures its customers that they will have secure transactions, imagine the damage to your business if your website gets compromised.
Another common question we often receive is, "How many insider attacks take place annually?" This is a much more difficult question to answer. Consider that in the same survey, among 523 respondents, 51% of those who experienced a security incident also experienced an insider attack. The problem with approximating a total number of insider attacks is that, in our experience, a large number of these attacks go unreported. In fact, according to the survey, "the public may not be aware of the number of incidents because almost three-quarters (72%), on average, of the insider incidents are handled internally without legal action or the involvement of law enforcement." There are a variety of reasons why companies choose not to report insider cases; in particular, lack of evidence to prosecute, damage levels that were insufficient to warrant prosecution, inability to identify the perpetrator, and fear of public embarrassment. However, even this does not tell the full story. Based on our research and collaboration with other industry leaders, we believe that most insider crimes go unreported not because they are handled internally, but because they are never discovered in the first place.
These statistics are rather gloomy for those who defend organizations against insider threat. But the CERT Insider Threat Center has made great progress in identifying patterns of insider crimes, allowing organizations to anticipate and/or detect malicious insider activity before it causes great damage. I have received several stories from attendees in our workshops who have successfully applied recommendations described in our Best Practices Guide to prevent malicious insider activity. So there is hope.
If you have direct experience with insider threat, you can aid our research greatly by sharing your own experiences. Doing so will enrich our data and better inform our methodology, which will in turn be made available to the public in the hopes of improving each organization's defenses. Simply email firstname.lastname@example.org.
The 2011 CyberSecurity Watch Survey will be coming out soon with updated statistics, so check our website regularly for its release.