SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

2016 U.S. State of Cybercrime Highlights


Each year, the CERT Division of the SEI collaborates with CSO Magazine to develop a State of Cybercrime report. These reports are based on surveys of approximately 400 organizations across the country, ranging in size from fewer than 100 employees to over 10,000.

Each organization self-reports on information security issues that have impacted them in the past calendar year. The 2016 report covers activity that occurred in 2015. In this blog post, we share some of the findings from our upcoming report as they relate to insider threats.

Thirty percent of all respondents reported that incidents caused by insider attacks were more costly or damaging than outsider attacks.

When excluding participants unsure of the costs of incidents, nearly half (47%) of survey respondents felt that electronic crimes perpetrated by insiders were more costly. According to the responding organizations, insiders were the source (or cause) of the following:

  • 50% of incidents where private or sensitive information was unintentionally exposed
  • 40% of incidents where employee records were compromised or stolen
  • 33% of incidents where customer records were compromised or stolen
  • 32% of incidents where confidential records (i.e., trade secrets or intellectual property) were compromised or stolen

Considering the access that insiders may have to an organization's most prized information assets and the nature of the incidents committed by insiders, it is not surprising that nearly one in three organizations found insider incidents to be most damaging.

Nearly half of participants experienced an insider incident.

Forty-seven percent of survey participants reported that an insider incident was committed against their organization. Furthermore, the respondents stated that more than one in four of the attacks against their organization were committed by insiders (27%). In other words, hacks still outnumber insider incidents, but insider incidents are still prevalent.

This rate of insider incidents has been relatively consistent over the past 11 years, as shown in the following graph.

Despite the prevalence and persistence of insider incidents, less than half (49%) of organizations reported having a formal plan for responding to insider security events committed against them. Additionally, 11% of organizations did not have a response mechanism for insider security events. Overall, the data collected affirms that the insider threat problem is not going away.

Incident response strategies in 2015 remained consistent with those used in 2014.

As the previous chart demonstrated, one of the benefits of conducting an annual survey is the ability to note changes, or a lack thereof, over time. In the next table, note the consistency of the strategies used to respond to insider intrusions in 2014 and 2015.

[Table image: How insider intrusions are handled]

Note: Percentages are rounded up to the nearest percent. The years refer to the calendar year in question, not the year of the report.

While there was a slight increase in handling insider incidents externally, organizations still tend to resolve issues 'in-house'. Though this may reduce the visibility of any one insider threat incident, it may also serve to obfuscate the insider threat problem. It is interesting to note that both the response strategies and rationale for handling incidents internally have not changed.

In the following table, note how the perceptions of insider incidents have remained consistent over the past four years as well.

[Table image: Reasons incidents were not referred]

Nearly a third (31%) of organizations responding to the survey indicated that they could not identify the individual(s) behind an incident; a quarter said that they did not have enough information to take legal action. This further underscores the need for robust technical controls and reporting mechanisms.

While technology and policy changes in an organization may not be able to change the socio-political ramifications of identifying and responding to an insider incident, they can address discovery and identification of the insider.

If you are interested in State of Cybercrime reports from years past, you can find them in the SEI Digital Library.

View other blog posts by Sarah Miller.