Each year, the CERT Division of the SEI collaborates with CSO Magazine to develop a State of Cybercrime report. These reports are based on surveys of approximately 400 organizations across the country, ranging in size from less than 100 employees to over 10,000.

Each organization self-reports on information security issues that have impacted them in the past calendar year. The 2016 report covers activity that occurred in 2015. In this blog post, we share some of the findings from our upcoming report as they relate to insider threats.

When excluding participants unsure of the costs of incidents, nearly half (47%) of survey respondents felt that electronic crimes perpetrated by insiders were more costly. According to the responding organizations, insiders were the source (or cause) of the following:

• 50% of incidents where private or sensitive information was unintentionally exposed
• 40% of incidents where employee records were compromised or stolen
• 33% of incidents where customer records were compromised or stolen
• 32% of incidents where confidential records (i.e., trade secrets or intellectual property) were compromised or stolen

Considering the access that insiders may have to an organization's most prized information assets and the nature of the incidents committed by insiders, it is not surprising that nearly one in three organizations found insider incidents to be most damaging.

Forty-seven percent of survey participants reported that an insider incident was committed against their organization. Furthermore, the respondents stated that more than one in four of the attacks against their organization were committed by insiders (27%). In other words, hacks still outnumber insider incidents, but insider incidents are still prevalent.

This rate of insider incidents has been relatively consistent over the past 11 years, as shown in the following graph.

Despite the prevalence and persistence of insider incidents, less than half (49%) of organizations reported having a formal plan for responding to insider security events committed against them. Additionally, 11% of organizations did not have a response mechanism for insider security events. Overall, the data collected affirms that the insider threat problem is not going away.

As the previous chart demonstrated, one of the benefits of conducting an annual survey is the ability to note changes, or a lack thereof, over time. In the next table, note the consistency of the strategies used to respond to insider intrusions in 2014 and 2015.

Note: Percentages are rounded up to the nearest percent. The years refer to the calendar year in question, not the year of the report.

While there was a slight increase in handling insider incidents externally, organizations still tend to resolve issues 'in-house'. Though this may reduce the visibility of any one insider threat incident, it may also serve to obfuscate the insider threat problem. It is interesting to note that both the response strategies and rationale for handling incidents internally have not changed.

In the following table, note how the perceptions of insider incidents have remained consistent over the past four years as well.

Nearly a third (31%) of organizations responding to the survey indicated that they could not identify the individual(s) behind an incident; a quarter said that they did not have enough information to take legal action. This further underscores the need for robust technical controls and reporting mechanisms.

While technology and policy changes in an organization may not be able to change the socio-political ramifications of identifying and responding to an insider incident, they can address discovery and identification of the insider.

If you are interested in State of Cybercrime reports from years past, you can find them in the SEI Digital Library.