Nearly half of companies surveyed find it impossible or very difficult to prevent an insider attack at its earliest stage, while less than a third believe their organizations are very or highly effective in preventing leaks of sensitive information.
The State of Insider Threats 2021 Report was released by the Ponemon Institute, an independent research and education entity, and DTEX Systems, a cybersecurity and intelligence company. Taking about 14 weeks to complete, the study spoke with nearly 1,250 IT and IT security professionals in North America, Western Europe and Australia/New Zealand who worked with companies of various sizes.
Rajan Koo, chief customer officer for DTEX, said companies struggle to balance respect for employees' privacy with the ability to identify when they may be stealing intellectual property. The research, he said, was conducted to discover the gap between implementing security technology that may infringe upon privacy and the need for organizations to respect that privacy, and how this affects the security of the organization.
“The folks who do IT security or cybersecurity are basically focused on the external threat — the typical bad guy that hacks into your system and basically holds you hostage with ransomware and the like,” said Dr. Larry Ponemon, author of the report. “But there are a lot of issues of companies dealing with people, who are within the organization either as an employee or contractor, and therefore having a lot of access to systems and technologies and these organizations are sometimes ill-prepared to deal with an employee or contractor that is basically a bad guy or malicious or angry or frustrated.”
DTEX released its own insider threat report last year noting a 450 percent increase in employees circumventing security controls to intentionally mask online activities and a 230 percent increase in behaviors indicative of stealing data.
Koo said these high numbers were mostly due to the transition of employees ordered to work from home due to the COVID-19 pandemic. Many companies did not have systems in place when the stay-at-home orders were first issued in March 2020. The company will release another study later this year in which some of these numbers have gone down as more organizations implement security controls.
For the 2021 report, about 15 percent of organizations said that no one has ultimate authority and responsibility for controlling and mitigating workforce risks. An insider threat has five steps: reconnaissance, circumvention, aggregation, obfuscation and exfiltration. The third step, aggregation, drew the highest share, 53 percent, of companies saying it is impossible or very difficult to detect and prevent an attack during this stage.
The report notes the importance of studying the entire threat chain to discover the user’s intent, whether the breach was accidental or calculated or whether the insider’s credentials were stolen.
Ponemon said he was surprised by his findings. “The state of insider threat security is right now for many organizations a big problem,” he said.
Koo was taken aback by the findings as well. “From our industry, we try to help organizations become more proactive rather than reactive, but it was definitely surprising how many organizations are struggling out there,” he said.
The pandemic played a large role in the study’s findings, according to Ponemon. He said the virus caused hackers to think of new, innovative ways to capture data, and that home offices are sometimes not as secure and sophisticated as in-office ones.
The largest mistakes made by companies, according to Ponemon, are not training employees at every level and not having people on their staff who can help navigate a threat.
For companies looking at the report, Ponemon said he hopes staff know insider threats are an issue and that steps need to be taken to monitor and understand where there are vulnerabilities.
“Training and awareness become very important,” he said. “Creating a culture for security means you deal with outside problems like adversaries that are attacking externally as well as insider problems. Having a more holistic approach to security can be very, very important.”
The big lesson Koo hopes companies take from this report is that security doesn’t have to come at the cost of privacy. “It is that false dichotomy,” he said. “You can find a balance between both, and if you are respecting your employee’s privacy and you are looking earlier on during those (chain) behaviors, you can achieve both.”