In the second post of this series, we looked at basic definitions of insider threat incidents and their impact on organizations. Now, let’s have a closer look at how malicious insider threat actions affect companies in the United States, and how companies can respond to these threats.
From the most recent consolidated data available on this subject, over 50% of organizations report having encountered an insider cyberattack in 2012, with insider threat cases making up roughly 23% of all cybercrime incidents. This percentage has stayed consistent over the prior couple of years, but the total number of attacks has increased significantly.
The result is $2.9 trillion in employee fraud losses globally per year, with $40 billion in losses due to employee theft and fraud in the US in 2012 alone. The damage and negative impact caused by insider threat incidents is reported to be higher than that of outsider or other cybercrime incidents.
Interestingly, in contrast to outsider attacks on networks, insider cyberattacks are under-reported. Only a few cases make it into public media or are even known to insider threat experts. Reasons for such under-reporting are insufficient damage or evidence to warrant prosecution, and concerns about negative publicity. The risk of revealing confidential data and business processes during investigations may be another reason why many companies don’t report and prosecute insider threat incidents.
The risk factors companies face from insider threats
The days when most employees spent their working years at just one company are definitely over. Approximately 90 percent of millennials expect to stay in a job for less than three years, which implies that they would have 15-20 different jobs in their lifetime. Frequent job-hopping may result in decreased employee loyalty to an employer, and higher churn rates introduce a real risk of intellectual property and confidential information theft.
Half of all office workers will take some data with them when they switch jobs. In addition to the higher likelihood of data exfiltration, the actual theft of data has also become much easier. Generally mobile workforces, aided by BYOD policies, are able to work from home and access company data when on the road.
However, what started as a tool to improve work productivity and employee work-life balance has become a threat to company cybersecurity. Besides infecting the company network with malware, personal devices facilitate copying of company data. When an employee decides to quit, copies of company data often stay on these devices, which means data loss often happens without detectable exfiltration.
In a recent insider threat case, former DuPont engineer Michael Mitchell kept numerous DuPont computer files containing sensitive and proprietary information on his home computer during his tenure with the company. After his termination, these files remained on his home computer without being detected. As Mitchell entered into consulting agreements with a Korean competitor, he supplied them with the data, resulting in millions of dollars in losses to DuPont.
In addition to the problems raised by changing work practices, a recent survey reports that 55 percent of companies indicate that they lack training and 51 percent indicate that they lack budget to respond to insider threats. Many recent cases, including the Mitchell case, could have been prevented or at least limited with prompt response times and up-to-date company policies.
How companies should respond to the insider threat
The first step of an appropriate response to an insider threat is to raise awareness of the problem. While many would prefer to believe that malicious insider threat incidents are limited to a set of particular government agencies, the insider threat is real and can happen anywhere in the industry. An internal insider threat program can help and is a good starting point. Technology alone will not solve the problem.
The responsibilities for detection, intervention and prevention of insider threats are typically shared among the information security, legal and human resources (HR) departments of a company. A clear definition of action items and accountabilities is crucial to the implementation of an effective insider threat program.
An important question to answer is “if an insider wanted to harm your company, what would be targeted and what damage could be done?” Define the critical assets that must be protected, as well as your organization’s tolerance for loss or damage if they are leaked. Then, in order to prevent such a threat, ask yourself what kind of behavioral precursors could be observed and caught across company departments before critical assets are harmed.
Examples of such precursors include misuse of computing resources, such as a high volume of downloads or printouts, HR reports of hostile workplace behaviors, or information about ongoing legal investigations against employees. Most importantly, make sure you are able to connect the dots by correlating precursors from different departments to gain insights into trends regarding the highest risks to your organization.