
The recent IBM 2019 Cost of Data Breach survey found that the cost of a data breach had risen 12% over the past 5 years to $3.92 million on average. While 51% of the data breach attacks were attributed to malicious or criminal actors, a stunning 24% of the breaches were caused by negligent employees or contractors. The report also noted that the 51% attributed to criminal actors included “malware infections, criminal insiders, phishing/social engineering and SQL injection.”

The aforementioned statistics highlight the importance of the insider threat. Insider threat via a company’s own employees (and contractors and vendors) is one of the largest unsolved issues in cybersecurity. Insider threats were present in 50 percent of breaches reported in a recent study.

For the purposes of this discussion, let’s define insider threat as “the cyber risk posed to an organization due to the behavior of its employees.” Insider threats arise from two kinds of employees: those who are negligent and those with malicious intent. Malicious insiders are those who purposefully seek to benefit themselves at the organization’s expense or to harm the organization directly. They might steal valuable data, commit fraud for financial gain, publicly expose sensitive information to attract attention or sabotage IT systems in disgruntlement. On the other hand, negligent or error-prone insiders may not harm an organization intentionally but expose the organization to risk through their mistakes or carelessness.

“The most dangerous aspect of insider threats is the fact that the access and activities are coming from trusted systems, and thus will fly below the radar of many detection technologies,” wrote Kim Crawley in a recent blog.

Tim Erlin, VP of product management and strategy at Tripwire, agrees.

“Internal breaches often can go undetected and are sometimes not reported by companies when they occur [because] organizations are understandably reticent to share the details of what they perceive as an embarrassing incident.”

Insider attacks can be a sort of a “perfect crime” due to the fact that insiders have a key advantage over outsiders: they work for their company. Erlin says that, “With insider attacks, success is mostly attributable to the fact they have authorized access to the systems and resources they’re trying to attack. An outsider has to go through multiple steps just to gain the access the insider already has to begin with. Each of those steps is another chance for an attacker to be discovered, thwarted and potentially caught. An insider starts with an advantage.”

In a sense, an insider attack can be more dangerous than an outsider one.

An additional advantage insiders have is that organizations tend to protect themselves only from external threats, and they often neglect to monitor the activity of authorized users. But we will come to this in a while.

Root Causes of Insider Threats

A recent Insider Data Breach survey by Egress highlighted the intent behind insider breaches with a specific look at how employees and executives view this increasing threat.

When it comes to the causes of data breaches, both malicious and accidental, executives believed they’re primarily caused unintentionally by employees rushing and making mistakes (60%). A general lack of awareness was the second leading cause (44%), while 36% believed that a lack of training on the security tools a company uses was the primary driver. In addition, another 27% said that the lack of proper security tools in place was a factor of concern.

Nevertheless, 30% believed that internal data breaches result from employees leaking data to harm the organization, while 28% asserted that employees tend to steal data for financial gain.


While 58% of the executives believe that there is a malevolent intent behind data breaches, 94% of U.S. employees and 87% of U.K. employees claimed they have not intentionally broken company data sharing policies. Similarly, 95% of U.S. and 90% of U.K. employees believe they have never accidentally caused a data breach. Obviously, these results showed a significant disconnect between the IT leader and employee perspectives of insider data breaches.

One of the most worrying reasons behind this gap revolved around data ownership: one-in-five respondents felt that the data belonged to them. As a consequence, those individuals felt they had the right to share it as they wished. Underlining this concerning evidence, the report found that only 40% of respondents agreed that data was exclusively owned by the organization and not by individuals.

Overall, this finding may help shed light on why IT leaders think employees are putting data at risk more than employees think they do: employees do not view company data ownership with the same perspective as IT leaders. Therefore, they simply don’t see the associated risks. They may not even believe that they have done anything wrong in sharing data insecurely.

This highlights that user education around data ownership should be a priority for organizations. Employee responsibility for the protection of companies’ intellectual property must be made clear through policies and awareness training programs.

On the other hand, accidents do happen. And they happen at an increasing frequency because the explosive growth of unstructured data in email, messaging apps and collaboration platforms has made it incredibly simple to share information. As a result, it is easier for employees to accidentally share company information in a manner that does not conform to corporate or regulatory policy.

In accordance with the Egress report, 45% of employees who accidentally shared information sent it to the wrong person, while over one-third shared information which they were unaware shouldn’t be shared (35%). In addition, employees who have accidentally shared information also put data at risk by exhibiting poor security practices: 27% clicked on a phishing link, while 12% responded to a spear-phishing email and shared data.


The Insider Data Breach survey also looked into the mentality behind the accidental breaches. According to the survey, 48% of employees believed they caused an accidental data breach by “rushing,” while another 30% blamed a high-pressure work environment. Finally, 29% claimed they did it because they were tired.

The Egress survey concludes that at the heart of the problem is the growth of unstructured data – the data that employees use and interact with to do their jobs. Compounding this issue is the explosion of data sharing tools that employees use both inside and outside of corporate perimeters and the fact that employees do not place the same value on company data as their C-level counterparts.

As a result, IT leaders need to enforce data policies with security tools that are intuitive and easy to use, provide broad support to both end-users and the business and automate the enforcement of regulatory and corporate data policies.

Deter, Detect, Respond

The latter conclusion of the Egress survey raises the question of how best to combat this kind of threat, given that an insider has a clear advantage: they are part of the organization and know how it works. Further, they already have certain privileges to access corporate assets and information.

Briefly speaking, the security solutions to stop an insider attack from happening consist of three constituents:

  • Deter: Undertake proactive measures to improve overall security hygiene so as to make the environment more hostile for the attacker to operate in.
  • Detect: Identify signs of attacker presence as close to their initial beachhead (“patient zero”) as possible.
  • Respond: Act efficiently to stop attacks in progress while reducing disruption to the business.

A recent Ponemon Institute study on Managing the Risk of Post-Breach or Resident Attacks (post-breach or resident is another term for insider threat) found that 40% of the participating organizations were confident in their detection capabilities, while only 25% can respond effectively to these kinds of attacks. Finally, organizations can effectively deter approximately 30% of insider attacks. Given the potentially dire consequences and costs of cyber attacks, it is apparent that all three operational areas need significant improvement in most organizations.

Improvements at the operational levels alone will not improve the ability to stop resident attackers from causing serious business impact. Data in the Ponemon survey indicate that there are various barriers that make it hard to keep up with threats:

  • “Inability to determine which alerts to escalate” and “difficulty distinguishing between false positives and real alerts” are among the top obstacles to achieving better threat detection.
  • “Shortage of skilled incident response personnel,” “shortage of time or skills to optimize and maintain detection technologies” and “lack of resources to purchase or implement effective detection technologies” are significant inhibitors.
  • Compliance imperatives may help ensure a baseline of standard security practices, but they are also named as the number one obstacle to achieving better threat detection.

The above obstacles create a “fog of war” when dealing with insider incidents. Clausewitz said that “War is the realm of uncertainty; three-quarters of the factors on which action in war is based are wrapped in a fog of greater or lesser uncertainty. A sensitive and discriminating judgment is called for; a skilled intelligence to scent out the truth.” This “fog of uncertainty” is enhanced by a clear lack of risk prioritization based on their importance to the business.

The Ponemon survey found that nearly three-quarters of respondents say business leaders do not clearly communicate business risk priorities, and more than two-thirds don’t have a good understanding of how threats can impact the enterprise. As a result, security technologies in most organizations are not optimized to reduce top business risk, and only one-third have strong capabilities to maintain an inventory of business-critical systems. The report concludes that unless operational capabilities can be better prioritized by likely business impact, many other problems in the ability to protect against resident attackers will likely persist because there are simply not enough resources to handle everything equally.

Focus on Lateral Movements

Once you have the leadership buy-in, you will have to implement technical solutions that detect insiders’ movements. In most cases, attackers operating within the environment are so difficult to detect specifically because they leverage the connectivity that the business itself enables and thereby remain relatively invisible.

Tim Erlin says that “The first action to take is to ensure user permissions are distributed using a principle of least privilege, meaning that users are only able to take actions and access data necessary for their job.”

The Ponemon study adds to this notion by noting that “it is possible to reduce their mobility within the environment by keeping it as clean as possible of excess connectivity by removing, where possible, credentials that are cached on systems, with special attention to domain admins and other high-privilege credentials.”

In order to have a “clean environment”, organizations should employ Identity and Access Management (IAM) and Privileged Access Management (PAM) solutions. Under vigorous leadership and by aligning communication and policies between Human Resources and your IT department, you can implement controls to reduce risk and detect incidents before they cause damage.

In addition to detecting clear attack activity, monitoring for changes that are suspicious is a good way to identify activity that is otherwise authorized but not supposed to happen. “Change monitoring is most effective when coupled with a change management process. Identifying changes that occur, but aren’t part of an approved change ticket, can uncover not only insider threat activity but also other factors that affect system stability overall,” explains Tim Erlin.
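An added example, not from the original article or from Tripwire: one way to reconcile change-monitoring events against approved change tickets, as described in the paragraph above. The record fields, status names, hosts, users, ticket id and timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Ticket:                 # approved change from the change-management system
    ticket_id: str
    host: str
    path_glob: str            # files the ticket authorises changing
    implementer: str          # account expected to make the change
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Change:                 # event reported by change/file-integrity monitoring
    host: str
    path: str
    user: str
    when: datetime

RANK = {"unauthorized": 0, "out_of_window": 1, "wrong_actor": 2, "approved": 3}

def reconcile(change, tickets):
    """Return (status, ticket_id) for the best-matching ticket, if any."""
    best = ("unauthorized", None)
    for t in tickets:
        if t.host != change.host or not fnmatchcase(change.path, t.path_glob):
            continue          # ticket does not cover this host/file
        status = ("out_of_window" if not (t.start <= change.when <= t.end)
                  else "wrong_actor" if t.implementer != change.user
                  else "approved")
        if RANK[status] > RANK[best[0]]:
            best = (status, t.ticket_id)
    return best

def unreconciled(changes, tickets):
    # Everything not fully covered by a ticket goes to review.
    checked = [(c, *reconcile(c, tickets)) for c in changes]
    return [row for row in checked if row[1] != "approved"]

# Constructed sample data (hosts, users, ticket id and times are made up).
ts = datetime.fromisoformat
TICKETS = [Ticket("CHG-EXAMPLE-1", "web01", "/etc/nginx/*", "alice",
                  ts("2019-09-01T22:00"), ts("2019-09-02T02:00"))]
CHANGES = [
    Change("web01", "/etc/nginx/nginx.conf", "alice", ts("2019-09-01T23:10")),
    Change("web01", "/etc/nginx/nginx.conf", "alice", ts("2019-09-03T14:00")),
    Change("web01", "/etc/nginx/tls.conf", "bob", ts("2019-09-01T23:30")),
    Change("db01", "/etc/sudoers", "carol", ts("2019-09-01T23:40")),
]
```

Calling `unreconciled(CHANGES, TICKETS)` returns the three changes that lack full ticket coverage; the "wrong_actor" and "out_of_window" cases are the ones an authorized insider is most likely to produce, because the change itself looks routine.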

Cultural Change

While many programs focus on catching and responding to negative behaviors, it’s also vitally important to directly and assertively address the cultural issues that drive negligence and malicious behavior. Research has provided evidence that enabling appropriate cybersecurity behaviour is more effective and useful than using threat awareness or punishment to urge users towards more secure behaviour.

To combat negligence and co-opting, companies often conduct cybersecurity training as well as phishing testing. Too often these focus only on behaviour by educating employees on proper cyber procedures, but they miss the attitudes-and-beliefs part of the culture equation. Targeted interventions help employees see and feel the importance of “cyber-hygiene”; purposeful reinforcement from senior executives is critical to achieving workforce buy-in. Organizations such as ENISA propose the use of metrics to measure both behaviors and attitudes and then develop comprehensive change plans to beat cyber-negligence.

Addressing the drivers of malicious behavior is an even more personal task. Organizations that successfully address drivers of malicious behavior often begin by analyzing workforce trends (using satisfaction surveys, for example) to determine potential hot spots. They then design changes in process, governance, hiring, compensation and so on specific to the identified risk areas and aligned with their security processes. “Improving employee morale in ways that are more effective than ‘beatings will continue until morale improves’ is equally important,” notes Kim Crawley.


Measures to improve security behaviour should be an ongoing, iterative process. The human factor in cyber-security is never “solved,” and there is no simple “solution.” Human skills and knowledge, leadership and technology can be made to work in favor of an organization’s cybersecurity.

Tripwire provides a range of technical solutions to help you combat insider threats. The tight integration of Tripwire Log Center with Tripwire IP360 and Tripwire Enterprise provides visibility of insider actions, identifies weaknesses that they could use against you and makes these events actionable with real-time alerts, automation and reporting. Cybersecurity is everyone’s job.