Detecting an insider threat can prove one of the biggest challenges within the cybersecurity realm. Adenike Cosgrove, Cybersecurity Strategy, International at Proofpoint, explores the impact of an insider threat across an organisation and how to avoid being left with a hefty bill.
Insider threats are on the rise: up 47% year-on-year, in fact. And organisations are paying a heavy price. The annual cost of insider incidents now stands at a huge US$11.45 million. That’s a 31% increase over the last two years.
As with external threats, attackers’ tactics and motives differ. Unlike outside-in attacks, attackers do not need to breach defences and many are unaware they’re a threat at all – making them hard to profile, harder to detect and extremely difficult to defend against.
Whether criminal intent or human error, the result is the same. Total annual costs for negligence-based threats average US$4.58 million, compared to US$4.08 million for those with malicious motives. Should either result in the loss or theft of credentials, these cost an organisation an average of US$2.79 million.
Figures of this magnitude can be difficult to relate to but for the organisations behind them, the impact of an insider threat is incredibly real. Costs quickly arise from additional labour and investment in technology, through to business disruption and revenue loss. The average financial outlay for a single incident is estimated at US$307,111 for a negligent threat, US$755,760 if malicious and $871,686 if it involves the loss of credentials.
Insider threats – be they intentional or not – cannot be entirely avoided. That’s not to say that businesses must accept these costs, however. By taking a proactive approach through cost-effective tools and training, incidents can be minimised and costs controlled.
The financial reality of insider threats
As the defence against insider threats is broad, layered and varied, so too are the costs involved. From the proactive, monitoring and surveillance, to the reactive, post-analysis and remediation, an insider threat impacts numerous activity centres across an organisation.
Threats must be thoroughly investigated to determine the source and scope, escalation and planning meetings are required to inform all necessary stakeholders and a response strategy must be put into action. All of which carries a substantial cost. As a result of a single insider threat, organisations spend around US$22,000 on monitoring and surveillance and US$125,000 on investigation and escalation. All this before accounting for the costliest part of the operation: containment.
Containing an insider incident accounts for one-third of the total costs involved, at approximately US$211,000. Closely followed by remediation at US$147,000 and incident response at US$118,000.
Unsurprisingly, technology and labour are the two largest cost categories, accounting for almost half of the total outlay between them. This covers overtime, additional personnel, contractors and any software and hardware needed to remedy the situation.
With the scope of a single incident laid bare, it’s easy to see why insider threats can be so destructive. Add a potential PR disaster and damage to reputation and stakes are seldom higher. In recent years, both Target and Capital One have seen profits and valuations slump in the aftermath of data breaches caused by insiders, and they are far from alone.
The most effective way to avoid such substantial financial consequences is to minimise the risk of an insider threat occurring in the first place. While proactive measures also carry a cost, it is always better to spend a penny on prevention than a pound on cure.
Unfortunately, many organisations are lacking in this area. Training, while prevalent, is often inadequate and the methods used are rarely the most cost-effective.
The current battleground
The recent State of the Phish report found that 95% of organisations around the world undertake some form of cybersecurity training with employees. Unfortunately, under further examination, the content, frequency and methods used are found wanting.
For most employees, security training totals just three hours over the course of a year. Many organisations only train a portion of their users and do not carry out in-person sessions or simulated attacks.
As a result, much of the workforce is uneducated about common cyberthreats. Just 61% could correctly define phishing, with only 31% recognising ransomware and 66% familiar with malware. Against this backdrop, the rise in negligent insiders makes perfect sense.
When it comes to preventing insider threats, most organisations opt for a combination of user training awareness, data loss prevention and user behaviour analytics to educate and equip staff.
Both awareness training and user behaviour analytics are highly cost-effective. Companies employing these techniques report cost savings of US$3.42 million and US$3.1 million, respectively. Data loss prevention, while important, is less so, resulting in average cost savings of US$1.88 million.
By far, the most cost-effective method of minimising and managing insider threats is a combination of awareness training, user behaviour analytics and privileged access management (PAM) – the latter reducing average costs by US$3.1 million. Despite this, PAM is only deployed by 39% of organisations.
PAM, along with other proactive, preventative solutions, hold the key, not just to reducing the costs of insider threats but in minimising their frequency and success rate.
Don’t be left counting the cost
Threats from insiders – be they malicious or otherwise – sit outside the realms of your standard cyberdefences. They require a deterrent of their own.
All organisations must implement a comprehensive and effective insider threat management programme, to deter, detect and defend against rising numbers of incidents.
Network monitoring and surveillance, along with solutions such as PAM, should be a key component. The most effective way to avoid the damage caused by insider threats is to prevent them where possible. Use the tools available to flag suspicious activity, block unusual access requests and ringfence sensitive information and privileged credentials.
Training and education are just as important. Ensure that your users are aware of common threats, that they understand how their behaviour can increase the likelihood and success of attacks, and that they understand their role in defending against these threats.
If an attack is successful, containment is key. The faster an incident is contained, the lower the cost. Ensure protocols and protections are in place to identify and rectify any incident as soon as possible.
Before, during and after an insider threat, vigilance and responsiveness are vital. The better you know your people, your environment and your systems, the better you can protect them from threats – whether they’re knocking at the door, or already inside.