Information security staffs are so single-minded about defending their organizations from external attack that they all but ignore a threat with vastly greater potential for damage, according to the SANS Institute.
Looking for an easier target
As security protecting organizations from outside attack gets more formidable, attackers look for easier targets – users who already have access to an organization’s most sensitive data, for example, and aren’t as hard to fool as security systems.
“While deliberate/malicious insiders are always a concern, what many organizations fail to realize is that an external attack will often target a legitimate insider and trick them into causing harm,” according to SANS instructor and survey report author Eric Cole, PhD. “This accidental/unintentional insider could be used as an avenue by the adversary to walk out with an organization’s most sensitive data without fanfare or drama, and few organizations would be able to even know it had happened.”
identifying the damage
While these attacks are devastating, few organizations seem to realize that even when the origin of an attack is external, the ultimate entry point for the attacker was an insider who was tricked or manipulated to causing harm.
Survey respondents understand the risk. When asked to rank attackers according to the amount of damage they could do, only 23% of respondents said attackers from outside would do the most damage; 36% said the worst breaches would come from unintentional insiders and 40% said malicious insiders would cause the greatest damage.
Few seemed to have any idea how much damage was involved, however. Forty-five percent of respondents said the cost of a potential loss was “Unknown,” while 33% said they had no specific estimate of cost.
That seems surprising, but few organizations reported having insider-detection programs thorough enough to reliably detect insider threats, according to Cole. That same lack of visibility would make it difficult to identify the scope of a potential insider attack or estimate the cost of recovering from it.
Inability to identify an insider attack in progress
Data showing 62% of respondents have never experienced an insider attack probably also indicate low visibility, but not low risk, according to Cole. Thirty-eight percent of respondents said the systems and methods they use to monitor insider activity are ineffective, which makes it even less likely that they could identify an insider attack in progress.
Inability to see is one thing; reluctance to prepare is another. Only 18% of respondents said they have formal incident-response plans that include potential insider attacks, though 49% said they are developing such a plan; 31% of respondents said they have no formal program in place or preparations to deal with threats from insiders.
“Malicious insiders have always been a threat, but the risk is increasing from ‘unintentional’ insiders that are tricked into giving their login information to callers from fake help desks or clicking on attachments that release password-stealing malware,” according to Cole. “Every organization is only one click away from a potential compromise.”