Breaches caused by external attackers posing as insiders are the most financially damaging, Ponemon Institute survey finds.
Careless users and contractors continue to be the biggest source of insider incidents at most organizations. But external attackers posing as legitimate users via stolen credentials can cause far more financial damage, a new survey by the Ponemon Institute shows.
Ponemon polled 280 IT and security practitioners from 54 medium to large organizations between April and July this year. The findings show that nearly four years after Edward Snowden’s famous data leaks, the insider threat remains as intractable a problem as ever for many organizations.
The survey, sponsored by security vendor Dtex, reports a total of 874 insider incidents across respondent organizations over the past 12 months. A total of 568 of those incidents were caused by employee or contractor negligence, 191 were tied to malicious employees and criminals, while 85 were caused by outside imposters with stolen credentials.
Cumulatively, security incidents stemming from negligent and careless employees or contractors cost the most money. Organizations spent about $2.3 million annually dealing with the fallout from such incidents, at an average of about $207,000 per incident, the study found.
In contrast, the annualized cost from all imposter-related breaches was lower, at $776,000. But the cost per incident involving imposters was $493,000, much higher than the per-incident cost of breaches caused by negligence and carelessness or by malicious insiders.
On average, the organizations in Ponemon’s survey reported spending $4.3 million in total on insider-related incidents over the past 12 months. The costs tended to vary by organization size. Large organizations with more than 75,000 employees spent more than $7 million annually, while smaller organizations with between 1,000 and 5,000 employees spent around $2 million.
The costs encompass monitoring and surveillance, investigation, response, containment, incident analysis, and remediation.
Organizations implementing security controls to mitigate insider threats should consider the threat posed by external adversaries in their planning, says Larry Ponemon, chairman and founder of the Ponemon Institute.
"Our benchmarking suggests that while the number one insider problem is negligence, the most expensive are those involving credential theft," Ponemon says. "The issue is important because a lot of companies don't see credential theft as an insider threat."
Security incidents caused by insiders have been a long-standing issue for organizations. Former NSA analyst Snowden’s data leaks on the government’s surveillance operations back in 2012 are often cited as one of the most dramatic examples of the damage that an insider with privileged access to enterprise networks can do.
But such incidents are more the exception than the rule. A vast majority of insider breaches come from more banal causes such as someone inadvertently emailing or publishing a list containing sensitive data, or losing a mobile device with unencrypted files.
"The main takeaway is that not having the right people and the right technologies can be very costly for organizations," Ponemon says.
Companies should look beyond their existing security toolset and consider using behavioral analytics technologies to spot anomalous behavior, he says. They should also consider ramping up employee awareness and training, he adds.
"The training programs that companies have are just not very good," he says. "They are really focused on check-the-box compliance requirements to show everyone that your company is training on data protection."
Evidence shows that good training can make a difference. "But most companies are penny-wise and pound-foolish," Ponemon says.