Insider Threats: Quantifying the Problem
This is the first in a series on insider threats.
Hacking gets a lot of the attention—and deservedly so. APT, hacktivism and hacking for profit are taking a toll on consumers, business and government.
However, insider threats are on the rise—yet they do not get anywhere near the same attention. For example, a search for “insider threats” returns 3.4M results on Google; “hacking” returns 121M.
Why the imbalance? There may be many reasons, but we think the main issue is that insider threats represent a hard problem to quantify, especially since the biggest internal threat is often the friendly, loyal employee. This is the individual who over the years has accumulated sensitive data on their laptop. This is the same data that was never removed when the employee left the company. Yet all organizations are at risk in the face of the insider threat. In this blog series on insider threats, we show you just how prevalent this problem really is and what to do about it.
Insider Breaches on the Rise
To begin, here are a few episodes from a few insider data breaches:
- A Flextronics employee was charged with insider trading. The executive was paid large sums for passing on information about iPhone 4 development plans.
- An Ofcom IT director was charged with defrauding the organization by creating false invoices that were paid to him.
- A Netflix call-center employee stole the credit card numbers of customers he had spoken with.
- A police officer was charged with conducting unlawful checks on various individuals.
Data point #1: internal breaches comprise 17% of all breaches. This figure comes from the Verizon Data Breach Investigative Report (VDBIR). At the same time, the VDBIR authors point out that the value is probably understated:
“This value does not assume that there are fewer breaches caused by the insider. Rather, it is reflective of the fact that Verizon has investigated more cases caused by an external agent.”
The data in the VDBIR is based on breach investigations. As such, it is skewed towards breaches that involve unknown factors, which are usually caused by external agents. Getting to the root of an insider breach, on the other hand, is much easier, so these cases are usually settled in-house and never reach an outside investigator.
Data point #2: 10M lost data records in 2011. The Privacy Rights Clearing House (PRCH) maintains a database of US data breaches. Each breach is quantified and characterized. To understand the impact of insiders, conduct a search on the PRCH database restricted to the following breach types:
- An intentional compromise by an insider
- An accidental disclosure of sensitive information (for example, emailing a list of customers to a provider, a sensitive page indexed by Google, etc.)
- Stolen or lost portable and stationary devices (i.e., an accidental, non-malicious insider)
The stats for 2010, the same year as the release of the aforementioned VDBIR, reveal 376 data breaches and the ultimate exposure of more than 10M data records.
The numbers for 2011 are not optimistic. At first glance, the number of breaches seems flat compared to last year’s (191, but we’re still in August). However, the number of exposed records already stands at nearly 10M! This goes to show that the headline news items we mentioned at the beginning of the section are not isolated. Rather, the insider threat is (or should be) a regular concern for numerous organizations. One major limitation of the PRCH database? It does not take into consideration, for instance, breaches of sensitive corporate information such as business plans or design schematics. Yet such IP can be among the most expensive to lose.
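The three-category filter described above is easy to reproduce over any breach-notification dataset, which is useful when you want to rerun the tally against your own data or a newer export. The script below is an added example written for this post, not PRCH code; the breach-type codes, the record layout and the sample records are all constructed for illustration and do not reflect PRCH’s actual schema. It applies the insider filter, breaks the result down by category, and tracks breaches that reported no record count, since those make any exposed-records total a floor rather than a ceiling.

```python
"""Tally insider-attributable breaches from breach-notification records.

Added example; not code from the original post or from the PRCH.
The type codes and record layout are assumptions constructed for this
example, not PRCH's real schema.
"""
from collections import Counter
from typing import Iterable, Optional, Tuple

# Assumed breach-type codes (constructed), mapped to the post's three
# insider categories. Anything else (e.g. "HACK") is treated as external.
INSIDER_CATEGORIES = {
    "INSD": "intentional insider",
    "DISC": "accidental disclosure",
    "PORT": "lost or stolen portable device",
    "STAT": "lost or stolen stationary device",
}

Record = Tuple[int, str, Optional[int], str]

# Constructed sample records: (year, type_code, records_exposed, description).
# records_exposed is None when the notification did not state a number.
SAMPLE_RECORDS = [
    (2010, "INSD", 1200, "clerk copied a customer list before resigning"),
    (2010, "DISC", 5000, "spreadsheet emailed to the wrong supplier"),
    (2010, "PORT", 25000, "unencrypted laptop left on a bus"),
    (2010, "STAT", 800, "desktop taken from an unlocked office"),
    (2010, "HACK", 900000, "web application compromised by an external attacker"),
    (2010, "INSD", None, "contractor viewed records without authorization"),
    (2011, "DISC", 150, "patient list indexed by a search engine"),
    (2011, "HACK", 100, "credentials phished from the help desk"),
]


def is_insider(type_code: str) -> bool:
    """True for the categories the post uses to approximate insider breaches."""
    return type_code in INSIDER_CATEGORIES


def insider_stats(records: Iterable[Record], year: int) -> dict:
    """Summarise insider-attributable breaches for one year.

    Returns the number of insider breaches, the number of all breaches,
    the sum of *stated* exposed records, how many insider breaches gave no
    record count, a per-category breakdown, and the insider share of all
    breaches that year as a percentage (0.0 when the year has no records).
    """
    all_breaches = 0
    insider_breaches = 0
    records_exposed = 0
    unknown_counts = 0
    by_category: Counter = Counter()

    for rec_year, type_code, exposed, _description in records:
        if rec_year != year:
            continue
        all_breaches += 1
        if not is_insider(type_code):
            continue
        insider_breaches += 1
        by_category[INSIDER_CATEGORIES[type_code]] += 1
        if exposed is None:
            # Count the breach but do not invent a number for it.
            unknown_counts += 1
        else:
            records_exposed += exposed

    share = (100.0 * insider_breaches / all_breaches) if all_breaches else 0.0
    return {
        "year": year,
        "insider_breaches": insider_breaches,
        "all_breaches": all_breaches,
        "records_exposed": records_exposed,
        "unknown_record_counts": unknown_counts,
        "by_category": dict(by_category),
        "insider_share_pct": round(share, 1),
    }


if __name__ == "__main__":
    for yr in (2010, 2011):
        stats = insider_stats(SAMPLE_RECORDS, yr)
        print(f"{yr}: {stats['insider_breaches']}/{stats['all_breaches']} breaches "
              f"insider-related ({stats['insider_share_pct']}%), "
              f"at least {stats['records_exposed']} records exposed "
              f"({stats['unknown_record_counts']} breaches with no stated count)")
        for category, count in sorted(stats["by_category"].items()):
            print(f"    {category}: {count}")
```

Note that the result depends entirely on how the source database categorises each incident; a record coded as an external hack that was in fact enabled by an employee, or an IP theft that never became a notifiable breach, is invisible to this filter, which is the same limitation the post raises about the PRCH data.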
Data point #3: malicious insiders are behind a third of all breaches. In an attempt to address those gaps, a 2010 joint survey with the analyst firm Securosis questioned more than 1100 US and multinational IT security practitioners about their security practices. The survey uncovered an interesting statistic: accidental breaches comprised 38% of all breaches. Malicious insiders were behind 32% of all incidents. Hackers lagged behind, accounting for 29% of the breaches.
What About The Breaches That Do Not Get Noticed?
Companies face a real threat from ‘loyal’ employees. These are the individuals who over time accumulate work data. When these individuals leave, the machine, together with the data, leaves with them. Yet the last thing organizations need is this data in the hands of a competitor or left on a municipal bus.
We tried to quantify this problem by conducting two separate types of survey over the past year:
- Man-on-the-street surveys. We questioned more than 1000 people on the streets of London about their behavior in relation to company data. A similar survey was performed in China (Beijing and Shanghai). Both surveys support the claim that insider threats are mainly made up of normal, mainstream employees. For example, in the UK, the survey found that 70% of respondents had clear plans to take something with them upon leaving their job. Furthermore, 85% store corporate data on home computers or personal mobile devices.
- Surveys targeted at security professionals. One survey, conducted separately in the US and the UK, asked respondents about their organization’s security practices in regards to sensitive files. The results, with about 150 respondents in each country, found that only 18% of the US respondents knew the exact number of sensitive files they had.
Other industry surveys supported the notion that the insider threat is the common employee, such as a recent SailPoint study. A concerning key finding showed that some of these employees, who have legitimate access to the data in order to perform their job, would willingly turn against the company. Among the UK respondents, 24% said they would feel comfortable selling the data.
A Unisys 2010 survey produced some even more alarming statistics: 95% of individuals use self-purchased technology for work. This “consumerization of IT” makes it much more difficult to control the flow of sensitive data.
Although reaching an absolute number on the prevalence of the insider threat is not simple, there is no doubt that the insider threat is an issue. However, it is possible to help mitigate the problem by studying the characteristics of this threat: user privileges, technical skills and even motivation.
In the next section of this guide we introduce the characteristics needed to define the threat.