36% of information security professionals warn ‘unintentional insiders’ could cause most damage to organisation

London, UK – August 2017 – According to a new survey released by SANS Institute, organisations are so single-minded about defending against external attacks, that they are ignoring a threat with vastly greater potential for damage. 76% of security and IT professionals polled globally said the greatest potential for damage comes from a possible data breach involving employees or contractors trusted with insider access to sensitive data. 40% worry about insiders acting out of malice; 36% say the risk from insiders who are careless with security, or fooled by scams from outside, would do the greatest damage to reputations and bottom lines in the event of an attack. Only 23% predicted the most damage could be done by attackers from the outside.

An unintentional insider is defined as a user who is tricked into or manipulated into causing harm, or whose credentials have been stolen in phishing or other user-focused exploits, designed to let attackers pose as legitimate users to access privileged information. A malicious insider, on the other hand, is someone who knowingly causes harm and damage to an organisation by stealing, damaging or disclosing information.

As organisations deploy the latest security tools and techniques to protect from ever-creative and sophisticated outside attackers, cyber criminals are looking for easier targets. Users who already have access to an organisation’s most sensitive data, for example, and aren’t as hard to fool as security systems.

While security professionals clearly understand the risks that insider threats pose, very few seem to have any idea how much damage could be involved. 45% of respondents said the cost of a potential loss was ‘unknown’, while 33% said they had no specific estimate of cost. This seems surprising, but a small amount of organisations surveyed currently have insider-detection programs thorough enough to reliably detect insider threats. That same lack of visibility makes it difficult to identify the scope of a potential insider attack or estimate the cost of recovering from it.

What’s more, 62% of respondents said they have never experienced an insider attack. Rather than demonstrating a low risk of insider attack, however, this figure could easily mean that the organization is unaware an attack has even taken place.  38% of security professionals said the systems and methods they use to monitor insider activity are ineffective, making it even less likely for them to identify an insider attack in progress.

Inability to see is one thing; reluctance to prepare is another. Only 18% of respondents said they have formal incident-response plans that include potential insider attacks, though 49% said they are developing such a plan; 31% of respondents said they have no formal program in place or preparations to deal with threats from insiders.

“While deliberate/malicious insider are always a concern, what many organisations fail to realise is that an external attack will often target a legitimate insider and trick them into causing harm,” according to SANS instructor and survey report author Eric Cole, PhD. “This accidental/unintentional insider could be used as an avenue by the adversary to walk out with an organisation’s most sensitive data without fanfare or drama, and few organisations would be able to even know it had happened.”

“Malicious insiders have always been a threat, but the risk is increasing from ‘unintentional’ insiders that are tricked into giving their login information to callers from fake help desks or clicking on attachments that release password-stealing malware,” according to Cole. “Every organisation is only one click away from a potential compromise.”

About SANS

SANS Institute was established in 1989 as a cooperative research and education organisation and is now the largest provider of cyber security training and certification to practitioners at governments and commercial institutions worldwide. The SANS curriculum spans more than 60 courses across multiple cyber security disciplines. SANS has successfully run programmes for school age students and is passionate about encouraging young people to pursue a career in cyber security.