Dive Brief:
- Over the last 12 months, more than half of insider threat security incidents (56%) were caused by negligent or careless employees, according to research from the Ponemon Institute sponsored by Proofpoint. The report, released Tuesday, surveyed more than 1,000 IT and IT security professionals globally at organizations that experienced at least one material event caused by an insider.
- The remediation costs from incidents tied to negligent employees can reach $6.6 million annually, almost $500,000 per incident. Behaviors that count as negligence include using unsecured devices, disregarding security policies, and not applying patches.
- While security events from malicious insiders and credential theft cost less in aggregate, $4.1 million and $4.6 million respectively, the individual incidents can prove costly. Malicious insiders account for one-quarter of incidents, and the cost per incident can reach almost $650,000. Credential theft accounts for only one in five incidents, but the average cost per incident can exceed $800,000.
Dive Insight:
As companies come to terms with the semi-permanence of mass remote work, insider cybersecurity threats continue to rise — and it's partially due to employee apathy.
Two-thirds of employees admit to failing to fully adhere to cybersecurity policies at their company at least once every 10 workdays, according to research and interviews of 330 remote workers by researchers Clay Posey and Mindy Shoss from the University of Central Florida (UCF). Employees failed to follow company security policies once every 20 job tasks on average, Posey and Shoss said in the Harvard Business Review.
When asked why respondents didn't follow security policies, the most common answers were, "to better accomplish tasks for my job," "to get something I needed," and "to help others get their work done," Posey and Shoss wrote. Employees had malicious intent in only 3% of incidents where cybersecurity rules were broken.
Companies most susceptible to insider threats offer limited employee training on which mandates and regulations apply to the company's security, Ponemon found. Other high-risk practices include sharing data via an unsecured location in the cloud, lax software updates, or, as the UCF data shows, employees intentionally skipping policies to simplify their workload.
In 2020, Twitter fell victim to a spear phishing attack, which the unauthorized users then leveraged to gain access to high-profile Twitter accounts. In November, trading platform Robinhood disclosed a security breach caused by a social engineering attack on a customer support employee.
It is becoming more common for bad actors to approach employees to aid in an attack. Nearly two-thirds of IT and security professionals say their employees have been "approached to assist in aiding ransomware attacks," according to a recent Hitachi ID survey of more than 100 respondents, conducted between Dec. 7, 2021 and Jan. 4, 2022. Only half of respondents said they feel moderately prepared to prevent a ransomware attack.
For malicious insiders, corporate email is the preferred method for stealing data, Ponemon found. The second most popular activity is scanning for vulnerabilities, followed by accessing sensitive data that is not tied to the insider's role or function.
Having the right tools in place to catch malicious activity — such as behavior-based solutions or automation for containment — can help, but the cleanup period is lengthy. It takes organizations an average of 85 days to contain an incident related to insider threats. Only one in every 10 incidents is contained in less than 30 days, Ponemon found.
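The two behaviors Ponemon ranks highest (data leaving through corporate email, and access to data outside a person's role) are the kind of signals a behavior-based tool scores against a user's own baseline before handing the result to a containment step. The script below is an added illustration written for this article, not code from Ponemon, Proofpoint or any product the report covers. The log tuples, the internal domain, the role-to-path profile and the thresholds are all constructed assumptions chosen so the example runs offline.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (hypothetical; not taken from the Ponemon report).
# Email gateway: (user, recipient_domain, attachment_bytes)
EMAIL_EVENTS = [
    ("alice", "example.com", 120_000),
    ("alice", "example.com", 95_000),
    ("alice", "example.com", 110_000),
    ("alice", "mail-provider.test", 48_000_000),  # external and far above alice's usual size
    ("bob", "example.com", 30_000),
    ("bob", "partner.test", 35_000),               # external but within bob's normal range
]
# File server audit: (user, role, resource_path)
FILE_EVENTS = [
    ("alice", "finance", "/shares/finance/q3-forecast.xlsx"),
    ("alice", "finance", "/shares/hr/salaries.csv"),              # not a finance resource
    ("bob", "engineering", "/repos/app/src/main.py"),
    ("carol", "contractor", "/shares/finance/q3-forecast.xlsx"),  # role has no profile yet
]

INTERNAL_DOMAIN = "example.com"
# Hypothetical role profile: the path prefixes each role normally touches.
ROLE_PATHS = {"finance": ("/shares/finance/",), "engineering": ("/repos/",)}


def email_exfil_alerts(events, internal_domain, factor=10, floor_bytes=10_000_000):
    """Flag external-bound mail whose attachment is above an absolute floor
    and more than `factor` times the sender's own internal-mail baseline."""
    by_user = defaultdict(list)
    for user, domain, size in events:
        if domain == internal_domain:
            by_user[user].append(size)
    alerts = []
    for user, domain, size in events:
        if domain == internal_domain:
            continue
        baseline = mean(by_user[user]) if by_user[user] else 0  # no history: any large send counts
        if size >= floor_bytes and size > factor * baseline:
            alerts.append({"user": user, "signal": "email_exfil",
                           "detail": f"{size} bytes to {domain}, baseline {baseline:.0f}"})
    return alerts


def role_access_alerts(events, role_paths):
    """Flag file access outside the prefixes recorded for the user's role,
    and separately flag roles that have no profile at all."""
    alerts = []
    for user, role, path in events:
        prefixes = role_paths.get(role)
        if prefixes is None:
            alerts.append({"user": user, "signal": "unprofiled_role",
                           "detail": f"role {role!r} has no access profile; touched {path}"})
        elif not path.startswith(prefixes):
            alerts.append({"user": user, "signal": "out_of_role_access",
                           "detail": f"{role} role read {path}"})
    return alerts


def triage(alerts, escalate_at=2):
    """Group distinct signals per user; a user reaching `escalate_at` signals
    gets a containment recommendation the automation step can act on."""
    signals = defaultdict(set)
    for alert in alerts:
        signals[alert["user"]].add(alert["signal"])
    return {
        user: {
            "signals": sorted(found),
            "action": "isolate_and_review" if len(found) >= escalate_at else "review",
        }
        for user, found in signals.items()
    }


if __name__ == "__main__":
    found = email_exfil_alerts(EMAIL_EVENTS, INTERNAL_DOMAIN) + role_access_alerts(FILE_EVENTS, ROLE_PATHS)
    for alert in found:
        print(f"[{alert['signal']}] {alert['user']}: {alert['detail']}")
    for user, verdict in triage(found).items():
        print(f"{user}: {verdict['action']} ({', '.join(verdict['signals'])})")
```

Two design points matter for the 85-day containment window the report describes. The email rule is relative to each sender's own history rather than a global size cap, so a user who routinely mails large files to colleagues is not flagged while a one-off 48 MB send to an outside domain is. And the role check treats a missing profile as its own signal rather than silently passing it, since an unprofiled account (a contractor, in the constructed data) is exactly the case where "access unattached to a role" cannot be judged. The triage stage only correlates; what "isolate_and_review" does in practice depends on the organization's containment automation.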