SANS Survey Finds Cyber Security Often Defends Against the Wrong Enemy

Bethesda, MD, July 19, 2017 – Information security staffs are so single-minded about defending their organizations from external attack that they all but ignore a threat with vastly greater potential for damage, according to a new survey to be released by SANS Institute on August 1.

As security protecting organizations from outside attack gets more formidable, attackers look for easier targets — users who already have access to an organization’s most sensitive data, for example, and aren’t as hard to fool as security systems.

“While deliberate/malicious insiders are always a concern, what many organizations fail to realize is that an external attack will often target a legitimate insider and trick them into causing harm,” according to SANS instructor and survey report author Eric Cole, PhD. “This accidental/unintentional insider could be used as an avenue by the adversary to walk out with an organization’s most sensitive data without fanfare or drama, and few organizations would be able to even know it had happened.”

While these attacks are devastating, few organizations seem to realize that even when the origin of an attack is external, the ultimate entry point for the attacker was an insider who was tricked or manipulated into causing harm. Survey respondents understand the risk. When asked to rank attackers according to the amount of damage they could do, only 23% of respondents said attackers from outside would do the most damage; 36% said the worst breaches would come from unintentional insiders and 40% said malicious insiders would cause the greatest damage.

Few seemed to have any idea how much damage was involved, however. Forty-five percent of respondents said the cost of a potential loss was “Unknown,” while 33% said they had no specific estimate of cost.

That seems surprising, but few organizations reported having insider-detection programs thorough enough to reliably detect insider threats, according to Cole. That same lack of visibility would make it difficult to identify the scope of a potential insider attack or estimate the cost of recovering from it.

Data showing 62% of respondents have never experienced an insider attack probably also indicate low visibility, but not low risk, according to Cole. Thirty-eight percent of respondents said the systems and methods they use to monitor insider activity are ineffective, which makes it even less likely that they could identify an insider attack in progress.

Inability to see is one thing; reluctance to prepare is another. Only 18% of respondents said they have formal incident-response plans that include potential insider attacks, though 49% said they are developing such a plan; 31% of respondents said they have no formal program in place or preparations to deal with threats from insiders.

“Malicious insiders have always been a threat, but the risk is increasing from ‘unintentional’ insiders that are tricked into giving their login information to callers from fake help desks or clicking on attachments that release password-stealing malware,” according to Cole. “Every organization is only one click away from a potential compromise.”

Eric Cole will discuss the full results of the survey and his analysis in a webcast August 1 at 1 PM EDT, sponsored by Dtex Systems, Haystax Technology and Rapid7, and hosted by SANS. Register to attend the webcast at www.sans.org/webcasts/103917

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and insider threat expert Eric Cole, PhD.

Tweet This:
Insider threats: harder to spot, far more damaging than external attacks | Explore how to protect your organization. | www.sans.org/webcasts/103917

SANS Survey finds few defenses against insider threat. | Aug. 1 | Register to attend: www.sans.org/webcasts/103917

How ready is your organization to combat insider threats? | SANS Insider Threat Survey webcast Aug. 1 | Register at www.sans.org/webcasts/103917