Insider Threats: Just 18% Have Incident Response Plans

Global organizations finally understand that insider cyber threats are potentially the most damaging of all, but are doing little to quantify or respond to the threat, according to new SANS Institute research.

The study, sponsored by Dtex, Rapid7 and Haystax, revealed that a plurality of respondents (40%) rate malicious insiders as the most damaging threat vector they face, followed by accidental or negligent staff (36%).

However, nearly half (45%) claimed they didn’t know the potential for financial losses associated with an insider incident, while another third were unable to place a value on the losses.

Although over 60% claimed they had never suffered an insider attack, report author Eric Cole warned that this figure is likely to be “very misleading”.

“It is important to note that 38% of the respondents said they do not have effective ways to detect insider attacks, meaning the real problem may be that organizations are not properly detecting insider threats, not that they are not happening,” he wrote.

Just 18% of respondents said they have developed incident response plans with provisions for insider threats, although on the plus side a further 49% are currently working on such programs.

According to Cole, end-users are now “the entry point of choice” for malicious outsiders “and points of vulnerability are legion”.

The SANS 2016 Threat Landscape Survey found that 48% of attacks bypassed endpoint defenses through user error, and 38% through social engineering – highlighting the risk to firms.

“Based on this author’s experience, if your organization has been in existence for more than a few years, the probability of being hit by an insider-enabled attack is almost 100%,” warned Cole.

Organizations should respond by identifying where their most critical data is held and who has access to it, then restricting that access to only those who need it.

Threat mapping and user behavior analytics are also recommended, as are data segmentation, application whitelisting, data protection and data classification.

It’s also useful to understand which vulnerabilities would have the biggest impact if exploited, the report added.
