Every year, the comprehensive Verizon Data Breach Investigations Report (DBIR) provides the industry with a deep dive into the latest trends in cybersecurity incidents. This year’s report found that insider threat incidents have been on the rise for the last four years, increasing by five percent since hitting a low point in 2015. This year’s report also shows that 34 percent of all breaches happened as a result of insider threat actors.
Today we’ll take a deeper dive into the insider threat data included in the report, and explain how to mitigate risk for your organization.
Industry Focus: Healthcare’s Insider Threats Outweigh External Actors
More than any other industry, healthcare’s breaches are overwhelmingly caused by insiders, with nearly 60 percent tied to inside actors. Healthcare is the only industry where insider-caused breaches outnumber external attack vectors, at least according to this report. (It’s worth noting that some experts, like Shawn Thompson of the Insider Threat Management Group, believe that these incidents are still undercounted and underreported.)
To get more specific, the DBIR points to an onslaught of accidental insider threats in the healthcare industry. Given stringent regulatory requirements like HIPAA and the need to move fast to stay competitive, mistakes have become rampant, leading to insider-caused threats. The use of stolen credentials, privilege abuse, and phishing attacks were the three most common types of confirmed attack.
The information technology sector followed suit, with 44 percent of breaches caused by internal actors. Many of these breaches were also accidental, but caused by privileged users. System administrators were often responsible for misconfigurations and publishing errors that caused the majority of these insider breaches. Many of these misconfigurations involved cloud storage databases, which often contain an organization’s most sensitive data.
The financial services sector came in third, with 36 percent of breaches attributed to insiders. Credential theft and phishing attacks were the most common types of breaches in this industry. Privilege misuse was also common in this industry, given the high-value target of financial data and personally identifiable information (PII).
Finally, 30 percent of public sector breaches were attributed to insiders. State-affiliated actors accounted for 79 percent of all breaches involving external actors in this industry, while privilege misuse and errors by insiders accounted for 30 percent of overall breaches. Many of these breaches took months or years to discover, and incidents involving privilege misuse took the longest for organizations to find.
Our Takeaway: Your insider threat program depends on the industry you are in, since different attacks and incidents are more common in different sectors. Rather than a one-size-fits-all approach, it’s a good idea to evaluate your unique weak points and the common attack vectors for your industry when developing an insider threat management strategy.
System Administrators and State-Sponsored Threats Rising
An insider threat can be defined as what happens when someone close to an organization, with authorized access, misuses that access to negatively impact the organization’s critical information or systems. With that definition in mind, two specific threat vectors have increased according to this year’s DBIR: system administrators and state-sponsored threats.
While the idea of rogue system administrators with malicious intentions seems much more cinematic, the reality is that admins most consistently cause accidental insider threat incidents. Their most common errors include:
- misconfiguring servers to allow for unintended access to sensitive data, and
- publishing data to public servers that should have been private or access-controlled.
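The two admin errors above are the kind of thing a periodic configuration audit catches before an outsider does. The following is an added example, not code from the original post or from ObserveIT: an offline check over a constructed inventory of object-storage buckets, shaped like AWS S3 bucket policies and ACLs, that reports any bucket readable by anonymous or any-signed-in principals and escalates when the bucket is tagged as holding sensitive data. The bucket names, classifications and policies are constructed sample data; nothing here calls a cloud API.

```python
"""
Offline audit of object-storage configuration for unintended public access.
Bucket records below are constructed sample data in the shape of AWS S3
bucket policies and ACLs (constructed; no cloud API is called).
"""
import json

# Grantee URIs that S3 uses for anonymous and any-signed-in-user ACL grants.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_anonymous(principal):
    """True if a policy Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_public_statements(policy):
    """Return Sids of Allow statements open to any principal with no Condition.

    A wildcard principal scoped by a Condition (e.g. to a VPC endpoint) is
    not flagged here, but still deserves a manual review.
    """
    if not policy:
        return []
    found = []
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def acl_public_grants(grants):
    """Return permissions granted to AllUsers/AuthenticatedUsers via the ACL."""
    return sorted(
        g["Permission"] for g in grants
        if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
    )


def audit_buckets(buckets):
    """Map bucket name -> list of findings (an empty list means clean)."""
    report = {}
    for b in buckets:
        findings = []
        for sid in policy_public_statements(b.get("policy")):
            findings.append(f"policy statement {sid} allows any principal")
        for perm in acl_public_grants(b.get("acl_grants", [])):
            findings.append(f"ACL grants {perm} to a public group")
        if findings and b.get("classification") == "sensitive":
            findings.append("bucket is classified sensitive: treat as exposure")
        report[b["name"]] = findings
    return report


# Constructed sample inventory: hypothetical bucket names, tags and policies.
SAMPLE_BUCKETS = [
    {   # ACL grant to AllUsers on a bucket holding regulated data
        "name": "patient-exports", "classification": "sensitive",
        "acl_grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ],
        "policy": None,
    },
    {   # Intentionally public website content: flagged, but not sensitive
        "name": "public-website-assets", "classification": "public",
        "acl_grants": [],
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-website-assets/*"}]},
    },
    {   # Wildcard principal restricted by a Condition: not reported as public
        "name": "finance-backups", "classification": "sensitive",
        "acl_grants": [],
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-backups/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]},
    },
]

if __name__ == "__main__":
    print(json.dumps(audit_buckets(SAMPLE_BUCKETS), indent=2))
```

Run on the sample inventory, the audit reports the patient-exports bucket as an exposure and the website bucket as public-by-policy, and leaves the conditioned finance bucket clean. In a real deployment the inventory would be pulled from the provider's API on a schedule and the "sensitive" tag would come from your data classification, so that an admin's publishing error surfaces within hours rather than the months the report describes.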
As we covered in the public sector section above, state-sponsored threat actors have also increased dramatically in the last year. Often, trusted insiders enable state-sponsored threats, infiltrating an organization’s external security defenses and stealing critical, non-public data on behalf of a government. A well-known example of a state-sponsored attack was Greg Chung from Rockwell-Boeing, who stole engineering secrets for the Chinese government for nearly 30 years.
Our Takeaway: The internal actors who enable nation-state attacks are most vulnerable to “turning” when they are in financial or career distress, so it’s a good idea to develop both social (HR management and security awareness training) and technical defenses against insider threats like these.
C-Suite is a Popular Target for Social Engineering Attacks
Unfortunately, the higher up you are in a company, the more likely you are to become a target for phishing and social engineering attacks. The DBIR found that top-level execs are 12 times more likely to be the target of social incidents and nine times more likely to cause social breaches. (Interestingly, these types of social engineering attacks are very much on the rise.) C-level executives are, of course, high-value targets for hackers, and their busy schedules may mean that they’re more likely to click quickly before they’ve had a chance to think about whether a link is malicious or legitimate.
Our Takeaway: When organizations conduct insider threat training and security awareness in general, execs sometimes get left out of the equation. After all, they have plenty on their plates as it is. But these attacks make it clear that insider threat training should apply to everyone in the organization, including, and perhaps even focusing on, the C-Suite.
What to Do About Insider Threats in Your Organization
The steep rise in insider threat incidents over the last four years points to the need for a comprehensive insider threat management strategy. An effective strategy combines cybersecurity awareness training (to avoid these costly mistakes) with technology to identify and mitigate the risk of insider threats. A dedicated insider threat management platform like ObserveIT can help organizations quickly identify and investigate potential incidents. Security analysts can use ObserveIT to gain comprehensive visibility into both user and data activity, so they can know who did what, when, and why.
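Knowing who did what, when, and why starts with an activity log that can be queried and triaged. The following is an added example, not ObserveIT's logic or code from the original post: a rule-based triage over a constructed user-activity log that summarizes activity per user and flags the privilege-misuse indicators discussed above (administrative actions performed by a non-admin role, a user granting privileges to themselves, and bulk exports or role changes outside business hours). The log format, the usernames, the role policy and the business-hours window are all constructed assumptions.

```python
"""
Rule-based triage of a user-activity log for privilege-misuse indicators.
The log lines, roles and thresholds below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: ISO-8601 UTC timestamp, user, role, action, target.
SAMPLE_LOG = """\
2019-05-14T09:12:03Z alice analyst read customer/1001
2019-05-14T09:13:41Z alice analyst read customer/1002
2019-05-14T22:47:10Z bob analyst export customer/*
2019-05-14T23:02:55Z bob analyst grant_role self admin
2019-05-15T08:01:00Z carol admin grant_role dave analyst
2019-05-15T08:05:12Z dave analyst read customer/2001
malformed line that should be skipped
"""

# Actions reserved for administrators (hypothetical policy for this example).
ADMIN_ACTIONS = {"grant_role", "revoke_role"}
# Actions that move or change a lot at once; outside these UTC hours they
# are not wrong by themselves, but they merit an analyst's look.
HIGH_IMPACT_ACTIONS = {"export", "grant_role"}
BUSINESS_HOURS = range(7, 19)


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue
        ts, user, role, action, target = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append({"time": when, "user": user, "role": role,
                       "action": action, "target": target})
    return events


def flag_events(events):
    """Return (event, reason) pairs for every misuse indicator that fires."""
    flagged = []
    for e in events:
        reasons = []
        if e["action"] in ADMIN_ACTIONS and e["role"] != "admin":
            reasons.append("admin action by non-admin role")
        if e["action"] == "grant_role" and e["target"].startswith("self"):
            reasons.append("self-granted privilege")
        if e["action"] in HIGH_IMPACT_ACTIONS and e["time"].hour not in BUSINESS_HOURS:
            reasons.append("high-impact action outside business hours")
        flagged.extend((e, r) for r in reasons)
    return flagged


def activity_by_user(events):
    """Who did what and when: user -> chronological list of (time, action, target)."""
    summary = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        summary[e["user"]].append((e["time"].isoformat(), e["action"], e["target"]))
    return dict(summary)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e, reason in flag_events(evs):
        print(f"{e['time'].isoformat()} {e['user']:6} {e['action']:10} {reason}")
    for user, acts in activity_by_user(evs).items():
        print(user, acts)
```

On the sample log every flag lands on the same user, which is the point: the "why" question is answered by lining up the off-hours export with the self-granted admin role minutes later. Fixed rules like these are a starting point; a production program adds a per-user baseline so that a sudden change in volume or working pattern is flagged even when no single action is forbidden.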