More than one in four attacks suffered by organisations over the past year were carried out by insiders, driven largely by financial gain, simple errors, misuse or espionage.
This was revealed in the Verizon 2018 Data Breach Investigations Report, based on the analysis of thousands of real-world incidents across 65 countries numbering over 53 000 this year, including 2 216 confirmed data breaches.
However, some industries fared worse than others. In healthcare, a whopping 56% of incidents were as a result of insiders, 35% of them human error and 24% misuse. According to Verizon, healthcare is the only industry where the threat from inside is greater than that from outside, adding that staff are abusing their access to systems or data.
For the public sector, cyber espionage is a top concern, and proved to be the motivation behind 44% of breaches. The report revealed that 37% of incidents are due to insiders in the public sector, with 67% originating from outside.
Verizon said: "Attacks usually involve phishing, installations and the use of backdoors or C2 channels. But it's not just state secrets being targeted, the personal data you hold on citizens and employees is also at risk."
Other industries have more to worry about from outside threat actors. In manufacturing, a full 89% of attacks are carried out by outsiders, and the target is usually the planning, research and development for a new product or solution. "Nearly half (47%) of breaches involved the theft of intellectual property to gain competitive advantage."
Hard cash
According to the report, the majority of cyber crooks (76%) are financially motivated, looking to steal payment card data, personally identifiable information or intellectual property.
Verizon says they are also opportunistic. They don't necessarily target the rich, or multimillion dollar corporates, they target those who are unprepared.
To err is human
Malicious insiders looking for financial gain aren't the only threat to business. Mistakes were the cause of a full 17% of breaches, the report revealed. This could include staff members sending mails to the wrong people, failing to shred confidential information, or misconfigured Web servers.
Moreover, despite widespread warnings not to do so, 4% of people will still click on any phishing campaign that comes there way. On the plus side, 78% said they did not click on a single campaign throughout the year.
Interestingly enough, the more phishing e-mails an individual has clicked, the more likely they are to do so again.
The worst-case scenario
Ilia Kolochenko, CEO of web security company High-Tech Bridge, says the worst-case scenario would be a hybrid attack involving external and internal actors. "Virtually no effective defence exists against such a toxic cocktail. The vast majority of organisations almost blindly trust their employees and build many sensitive systems with incorporated trust to their personnel."
Ongoing HR due-diligence, awareness programmes and monitoring of anomalous behaviours are crucial to an organisation's security posture, he says. "Sometimes, security awareness can reliably prevent disasters - many people simply do not realise that a particular act, that may appear innocent at the first glance, is a serious criminal offence."
According to Kolochenko, the insider threat has been a problem for all organisations for some time, and is exacerbated by the complexity and cost of security controls and remedies.
"Protecting your internal systems from malicious authorised employees is highly complicated compared to defence from external attacks. Many enterprise systems simply do not have security controls that can be integrated to prevent malicious insider activities or innocent human mistakes."
Continuous monitoring solutions that highlight any unusual employee activity are available, he advises, adding that machine learning and AI technologies have the potential to significantly simplify this task.
Share