As organizations adapt to the new normal, it is worth reflecting on what drives the increasing risk of insider threats and how the situation is worsened by more employees than ever working from home, using new applications and tools, and relying on cloud apps.
The 2021 Insider Threat Report is based on an online survey of hundreds of cybersecurity professionals, conducted in January 2021, to capture the latest trends, key challenges, and solutions for insider threat management. Its key findings:
- Insider attacks are becoming more frequent: 68% of organizations observed more frequent insider attacks over the last 12 months (compared with 57% reporting an increase in last year's survey), and 59% have experienced one or more insider attacks within the last 12 months.
- An overwhelming 66% of organizations feel moderately to extremely vulnerable. Only 2% say they are not at all vulnerable to an insider attack.
- Most organizations (63%) consider themselves only somewhat effective or worse at monitoring, detecting, and responding to insider threats; only 37% rate themselves very to extremely effective.
- Comparing internal to external attacks, 50% of respondents say internal attacks are more difficult to detect and prevent than external cyber-attacks. Because insiders operate with approved access privileges, their actions pass every access-control check, and distinguishing legitimate use from malicious activity is hard.
- Another factor making detection of insider attacks more difficult is the shift toward cloud computing, cited by 53% of cybersecurity professionals.
- Visibility and control are paramount in preventing an insider threat. Almost all organizations (85%) consider unified visibility and control across all apps, devices, web destinations, on-premises resources, and infrastructure moderately to extremely important.
- Thirty-seven percent of organizations deploy multiple but integrated products to provide unified visibility and control. However, most organizations (58%) use disjointed, separate, or no tools and struggle to detect insider threats.
- The continued threat from insiders has pushed cybersecurity professionals to deploy User Behavior Analytics (UBA) tools to help detect, classify, and alert on anomalous behavior. More than 80% of organizations monitor user behavior in one way or another. The two most common approaches are tied at 28%: access logging only, and automated tools that monitor user behavior.
- When asked about visibility into user activity, organizations continue to rely on server logs to track user behavior (40%), followed by User and Entity Behavior Analytics (UEBA) (30%) and in-app audit features (28%).
- Organizations report the highest visibility for detecting anomalous behavior on privileged accounts (61%), followed by service accounts (41%) and document repositories (40%). In contrast, visibility into cloud applications is low (28%), and visibility into IoT and SCADA devices is lower still (7%).
- Of the organizations using analytics to detect insider threats, the top two approaches are tied at 29%: activity management and summary reports, and data behavior, access, and movement analytics. User behavior analytics follows closely at 25%.
- The hurdles preventing organizations from getting the most out of their SIEM have not changed significantly in this year's survey. Insufficient resources remain the biggest challenge (33%), followed by false positives (29%) and difficulty detecting unknown threats (17%).
- When using Data Leakage Protection (DLP), organizations continue to face a variety of challenges, most prominently keeping policies up to date at the pace of business needs (30%). This year, too many false positives (28%, up from 23%) and limited data/file visibility (22%, down from 23%) swapped places as the next two biggest hurdles compared with last year.
- Organizations focus on deterrence (63%) and detection (48%) as their primary means of mitigating insider threats; analysis and post-breach forensics (37%) follow.
- Forty-two percent of organizations have only limited capabilities to defend against insider threats. Of the organizations that are actively defending against insider threats, 26% use artificial intelligence and machine learning, followed by big data analytics (24%).
- Half the respondents claim they can detect insider threats within the same day (50%), 18% even within minutes of an attack. Twenty-five percent can detect an insider attack within a week and 12% within a month. Only 5% report they have no ability to detect an insider attack.
- Most organizations say they could recover from an attack within a day (57%). Extend that to a week and the percentage of organizations that can recover jumps to 79%. Only one percent of companies believe they would never fully recover from a successful insider attack.
- Given the impact insider threats have on an organization, it is surprising that nearly a fifth (18%) still cannot detect insider threats, and 31% can only remediate after data loss has occurred, when the business impact is much larger.
- Eighty-two percent of companies find it moderately to very difficult to determine the damage incurred by insider attacks. Only about one in five (18%) have found a way to understand insider damage better.
- Insider threats impact an organization in many ways. This year, loss of critical data tops the list (40%). Operational disruption remains among the top three, but the share of companies reporting an impact on their ability to operate successfully has dropped sharply since last year (54% to 33%).
- Considering the rising risk of insider threats, it is no surprise that 40% of organizations already have an insider threat program in place. Another 41% are planning to add insider threat programs. (Source: Cybersecurity Insiders)
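The findings above single out the core detection problem (insiders act with approved access, so allow/deny policy never fires) and the most common answers to it (access logging and UBA/UEBA baselining, with false positives as the main SIEM hurdle). The following is an added example, not code from the Cybersecurity Insiders report or any vendor, showing the simplest form of that baselining: each user is compared against their own history, so a spike in volume or a first-ever off-hours session stands out even though every access was authorized. The log format, the two users and their activity, the business-hours window and the z-score threshold are all assumptions constructed for the example.

```python
"""Baseline-versus-observation check over access logs (user behavior analytics).

Added example, not code from the Cybersecurity Insiders report or any vendor.
Every access in the sample is authorized, so an allow/deny policy would never
flag it; the only signal is deviation from the user's own history. The log
format, user names, business-hours window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "ISO-timestamp user action resource", authorized accesses only.
# alice reads 2-3 finance documents a day during business hours, then on 2021-01-07
# touches 12, five of them late at night. bob is steady throughout.
SAMPLE_LOG = """\
2021-01-04T09:12:00 alice read /finance/q4-forecast.xlsx
2021-01-04T14:30:00 alice read /finance/budget.xlsx
2021-01-05T08:50:00 alice read /finance/vendor-list.xlsx
2021-01-05T11:20:00 alice read /finance/q4-forecast.xlsx
2021-01-05T16:05:00 alice read /finance/payroll-summary.xlsx
2021-01-06T10:02:00 alice read /finance/budget.xlsx
2021-01-06T15:40:00 alice read /finance/q4-forecast.xlsx
2021-01-07T09:05:00 alice read /finance/budget.xlsx
2021-01-07T09:20:00 alice read /finance/q4-forecast.xlsx
2021-01-07T09:35:00 alice read /finance/vendor-list.xlsx
2021-01-07T09:50:00 alice read /finance/payroll-summary.xlsx
2021-01-07T10:05:00 alice read /finance/contracts-2020.xlsx
2021-01-07T10:20:00 alice read /finance/contracts-2019.xlsx
2021-01-07T10:35:00 alice read /finance/bank-accounts.xlsx
2021-01-07T21:10:00 alice download /finance/payroll-summary.xlsx
2021-01-07T21:25:00 alice download /finance/bank-accounts.xlsx
2021-01-07T22:40:00 alice download /finance/contracts-2020.xlsx
2021-01-07T23:05:00 alice download /finance/contracts-2019.xlsx
2021-01-07T23:30:00 alice download /finance/vendor-list.xlsx
2021-01-04T09:30:00 bob read /hr/onboarding-checklist.docx
2021-01-04T13:00:00 bob read /hr/policy-handbook.pdf
2021-01-05T09:45:00 bob read /hr/onboarding-checklist.docx
2021-01-05T14:10:00 bob read /hr/policy-handbook.pdf
2021-01-06T10:00:00 bob read /hr/policy-handbook.pdf
2021-01-06T15:00:00 bob read /hr/onboarding-checklist.docx
2021-01-07T09:15:00 bob read /hr/policy-handbook.pdf
2021-01-07T16:30:00 bob read /hr/onboarding-checklist.docx
"""


def parse(log_text):
    """Parse log lines into (timestamp, user, action, resource) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, action, resource))
    return events


def per_user_days(events, day_start=7, day_end=19):
    """user -> date -> [total accesses, accesses outside business hours]."""
    table = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, user, _, _ in events:
        cell = table[user][ts.date()]
        cell[0] += 1
        if not day_start <= ts.hour < day_end:
            cell[1] += 1
    return table


def find_anomalies(events, k=3.0, sigma_floor=1.0, day_start=7, day_end=19):
    """Return (user, date, reason) for days that deviate from the user's own baseline.

    The baseline for a day is every *other* day in that user's history (leave-one-out),
    so the day under test cannot drag the mean toward itself. sigma_floor keeps a
    near-constant history from turning a change of one access into a huge z-score,
    which is the cheapest lever against the false-positive flood the survey reports.
    """
    table = per_user_days(events, day_start, day_end)
    findings = []
    for user, days in table.items():
        for day in sorted(days):
            total, off_hours = days[day]
            history = [cell for d, cell in days.items() if d != day]
            if len(history) < 2:
                continue  # not enough history to call anything anomalous
            counts = [cell[0] for cell in history]
            mu, sigma = mean(counts), max(pstdev(counts), sigma_floor)
            z = (total - mu) / sigma
            if z > k:
                findings.append((user, day.isoformat(),
                                 f"{total} accesses vs baseline {mu:.1f}+/-{sigma:.1f} (z={z:.1f})"))
            if off_hours and all(cell[1] == 0 for cell in history):
                findings.append((user, day.isoformat(),
                                 f"{off_hours} off-hours access(es); none in baseline"))
    return findings


if __name__ == "__main__":
    for user, day, reason in find_anomalies(parse(SAMPLE_LOG)):
        print(f"{day} {user}: {reason}")
```

Run as-is, it reports only alice on 2021-01-07, once for volume and once for the off-hours session; bob, with an identical routine every day, produces nothing. A production UBA/UEBA tool would replace the whole-history baseline with a rolling window, add a peer-group comparison (is this volume normal for the finance team, not just for alice?), and weight sensitive repositories more heavily, but the shape of the decision is the same: a deviation from established behavior, not a policy violation.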