As the defence against insider threats is broad, layered and varied, so too are the costs involved, says Emile Abou Saleh, Regional Director, Middle East and Africa, Proofpoint.
Insider threats are on the rise: up 47 percent year-on-year, in fact. And organisations are paying a heavy price. According to the latest Cost of Insider Threats 2020 Global Report, impacted organisations in the Middle East spent on average $11.65 million annually on insider threats overall. Moreover, regional enterprises have experienced the highest number of insider-related incidents over the past 12 months, and are likely to experience credential theft.
Figures of this magnitude can be difficult to relate to. But for the organisations behind them, the impact of an insider threat is incredibly real. Costs quickly arise from additional labour and investment in technology, through to business disruption and revenue loss.
As with external threats, attackers’ tactics and motives differ. Unlike outside attackers, insiders do not need to breach defences, and many are unaware they’re a threat at all – making them hard to profile, harder to detect and extremely difficult to defend against.
Insider threats – be they intentional or not – cannot be entirely avoided. That’s not to say that businesses must accept these costs, however. By taking a proactive approach, through cost-effective tools and training, incidents can be minimised, and costs controlled.
The financial reality of insider threats
As the defence against insider threats is broad, layered and varied, so too are the costs involved. From the proactive (monitoring and surveillance) to the reactive (post-analysis and remediation), an insider threat impacts numerous activity centres across an organisation.
Threats must be thoroughly investigated to determine the source and scope, escalation and planning meetings are required to inform all necessary stakeholders, and a response strategy must be put into action. All of which carries a substantial cost. As a result of a single insider threat, organisations spend around $22,000 on monitoring and surveillance and $125,000 on investigation and escalation.
All this before accounting for the costliest part of the operation: containment. Containing an insider incident accounts for one-third of the total costs involved, at approximately $211,000. Closely followed by remediation at $147,000 and incident response at $118,000.
Unsurprisingly, technology and labour are the two largest cost categories, accounting for almost half of the total outlay between them. This covers overtime, additional personnel, contractors and any software and hardware needed to remedy the situation.
With the scope of a single incident laid bare, it’s easy to see why insider threats can be so destructive. Add a potential PR disaster and damage to reputation, and the stakes are seldom higher.
The most effective way to avoid such substantial financial consequences is to minimise the risk of an insider threat occurring in the first place. While proactive measures also carry a cost, it is always better to spend a penny on prevention than a pound on cure.
Unfortunately, many organisations are lacking in this area. Training, while prevalent, is often inadequate and the methods used are rarely the most cost-effective.
The current battleground
The recent State of the Phish report found that 95 percent of organisations around the world undertake some form of cybersecurity training with employees. Unfortunately, under further examination, the content, frequency and methods used are found wanting.
For most employees, security training totals just three hours over the course of a year. Many organisations only train a portion of their users and do not carry out in-person sessions or simulated attacks.
As a result, much of the workforce is uneducated about common cyber threats. Just 61 percent could correctly define phishing, with only 31 percent recognising ransomware and 66 percent familiar with malware. Against this backdrop, the rise in negligent insiders makes perfect sense. When it comes to preventing insider threats, most organisations opt for a combination of user awareness training, data loss prevention, and user behaviour analytics to educate and equip staff.
By far, the most cost-effective method of minimising and managing insider threats is a combination of awareness training, user behaviour analytics, and privileged access management (PAM) – the latter reducing average costs by $3.1m. Despite this, PAM is only deployed by 39 percent of organisations.
Don’t be left counting the cost
All organisations must implement a comprehensive and effective insider threat management program to deter, detect and defend against rising numbers of incidents.
The most effective way to avoid the damage caused by insider threats is to prevent them where possible. Use the tools available to flag suspicious activity, block unusual access requests and ring-fence sensitive information and privileged credentials.
Training and education are just as important. Ensure that your users are aware of common threats, that they understand how their behaviour can increase the likelihood and success of attacks, and that they understand their role in defending against these threats.
If an attack is successful, containment is key. The faster an incident is contained, the lower the cost. Ensure protocols and protections are in place to identify and rectify any incident as soon as possible.
Before, during and after an insider threat, vigilance and responsiveness are vital. The better you know your people, your environment and your systems, the better you can protect them from threats – whether they’re knocking at the door, or already inside.