Decoding the Evolution of Insider Threats: The ESG Insider Threat Program Realities Report


Over the years, we have conducted hundreds of insider threat assessments and have investigated too many insider incidents to count. Anecdotally, it certainly feels like insider threats -- and the methods that companies use to address them -- are changing. The entire world, after all, is in a period of rapid technological evolution. Insider threats are all about how people use technology, so it would stand to reason that the nature of these risks is evolving, too.

But we wanted to know more. How, exactly, are security professionals feeling the impacts of this period of change? How are they adapting security policies, if at all? What really are the biggest problems facing security professionals today in the fight against insider threats?

To answer these questions, we partnered with research firm Enterprise Strategy Group (ESG) to release the Insider Threat Program Realities Insights Report. This report surveyed 300 security and IT professionals in the US to uncover the greatest challenges facing organizations in developing insider threat strategies.

The results? The report confirms what we suspected: security pros are definitely feeling the effects of the insider threat evolution, and most agree that there has indeed been a change in the last several years.

Here are a few highlights... 

A Limited View of Insider Threats

 60% of those surveyed had a myopic view of insider threats, meaning that they identified only partial definitions of what constitutes an insider threat.

 This result was not altogether surprising to us, because we frequently see misconceptions and overly limited definitions of what, exactly, an “insider threat” is. Insider threats actually encompass three very different kinds of users:

  1. Malicious insiders, or, inside users/employees who intentionally wish to harm the organization (this is the most commonly repeated definition of insider threats).
  2. Compromised insiders, or insiders who have had their credentials stolen or compromised by an outsider.
  3. Negligent insiders, or, users/employees who put data at risk through negligence, laziness, or simple human error.

 Only 40% of respondents correctly identified this full scope of insider threats, which is troubling. Insider threats are such a significant threat because of the sheer breadth of ways that humans (and the natural variances in behavior, intent, and motive that make humans, well… human) can put data at risk. Developing an effective insider threat program is challenging precisely because of this variety -- and addressing only one small slice of the risk leaves organizations blind to what users are really doing, and open to risks of data breach and attack.

A Rising Challenge

 62% of respondents said that it is at least somewhat more difficult to detect insider threats now than it was two years ago.

 This result echoes what we’ve been seeing in the field as well. Even in the last couple of years alone, the way that people interact with technology day-to-day has changed significantly -- and this, naturally, is going to make insider threats more difficult to detect.

 The follow-up questions confirm this as well. Most respondents say that detection is more difficult because insider threats are becoming more sophisticated -- this makes sense, considering that the average employee has access to much more sophisticated technology than they did before.

Other reasons cited include the wider adoption of the cloud, a larger corporate attack surface, and greater volumes of data.

All of these are ultimately symptoms of a universal truth: users are becoming further ingrained with technology, and security professionals are feeling the challenges that come along with that in a big way.

Growing Struggles with Traditional Solutions

2 out of 3 respondents said that they struggled to turn data into actionable insights.

In fact, this is just one of the many struggles that respondents voiced about traditional security solutions -- they also expressed challenges with UEBA, DLP, and employee monitoring solutions.

This is the natural conclusion to this story. We have already established that insider threats are a broader problem than many people think, and that they are definitively getting more difficult to detect. It’s only a natural conclusion, then, that traditional methods of dealing with insider threats are not going to be as effective as they once were. Traditional solutions like employee monitoring, UEBA, and DLP solutions can absolutely have their place in a balanced insider threat strategy -- but none of them are catch-all solutions. In fact, we would argue that in today’s world, there is no catch-all solution.

The only way to deal with modern insider threats is to truly see and understand them. It’s not about a quantity of data, building more rules, watching employees more closely, or heavier blocking. It’s about getting the right data, achieving the visibility to truly see and understand user behavior, and highlighting users in a way that takes into account the individual variances in user behavior.

The Conclusion: Change is on the Horizon

These results all confirm that security professionals are experiencing exactly what we’ve been seeing in the field. A changing world means changing threats, and changing threats mean that insider threat programs need to evolve, too. Security teams cannot afford to get complacent. What worked two years ago will not work today, and what works today will need to be adjusted and tweaked in the months or years to come, too.

This is why organizations need to see, in a broad way, how their users are interacting with data enterprise-wide -- with endpoints, networks, and data. An approach based on valuable data and user visibility will give organizations the foundation to detect all forms of insider threats and run more valuable analytics. But beyond that, it will provide the ability to understand where the highest risks are and proactively identify what works and what doesn’t.

Ultimately, a knowledge-based, agile and flexible approach is critical to developing an insider threat program that can stand the test of time.

The ESG Insider Threat Program Realities report also includes many other interesting insights into today’s insider threat challenges. ESG Senior Principal Analyst Jon Oltsik and Dtex Global Insider Threat Expert Katie Burnell will be discussing the findings in greater detail in today’s webinar – register now! 
