Damaging And Costly Can An Insider Threat Incident Be?
Organization Recover From The Severe Impact An Insider Threat Incident Could
Insider Threats Incidents - Could These Happen To Your
NITSIG Insider Threat Awareness E-Magazine
Read through this on-line resource to
see story after story related to the Insider Threat Incidents that have
affected government and
Employee Sabotages Company's Network Servers
When Mitchell learned he was going to be fired in June of 2012 from the
oil and gas company EnerVest Operating, he “remotely accessed EnerVest’s
computer systems and reset the company’s network servers to factory
settings, essentially eliminating access to all the company’s data and
applications for its eastern United States operations,” a Department of
Justice spokesperson wrote in a release on his conviction. “Before his
access to EnerVest’s offices could be terminated, Mitchell entered the
office after business hours, disconnected critical pieces of…network
equipment, and disabled the equipment’s cooling system.” As a result of
his actions, the company
lost some of its data
hundreds of thousands of dollars repairing equipment and recovering
It took a month to bring the company’s office back online,
company as much as $1 million in lost business.
Home Depot’s Former Security Architect Had History Of Techno-Sabotage
NITSIG Workplace Violence E-Magazine
Read through this on-line resource to
see story after story related to the Workplace Violence Incidents that
have affected government and
Workplace Violence - The Type Of Insider Threat Requiring Much Great
very disgruntled employees "Insiders" have resorted to workplace
violence, in some cases resulting in the deaths of innocent
coworkers. A company that ignores the warnings signs could face
the Occupational Safety and Health Administration (OSHA),
approximately 2 million employees are victims
of workplace violence each year. 18% of violent crimes are
committed at the workplace, and roughly 800 workplace homicides
occur each year. Between January 2009 and July 2015, there were 133
mass shootings in the workplace and shootings account for 78 % of
all workplace homicides. Violence in the workplace must be a top
concern for employers, as no organization is immune from workplace
violence and no organization can completely prevent it. (Source)
A robust and
effective Insider Threat Program will train Security Professionals,
Supervisors, Managers and Employees to identify "Behavioral
Indicators" that are warning signs for workplace violence, including
employees who do not accept criticism and express anger and blame
others for their own poor performance; unexplained increase in
absenteeism; increased and severe mood swings and noticeably
unstable or emotional responses; frequent loss of temper;
personality conflicts with co-workers; increasing dialog about
problems at home, including marital, family or financial struggles;
increase in unsolicited comments about violence, firearms and
violent crimes; increased use of alcohol or illegal drugs;
exhibiting signs of depression and withdrawal; and experiencing a
company take the chance that one of your "Trusted Employees" might
commit workplace violence?
Jury Awards Over $1 Million In Negligent Hiring Lawsuit Involving
Insider Threat Reports And Surveys
DoD PERSEREC Report - The Expanding Spectrum Of Espionage By Americans
1947 - 2015
report is the fourth in the series on espionage by Americans that the
Defense Personnel and Security Research Center (PERSEREC) began
publishing in 1992. The current report updates the scope of earlier work
by including recent cases, and it extends the scope by exploring related
types of espionage in addition to the classic type.
There Are 3 Parts Of The Report
Part 1 - Presents findings on characteristics of
Americans who committed espionage-related offenses since 1947. The
findings are based on analyses of data collected from open sources.
Part 2 - Explores the five types of espionage committed by the
209 individuals in this study: classic espionage, leaks, acting as an
agent of a foreign government, violations of export control laws, and
economic espionage. Each type is described by its legal bases; examples
of cases and comparisons with the other types of espionage are provided.
Part 3 - Considers the impact of the context in which espionage
takes place, and discusses two important developments: (1) information
and communications technologies (ICT), and (2) globalization.
Defending Against the Wrong Enemy: SANS Insider
Organizations Recognize The Importance Of Insider Threat.
Survey results are very promising in that they indicate
organizations recognize insider threat as the most potentially damaging
component of their threat environments. Interestingly, there is little
indication that most organizations have realigned budgets and staff to
coincide with that recognition.
Losses Due To Insider Threat Are Largely Unknown
Relatively few respondents were able to quantify either real or
potential losses due to insider threat. Organizations often do not spend
money in a critical area if they cannot quantify the losses. This could
explain why insider threat is a concern but not a primary focus.
Incident Response Is Not Focused Primarily On The Insider
Despite recognition of insiders as a common and vulnerable point
of attack, fewer than 20% of respondents reported having a formal
incident response plan that deals with insider threat. The primary focus
of incident response is to recover from an adverse event. Incident
response plans that are focused on external threats might explain why
many organizations struggle to respond to incidents involving insiders.
Detection Of Insider Threat Is Still Not Effective.
More than 60% of the respondents claimed they have never
experienced an insider threat attack. This result is very misleading. It
is important to note that 38% of the respondents said they do not have
effective ways to detect insider attacks, meaning the real problem may
be that organizations are not properly detecting insider threats, not
that they are not happening.
Organizations Must Deal With Both Malicious And Accidental Insider
When most people hear the term insider threat, they typically think of
the malicious insider, who is purposely causing harm to an organization.
Although this type of insider will always be a concern, the bigger
threat to most organizations is the accidental insider—a legitimate user
whose login has been stolen or who has been manipulated into giving an
attacker access through other means. It is possible that respondents did
not consider those compromised insiders as being part of what is
considered an insider threat. Respondents to the survey most frequently
cited malicious employees (43%) as their biggest concern. It is
promising, however, that the accidental or negligent insider is a very
close second (at 39%), which means organizations are focusing more
resources in the correct area
GAO Report On
Insider Threat From Federal Workers
- February 14, 2017
The GAO released a
report about the the Cyber Insider Threat titled; CYBERSECURITY -
Actions Needed To Strengthen U.S. Capabilities
The report points a finger at "Insider Threats" from federal workers on
the government's vast cyber and computer system, joining
"foreign nations" as a danger to sensitive and classified information
and even personal info.
The GAO also declared frustration with the Obama administration in its
new report, over its failure to implement 1,000 security fixes needed to
close the door to hackers, inside and out. In testimony to Rep. Barbara
Comstock's subcommittee in February 2017, Gregory Wilshusen, director of
information security issues for GAO, hit the government for failing to
act on 1,000 of 2,500 cybersecurity recommendations it has made.
The GAO report, requested by Rep. Barbara Comstock, the northern
Virginia Republican who represents thousands of federal workers, is
blunt in its assessment of the threats to cybersecurity.
"Federal systems and networks are also often interconnected with other
internal and external systems and networks including the Internet,
thereby increasing the number of avenues of attack and expanding their
attack surface," said the report.
"Risks to cyber assets can originate from unintentional and intentional
threats. These include insider threats from disaffected or careless
employees and business partners, escalating and emerging threats from
around the globe, the steady advances in the sophistication of attack
technology, and the emergence of new and more destructive attacks," it
added, pointing a finger to federal insiders.
About Insider Threats At US Airports - House Homeland Security Committee
February 6, 2017
The House Homeland
Security Committee Majority Staff has issued a report entitled
‘America’s Airports: The Threat From Within’ that examines employee
screening at the approximately 450 airports in the U.S. under federal
control and found that “much more needs to be done to improve the state
of access controls and mitigate the insider threat facing America’s
According to the 21-page report: Approximately 900,000 people work at
these airports, and many are able to bypass traditional screening
requirements that travelers visiting the airports must endure. While the
overwhelming majority of these airport workers take the inherent
responsibility seriously, there are increasing concerns that insider
threats to aviation security are on the rise.
The report – the result of an investigation conducted by Transportation
and Protective Security Subcommittee – continued: The Subcommittee has
worked closely with the Transportation Security Administration (TSA) and
the aviation stakeholder community to examine how we can work together
to improve access controls and employee screening at our nation’s
“The recommendations outlined in this report, along with the
requirements of the Aviation Employee Screening and Security Enhancement
Act of 2017, which I introduced today, will serve as a roadmap for TSA,
airports, and air carriers to close security vulnerabilities at our
nation’s airports,” Subcommittee Chairman John Katko (R-NY) stated in a
press release about the report.
The Subcommittee “found that a majority of airports do not have full
employee screening at secure access points” and that these airports “are
unable to demonstrate the security effectiveness of their existing
employee screening efforts, which consist largely of randomized
screening by TSA officers or airport law enforcement personnel,”
according to the press release.
The report made nine recommendations that include examining the costs
and feasibility of expanded employee screening, educating aviation
workers on their role in mitigating insider threats, targeting the use
of employee screening to be more strategic, and implementing the Federal
Bureau of Investigation’s (FBI) RapBack Service for all credentialed
aviation worker populations.
Recent examples of insider threats discussed in the report include an
attempt to detonate a bomb at an airport, gun and drug smuggling, and
employees who became involved in terrorist activities overseas. The
complete “America’s Airports: The Threat From Within” report is
Data Breaches Report - January 19, 2017
Data breaches in the
U.S. healthcare field cost $6.2 Billion dollars each year.
The average cost of
a single data breach across all industries is $4 Million dollars,
according to a 2016 study from IBM and Ponemon Institute.
Approximately 90% of
hospitals have reported a breach in the past two years, and most
breaches are due to employee error.
The average HIPAA
settlement fine is approximately $1.1 Million dollars.
notification costs $560,000 on average.
with lawsuits average $880,000.00.
Post data breach
cleanup costs average $440,000.00
organizations average $500,000.00 in lost brand value after a data
breach, with some estimates reaching $50 Million dollars as an average
amount in lost brand value.
Kroll Annual Global Fraud And Risk Report
- 2016 / 2017
Data 82% of
executives surveyed worldwide experienced a fraud incident in the past
year compared to 75% in 2015.
85% of executives reported
at least one cyber incident and over two-thirds reported security
Fraud, cyber, and security
incidents are now the “new normal” for companies across the world,
according to the executives surveyed for the report, highlighting the
escalating threat to corporate reputation and regulatory compliance.
concerns about external attacks, the findings reveal that the most
common perpetrators of fraud, cyber, and security incidents over the
past 12 months were current and former employees.
Six out of ten respondents
(60%) who worked for companies that suffered from fraud identified a
combination of perpetrators that included current employees, former
employees, and third parties. Almost half (49%) said incidents involved
all three groups. Junior staff were cited as key perpetrators in
two-fifths (39%) of fraud cases, followed by senior or middle management
(30%) and freelance or temporary employees (27%). Former employees were
also identified as responsible for 27% of incidents reported.
Overall, 44% of
respondents reported that Insiders were the primary perpetrators of a
cyber incident, with former employees the most frequent source of risk
(20%), compared to 14% citing freelance or temporary employees and 10%
citing permanent employees.
Adding agents or
intermediaries to this “Insider” group as quasi-employees increases the
proportion of executives indicating Insiders as the primary perpetrators
to a majority, 57%.
Over half of respondents
(56%) said Insiders were the key perpetrators of security incidents,
with former employees again the most common of these (23%).
KPMG Report - Global
Profiles Of The Fraudster
In a recent research report by KPMG, Global Profiles of the
Fraudster, fraud is a global issue. It harms corporate reputations,
costs millions and ruins lives. It's a heavy economic and moral burden
on society. This report analyzed profiles of 750 cyber-crooks
investigated by forensic specialists across 81 countries, and produced
what it calls the "New Face Of Fraud"'
Some Of The
Interesting Facts From This Report
69% Were Between The Ages
of 36 and 55
65% Were Employed By The
Company That Was Hacked
35% Were Executives Or
38% Had Been With The
Company For At Least Six Years
38% Described Themselves
As Well-Respected In Their Company
62% Colluded With Others
In Their Crimes
How Is Insider Fraud
Accomplished And Why?
Creation Of False Or
Misleading Information In Accounting Records : 24%
False Or Misleading
Information Via Email Or Another Messaging Platform: 20%
Abuse Permissible Access
To Computer Systems: 13%
The report highlights
technology as one of the key elements involved in white-collar crimes
across the globe.
While personal gain was
the predominant overriding motivation for committing fraud (60%), the
sense of “Because I Can” was third at 27%, according to the report.
Association Of Computer
Fraud Examiners Fraud Report
The total loss caused by
the cases in our study exceeded $6.3 billion, with an average loss per
case of $2.7 million.
Fraud perpetrators tended
to display behavioral warning signs when they were engaged in their
crimes. The most
common red flags were living beyond means, financial difficulties,
unusually close association with a vendor or customer, excessive control
issues, a general “wheeler-dealer” attitude involving unscrupulous
behavior, and recent divorce or family problems. At least one of these
red flags was exhibited during the fraud in 78.9% of cases.
The most prominent
organizational weakness that contributed to the frauds in our study was
a lack of internal controls, which was cited in 29.3% of cases, followed
by an override of existing internal controls, which contributed to just
over 20% of cases.
The more individuals
involved in an occupational fraud scheme, the higher losses tended to
be. The median loss caused by a single perpetrator was $85,000. When two
people conspired, the median loss was $150,000; three conspirators
caused $220,000 in losses; four caused $294,000; and for schemes with
five or more perpetrators, the median loss was $633,000.
More occupational frauds
originated in the accounting department (16.6%) than in any other
business unit. Of the frauds we analyzed, more than three-fourths were
committed by individuals working in seven key departments: accounting,
operations, sales, executive/upper management, customer service,
purchasing, and finance.
In cases detected by tip
at organizations with formal fraud reporting mechanisms, telephone
hotlines were the most commonly used method (39.5%). However, tips
submitted via email (34.1%) and web-based or online form (23.5%)
combined to make reporting more common through the Internet than by
Verizon Data Breach Investigations Report
Humans Remain The Weakest Link
According to the report authors,
cybercriminals are continuing to exploit human nature as they rely on
familiar attack patterns such as phishing. However, 'Miscellaneous
errors' by end users of an organization took the top spot for security
incidents in this year's report.
“These can include improper disposal of company information,
misconfiguration of IT systems, and lost and stolen assets such as
laptops and smartphones,” Verizon said. The report found that 26% of
these errors involved people mistakenly sending sensitive
information to the wrong person. "You might say our findings boil down
to one common theme -- the human element," said Bryan Sartin, executive
director of global security services, Verizon Enterprise Solutions.
"Despite advances in information security research and cyber detection
solutions and tools, we continue to see many of the same errors we've
known about for more than a decade now".
Contrary to what some people think, it’s rarely system administrators or
developers with elevated privileges that fall victim. End users account
for a third of insider misuse. Attacks are typically motivated by money:
34% of breaches involving misuse were motivated by financial
gain—although a quarter (25%) can be linked with espionage, such as the
theft of intellectual property.
Only a small percentage (14%) are in
leadership roles (executive or other management), or in roles with
elevated access privilege jobs such as system administrators or
developers (14%). The moral of the story is to worry less about job
titles and more about the level of access that every Joe or Jane has
(and your ability to monitor them).
Corporations More Concerned With Disgruntled Employee Than Hackers
Fox News Video-2015
Defense Contract Management Agency - Malicious Or Accidental Insider
Threats Have Caused More Problems In DoD
According to the US Defense Contract Management Agency (DCMA)’s director
of operations, the Department of Defense has positioned itself quite
strongly against external cyber threats, but malicious or accidental
insider threats have caused more problems. This was largely because
people within agencies largely “do what they want” and see security as a
form of interference, he said. Additionally, some of the younger
employees have “skills to successfully work around security protocols.”
Verizon Data Breach Investigations Report
90 % Of All Cyber Security Incidents Involve People
Although many people think cybersecurity simply involves preventing
malicious outsiders from accessing corporate networks, the 2015 Verizon
Data Breach Investigations Report (DBIR) confirms that the “common
denominator across … nearly 90 percent of all cyber security incidents
is people…whether it’s goofing up, getting infected, behaving badly, or
losing stuff….”. Over the past 11 years, 96% of all security incidents
fell into 9 patterns. The top 4 patterns involve human error or misuse.
Experian Report: Insiders Still Top Breach Threat
Michael Bruemmer of Experian Data Breach Resolution states; "Whether
it's a true malicious insider, or just employee negligence, 80 percent
of the breaches we've worked so far in 2015 have been [caused by]
employees ... and I don't think that's going to change in the healthcare
field and other fields."
Ponemon Institute Reports Employee Negligence Leading Cause of Insider
Threats - Could Cost A Company Up To $1.5 Million - 2015
Employee negligence, which may be caused by multitasking and working
long hours, can result in insider threats and cost companies millions of
dollars each year. It can cost a U.S. company as much as $1.5 million
and Germany companies €1.6 million in time wasted responding to security
incidents caused by human error, according to a new survey of IT and IT
security practitioners in the U.S. and Germany. The survey, commissioned
by Raytheon / Websense and independently conducted by the information
security industry leader Ponemon Institute, also revealed that 70
percent of U.S. survey respondents and 64 percent of German respondents
report that more security incidents are caused by unintentional mistakes
than intentional and/or malicious acts.
Mandiant Cybersecurity Firm Reports 100% Of Most Recent Incidents
Involved Some Form OF Insider Threat
Insider Threats To Credit Unions Survey
surveyed financial institutions admit their biggest concern is
confidential information transferred to unauthorized recipients.
say they are worried about sensitive data being transferred by use
of removable media.
all credit unions surveyed said they do not believe or were unsure
if they had complete protection regarding internal data threats.
stated they already have security controls in place.
Insider Threats To Healthcare Report
102 U.S.-based healthcare IT decision makers surveyed said their
organizations are either "somewhat" or more vulnerable to insider
felt "very" or "extremely" vulnerable to insider threats.
healthcare organizations experienced a data breach or failed a
compliance audit in the past year.
healthcare IT decision makers said their organizations are planning
to increase spending to offset data threats.
FBI / Department of Homeland Security
recent (2014) FBI and Department of Homeland Security alert
that employees with an ax to grind are increasingly using Internet
cloud services and other computer tools to hack their current or
Companies victimized by current or former employees incur costs from
$5,000 to $3 million.
According to the FBI our nation’s secrets are in jeopardy,
the same secrets that make a company profitable. The
FBI estimates billions of U.S. dollars are lost to foreign
competitors every year. These foreign competitors deliberately
target economic intelligence in advanced technologies and
flourishing U.S. industries. External data breaches by cyber
criminals get a lot of attention, but
frequently insiders are recruited by foreign competitors to gather
and steal a
Spectorsoft Insider Threat Survey
- 2014, 2015
the 772 IT security professionals surveyed said they're concerned
about insider threats from negligent or malicious employees.
said they have no ability to prevent an insider breach.
said insider threat detection and prevention isn't a priority in
respondents said they don't know how much they currently spend on
solutions to mitigate insider threats.
said they don't know how much they plan to spend on such solutions
in the next 12 months.
respondents said they currently have an incident response plan in
place, but more than half of those respondents said that plan has no
special provisions for insider threats.
survey respondents said they didn't know what their losses might
amount to in the case of an insider breach.
SolarWinds Survey Investigates Insider Threats
to Federal Cybersecurity
More than half (53%) of federal IT Pros
identified careless and untrained insiders as the greatest source of
IT security threats at their agencies, up from 42 percent last year.
Nearly two-thirds (64%) believe malicious
insider threats to be as damaging as or more damaging than malicious
external threats, such as terrorist attacks or hacks by foreign
Further, 57 percent believe breaches caused by
accidental or careless insiders to be as damaging as or more
damaging than those caused by malicious insiders.
Nearly half of respondents said government
data is most at risk of breach from employees' or contractors'
desktops or laptops. Top causes of accidental insider breaches
include phishing attacks (49%), data copied to insecure devices
(44%), accidental deletion or modification of critical data (41%)
and use of prohibited personal devices (37%).
Vormetric Insider Threat Report
93% of U.S.
respondents said their organizations were somewhat or more
vulnerable to insider threats.
59% of U.S.
respondents believe privileged users pose the biggest threat to
Preventing a data
breach is the highest or second highest priority for IT security
spending for 54% of respondents’ organizations.
46% of U.S.
respondents believe cloud environments are at the greatest risk for
loss of sensitive data in their organization, yet 47% believe
databases have the greatest amount of sensitive data at risk.
44% of U.S.
respondents say their organization had experienced a data breach or
failed a compliance audit in the last year.
34% of U.S.
respondents say their organizations are protecting sensitive data
because of a breach at a partner or a competitor.
U.S. State Of Cyber Crime Survey
The incidents that
typically fly under the media radar are insider events.
28% of respondents pointed the finger at
which includes trusted parties such as current and former employees,
service providers, and contractors.
32% say insider
crimes are more costly or damaging than incidents perpetrated by
outsiders. The larger the business, the more likely it is to consider
insiders a threat; larger businesses also are more likely to
recognize that insider incidents can be more costly and damaging.
49% of all respondents have a plan for responding to insider
Occupational Fraud And Abuse Report By The Association Of Certified
Fraud Examiners (ACFE)
Companies lose 5
percent of revenue each year to fraud, which amounts to nearly
$3.7 trillion globally.
The report pegged
the median loss from fraud at $145,000. More than 1 in 5 of the
almost 1,500 cases analyzed in more than 100 countries had
employees walking away with at least $1 million.
Report On Personnel Security Clearances
Accountability Office (GAO)
the eligibility of individuals accessing classified information.
Access to classified
information was revoked in 2009-2013 for more than 18,500 military
and civilian employees and contractors working for the Department of
Defense (DoD), according to an audit. (16,000 Military-Civilian Employees
And For 2,500 contractors).
The report examined
the most common reasons for revoking clearances by the DoD for
fiscal year 2013. The top causes for civilian and military personnel
were criminal conduct, involvement with drugs and personal
conduct. Top reasons for contractors were financial considerations
and personal and criminal conduct.
The report also
examined revocations by the Department of Homeland Security (DHS),
although only for fiscal year 2013. About 125,000 DHS civilian and
military employees were eligible to access classified information as
of March 2014. DHS revoked eligibility for 113 personnel
during fiscal year 2013 the report said.
Training And Budget To Mitigate Insider Threats
A Worst Practices Guide To Insider Threats - Lessons From Past Mistakes
GAO Report: Insider Threats In The DoD - June 2015
DoD Insider Threat Mitigation Report - 2000
PERSEREC: Espionage By Americans From 1947-2007
PERSEREC: Espionage Case Summaries From 1975-2008
Insider Threat Risk Mitigation Requires Senior Management Support
Management must address the questions below if they are serious
about mitigating the Insider Threat and protecting an organization
your organization given serious consideration into what employees
are really doing with the organization’s most critical information?
your organization have visibility into its employees actions on your
information systems, databases and networks that store intellectual
property, proprietary information and sensitive information?
your company afford to loose its critical market share and let this
information get into the hands of your competitors?
the loss of this information cause your company bad publicity,
damage to your company's reputation and stock prices, cause your
company to face legal action, or put your company out of business?