Insider Threat Surveys, Reports, Incidents, Damages



How Damaging And Costly Can An Insider Threat Incident Be?

Not all incidents by Insiders are malicious. Non-Malicious Insider incidents can be just as damaging as malicious incidents. Listed on the links below are numerous Insider Threat incidents that have been very costly and damaging to organizations.

These incidents should provide a clear business case for the necessary C-Suite Buy-In and Security Investments ($$$) needed for Insider Threat Programs / Insider Threat Mitigation.

Employee Sabotages Company's Network Servers
When Mitchell learned he was going to be fired in June of 2012 from the oil and gas company EnerVest Operating, he “remotely accessed EnerVest’s computer systems and reset the company’s network servers to factory settings, essentially eliminating access to all the company’s data and applications for its eastern United States operations,” a Department of Justice spokesperson wrote in a release on his conviction. “Before his access to EnerVest’s offices could be terminated, Mitchell entered the office after business hours, disconnected critical pieces of…network equipment, and disabled the equipment’s cooling system.” As a result of his actions, the company permanently lost some of its data and spent hundreds of thousands of dollars repairing equipment and recovering historical data. It took a month to bring the company’s office back online, costing the company as much as $1 million in lost business.

Home Depot’s Former Security Architect Had History Of Techno-Sabotage



Insider Threat Incidents Listings

Could your organization recover from the severe impacts an Insider Threat incident could cause?

National Insider Threat Special Interest Group
Insider Threat Incident Listings - 1

National Insider Threat Special Interest Group On LinkedIn (Need To Request Access / Free)
Insider Threat Incident Listings - 2

Insider Threat Defense Group
Insider Threat Incident Listings - 3

Insider Threat Defense Group On Twitter
Insider Threat Incident Listings - 4

Insider Threat E-Magazine On Flipboard
Insider Threat Incident Listings - 5

Department Of Justice Insider Threat Incident Listings

FBI Counterintelligence / Espionage / Insider Threat Incidents

Department Of Defense Counterintelligence / Espionage / Insider Threat Incidents

Defense Security Service - Insider Threat Case Studies

These case studies for Counterintelligence, Information Security and Insider Threat, provide an overview of the perpetrator, indicators, what happened and the impacts. (Link)



NITSIG Workplace Violence E-Magazine

Read through this on-line resource to on Workplace Violence Incidents that have affected government and businesses. (Link)


Workplace Violence - The Type Of Insider Threat Requiring Much Great Attention

  • Unfortunately very disgruntled employees "Insiders" have resorted to workplace violence, in some cases resulting in the deaths of innocent coworkers. A company that ignores the warnings signs could face legal action.

  • According to the Occupational Safety and Health Administration (OSHA), approximately 2 million employees are victims of workplace violence each year. 18% of violent crimes are committed at the workplace, and roughly 800 workplace homicides occur each year. Between January 2009 and July 2015, there were 133 mass shootings in the workplace and shootings account for 78 % of all workplace homicides. Violence in the workplace must be a top concern for employers, as no organization is immune from workplace violence and no organization can completely prevent it. (Source)

  • A robust and effective Insider Threat Program will train Security Professionals, Supervisors, Managers and Employees to identify "Behavioral Indicators" that are warning signs for workplace violence, including employees who do not accept criticism and express anger and blame others for their own poor performance; unexplained increase in absenteeism; increased and severe mood swings and noticeably unstable or emotional responses; frequent loss of temper; personality conflicts with co-workers; increasing dialog about problems at home, including marital, family or financial struggles; increase in unsolicited comments about violence, firearms and violent crimes; increased use of alcohol or illegal drugs; exhibiting signs of depression and withdrawal; and experiencing a traumatic event.

Insider Threat Reports / Surveys


Global Study Reveals Majority Of Visual Hacking Attempts Are Successful

Organizations around the world are at risk of sharing highly sensitive information through visual hacking in business office environments.

This risk was revealed in the 2016 Global Visual Hacking Experiment, an expansion of the 2015 Visual Hacking Experiment conducted in the United States by Ponemon Institute and sponsored by 3M Company.

The global study included trials in China, France, Germany, India, Japan, South Korea and the United Kingdom. The combined results found that sensitive information was successfully captured in 91% of visual hacking attempts globally. (Experiment Results)

The experiments involved 157 trials with 46 participating companies across the eight countries. They exposed low-tech hacking methods as a significant risk to corporations around the world. The findings revealed that organizations need to create awareness among employees on protecting data displayed on device screens, as 52% of the sensitive information captured during the experiments came from employee computer screens.

In the experiments, a "White Hat Visual Hacker" (WHVH) assumed the role of temporary office worker and was assigned a valid security badge worn in visible sight. The WHVH attempted to visually hack sensitive or confidential information using three methods:

  • Walking through the office scouting for information in full view on desks.

  • Observing computer monitor screens and other indiscrete locations like printers and copy machines.

  • Taking a stack of business documents labeled as confidential off a desk and placing it into a briefcase

  • Using a smartphone to take a picture of confidential information displayed on a computer screen.

All of the methods above were completed in front of other office workers at each participating company. In 68 % of the hacking attempts, office personnel did not question or report the visual hacker even after witnessing unusual or suspicious behavior. (Source)




DoD PERSEREC Report - A Strategic Plan To Leverage The Social & Behavioral Sciences To Counter the Insider Threat - 2018

In 2016, the Office of the Under Secretary of Defense for Intelligence partnered with the Defense Personnel and Security Research Center (PERSEREC) to design a comprehensive research plan and strategy to integrate the social and behavioral sciences (SBS) into the DoD counter-insider threat mission space.

PERSEREC completed 59 interviews with 66 SMEs who represented 45 organizations: 10 private sector companies, nine Defense Agencies, nine non-DoD federal agencies, seven federally funded research and development centers (FFRDC) and university affiliated research centers (UARC), four military Services, four DoD Field Activities, one Defense Joint Activity, and one Combatant Command. (Source)




Aviation Insider Threat Team Report - 2018




Dtex 2018 Insider Threat Intelligence Report - 2018
What Malicious / Negligent Behaviors Are Your Employees Displaying?

The report data was drawn from the User Threat Assessments conducted on Dtex customers and prospective customers around the world. These organizations spanned a wide variety of countries and industries, and ranged in size from midsize businesses to large multinational corporations

The goal of the report was to highlight key trends in both malicious and negligent behaviors by employees, contractors, and partners that use corporate systems.

The report found that "Negligent" or "Poorly Trained" employees are by far the most common risk to sensitive data, confirming that employees are not taking responsibility for organizational security, even if they don’t realize that they’re doing anything wrong.

Key Findings

Threat Actors

  • 72% of assessments found unauthorized use of high-risk applications, including hacking tools.

  • 78% of assessments found company data publicly accessible online, in a 14% increase from last year.

  • 60% of assessments found users actively attempting to bypass security measures through private or anonymous browsers and research.

  • 90% of assessments found company data being transferred to unencrypted USB devices, in a 5% decrease from last year.


Verizon Protected Health Information Data Breach Report - 2018

The 1,368 incidents that underpin this report are a subset of the data behind the annual Verizon Data Breach Investigations Report.

Healthcare is the only industry in which internal actors (Insiders) are the biggest threat to an organization. Medical device hacking may create media hype but the assets most often affected in breaches are databases and paper documents.

Basic security measures are still not being implemented. Lost and stolen laptops with unencrypted PHI continue to be the cause of breach notifications.

Incidents In This Report Met One Or More Of The Following Requirements:

Threat Actors

  • The industry was healthcare

  • The data type disclosed or at risk was medical records

  • The data subject victim relationship was patient

Threat Actors

  • 57.5% of incidents involved Insiders

  • 42.0% of incidents involved external in nature

  • 5.9% of the incidents involved partners of the business / organization

  • 5.1% of the incidents involved collusion


Ponemon Institute Study - The True Cost of Insider Threats Revealed - 2018
This global study reports on what companies have spent to deal with a data breach caused by a careless or negligent employee or contractor, criminal or malicious insider or a credential thief. While the negligent insider is the root cause of most breaches, the bad actor who steals employees’ credentials is responsible for the most costly incidents.

The first study on the cost of insider threats was conducted in 2016 and focused exclusively on companies in the United States. In this year’s benchmark study, 717 IT and IT security practitioners in 159 organizations in North America (United States and Canada), Europe, Middle East and Africa, and Asia-Pacific were interviewed.

According to the research, if the incident involved a negligent employee or contractor, companies spent an average of $283,281. The average cost more than doubles if the incident involved an imposter or thief who steals credentials ($648,845). Hackers cost the organizations represented in this research an average of $607,745 per incident.

Ponemon Institute concludes that companies need to intensify their efforts to minimize the insider risk because of rising costs and frequency of incidents. Since 2016 the average number of incidents involving employee or contractor negligence has increased from 10.5 to 13.4. The average number of credential theft incidents has tripled over the past two years, from 1.0 to 2.9. In addition, these incidents are not resolved quickly. Our analysis revealed that it took the companies in our study more than two months on average to contain an insider incident. Only 16 percent of incidents were contained in less than 30 days.





Association Of Computer Fraud Examiners Fraud Report - 2018

This report is a study of 2,690 cases of occupational fraud investigated by Certified Fraud Examiners (CFEs) between January 2016 and October 2017.


58% of cases were referred to law enforcement. Over the past decade, fewer and fewer fraud cases were referred to law enforcement.

When looking at why organizations do not refer fraud to law enforcement, the top reasons cited were:
A fear of bad publicity (38%)
Internal discipline considered sufficient (33%)
Concern it would be too costly (24%).

Other findings include that the typical employee fraud case causes a loss of $130,000 and lasts 16 months. Losses caused by male fraudsters were 75% larger than losses caused by female fraudsters, and internal control weaknesses facilitated nearly half of the frauds.





Insider Threat Survey - 2018
This research is based on the results of a comprehensive online survey of 472 cybersecurity professionals to gain deep insight into the insider threat faced by organizations and the solutions to detect, remediate, and prevent it. The respondents range from technical executives to managers and IT security practitioners, representing organizations of varying sizes across all industries.

90% of organizations feel vulnerable to insider attacks. The main enabling risk factors include too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the increasing complexity of information technology (35%).

A 53% majority have confirmed insider attacks against their organization in the previous 12 months (typically less than five attacks). 27% of organizations say insider attacks have become more frequent.

Organizations are shifting their focus on detection of insider threats (64%), followed by deterrence methods (58%), and analysis and post breach forensics (49%). The use of user behavior monitoring is accelerating; 94% of organizations deploy some method of monitoring users and 93% monitor access to sensitive data.

The most popular technologies to deter insider threats are Data Loss Prevention (DLP), encryption, and identity and access management solutions. To better detect active insider threats, companies deploy Intrusion Detection Prevention Solutions (IDPS), log management and SIEM platforms.

The vast majority (86%) of organizations already have or are building an Insider Threat Program. 36% have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.





Harvey Nash / KPMG Global Survey Of 4500 CIOs - Tech Leaders - Insider Threat Fastest Growing Threat - 2017
External Hackers are not the only threat your business or organization may be facing. One of your biggest risks comes from your own employees. This survey finds that the insider threat problem is the fastest-growing one of all. Source




Hiscxo Embezzlement Study - 2017
To find out who’s stealing from small businesses, Hiscox examined publicly available data on U.S. federal court activity related to employee fraud. Perhaps surprisingly, it turns out that women embezzle more frequently than men do (though only by a small percentage). The median age of this kind of criminal is 48 years old, and they most likely work in a finance or accounting role.


Another surprising fact is that instances of embezzlement at companies of all sizes may last longer than you might think: Statistics showed that more than a quarter of embezzlement's take place for longer than five years.

While all companies face the risk of embezzlement, those that are smaller in size report the crime’s occurrence more frequently. Small businesses cope with unique struggles. For instance, a small company is more likely to hire one person to handle its money-based operations like accounting or payroll because it really doesn’t need several people for this position. However, if this one person decides to embezzle from the company, it’s much easier for him or her to hide it. To fly under the security that many companies have in place to prevent financial loss, many embezzlers engage in long-running schemes.


Employee theft schemes often go on for five years or more with the longest one reported spanning 41 years. Embezzlers get away with long-running financial schemes like these by stealing small amounts, making it tough for companies to spot them. Small losses add up, however. The average loss for long-running scams that lasted for five years or longer came to $2.2 million. In schemes that lasted 10 years or more, the average amount lost to embezzlers was $5.4 million. While financial theft happens more often in small companies, large businesses suffer higher median losses.  Source




Government Accountability Office Report: 24 Agencies Still Struggle With IT Security Weaknesses - 2017

Two dozen federal agencies continue to experience security weaknesses in five critical areas, which puts government systems and data at risk, according to a new watchdog agency report.

The Government Accountability Office says in its report new report titled Weaknesses Continue To Indicate Need for Effective Implementation of Policies and Practices, that during fiscal 2016, the agencies continued to experience weaknesses in protecting their information and information systems due to ineffective implementation of information security policies and practices.

Most of the agencies that the GAO reviewed had weaknesses in five control areas, including access controls, configuration management controls, segregation of duties, contingency planning and agency wide security management, the report notes.
The problems have been recurring issues for many of the agencies, the report adds.

Yet evaluations by the GAO and agency inspectors determined that most agencies
did not have effective Information Security Programs, the report notes.

The watchdog agency adds that it did not make any new recommendations to address the issues because GAO and agency inspector generals "have made hundreds of recommendations to address these security control deficiencies, but many have not yet been fully implemented."

Until agencies correct longstanding control deficiencies and address the previous recommendations, "federal IT systems will remain at increased and unnecessary risk of attack or compromise. We continue to monitor the agencies' progress on those recommendations."

A robust and effective Insider Threat Program, requires that organizations have an effective Security / Information / Information Systems Security Program.

  • Weak Governance And Security = Exploitable Weaknesses By Insiders

  • It Starts At The Top Of An Organization: Lack Of Understanding Insider Threat Risks At Corporate Level

  • Poor Communication Between Critical Business Departments (HR, IT, Security) And Supervisors Regarding Employee Trustworthiness / Threat

  • Poor Facility Security Controls (Facility Access, Facilities Bag Checks (In & Out), No BYOD Policy / Electronic Device Policy)

  • Poor Goverance (Lack Of Security Policies, Procedures. No Sancitions For Security Policy Violations)

  • Poor Organizational Security Culture (Weak Or Absent Security Briefings For New Hires, Contractors)

  • Poor Personnel Management Practices (Pre-Employment Screening, Position Re-Assignment, Employee Continuous Monitoring For Trustworthiness, Seperation-Termination Procedures, Etc.)

  • Lack Of Identifying-Protecting Crown Jewels / Intellectual Property

  • Lack Of Secure Configurations For Information Systems (Workstations / Servers)

  • Lack Of Secure Configurations For Software Applications

  • Lack Of IT Configuration Management

  • Lack Of User Activity Monitoring For IT Networks

  • Lack Of Cyber Threat - Insider Threat Awareness Training For Employees

  • Lack Of Insider Threat Risk Mitigation Training For IT-Network Security Professionals

  • Poor Practices Related To The Acquisition Of Hardware, Software (Are Security Risks Addressed?)

  • Poor Practices Related The Use Of Outside IT Contracting Services And Other Contracting Services (When Outsiders Become Insiders)


Measurable Damage From Data Breaches - Cisco Report - 2017

A business should pay close attention to a 2017 report that was released from Cicso concerning damages from data breaches. The report provides insights based on threat intelligence gathered by Cisco's security experts, combined with input from nearly 3,000 Chief Security Officers (CSOs) and other security operations leaders from businesses in 13 countries.

According to the Cisco report, organizations that suffered a breach, the effect was substantial: 22% of breached organizations lost customers, 40% of them lost more than a fifth of their customer base, 29% lost revenue, with 38% of that group losing more than a fifth of their revenue, and 23% of breached organizations lost business opportunities, with 42% of them losing more than a fifth of such opportunities.





DoD PERSEREC Report - The Expanding Spectrum Of Espionage By Americans 1947 - 2015

This report is the fourth in the series on espionage by Americans that the Defense Personnel and Security Research Center (PERSEREC) began publishing in 1992. The current report updates the scope of earlier work by including recent cases, and it extends the scope by exploring related types of espionage in addition to the classic type.

There Are 3 Parts Of The Report
Part 1
- Presents findings on characteristics of Americans who committed espionage-related offenses since 1947. The findings are based on analyses of data collected from open sources.

Part 2 - Explores the five types of espionage committed by the 209 individuals in this study: classic espionage, leaks, acting as an agent of a foreign government, violations of export control laws, and economic espionage. Each type is described by its legal bases; examples of cases and comparisons with the other types of espionage are provided.

Part 3 - Considers the impact of the context in which espionage takes place, and discusses two important developments: (1) information and communications technologies (ICT), and (2) globalization.



Defending Against the Wrong Enemy: SANS Insider Threat Survey - 2017

Organizations Recognize The Importance Of Insider Threat.
Survey results are very promising in that they indicate organizations recognize insider threat as the most potentially damaging component of their threat environments. Interestingly, there is little indication that most organizations have realigned budgets and staff to coincide with that recognition.

Losses Due To Insider Threat Are Largely Unknown
Relatively few respondents were able to quantify either real or potential losses due to insider threat. Organizations often do not spend money in a critical area if they cannot quantify the losses. This could explain why insider threat is a concern but not a primary focus.

Incident Response Is Not Focused Primarily On The Insider
Despite recognition of insiders as a common and vulnerable point of attack, fewer than 20% of respondents reported having a formal incident response plan that deals with insider threat. The primary focus of incident response is to recover from an adverse event. Incident response plans that are focused on external threats might explain why many organizations struggle to respond to incidents involving insiders.

Detection Of Insider Threat Is Still Not Effective.
More than 60% of the respondents claimed they have never experienced an insider threat attack. This result is very misleading. It is important to note that 38% of the respondents said they do not have effective ways to detect insider attacks, meaning the real problem may be that organizations are not properly detecting insider threats, not that they are not happening.

Organizations Must Deal With Both Malicious And Accidental Insider Threats
When most people hear the term insider threat, they typically think of the malicious insider, who is purposely causing harm to an organization. Although this type of insider will always be a concern, the bigger threat to most organizations is the accidental insider—a legitimate user whose login has been stolen or who has been manipulated into giving an attacker access through other means. It is possible that respondents did not consider those compromised insiders as being part of what is considered an insider threat. Respondents to the survey most frequently cited malicious employees (43%) as their biggest concern. It is promising, however, that the accidental or negligent insider is a very close second (at 39%), which means organizations are focusing more resources in the correct area. Source


GAO Report On Insider Threat From Federal Workers - February 14, 2017
The GAO released a report about the the Cyber Insider Threat titled; CYBERSECURITY - Actions Needed To Strengthen U.S. Capabilities

The report points a finger at "Insider Threats" from federal workers on the government's vast cyber and computer system, joining "foreign nations" as a danger to sensitive and classified information and even personal info.

The GAO also declared frustration with the Obama administration in its new report, over its failure to implement 1,000 security fixes needed to close the door to hackers, inside and out. In testimony to Rep. Barbara Comstock's subcommittee in February 2017, Gregory Wilshusen, director of information security issues for GAO, hit the government for failing to act on 1,000 of 2,500 cybersecurity recommendations it has made.

The GAO report, requested by Rep. Barbara Comstock, the northern Virginia Republican who represents thousands of federal workers, is blunt in its assessment of the threats to cybersecurity.

"Federal systems and networks are also often interconnected with other internal and external systems and networks including the Internet, thereby increasing the number of avenues of attack and expanding their attack surface," said the report.

"Risks to cyber assets can originate from unintentional and intentional threats. These include insider threats from disaffected or careless employees and business partners, escalating and emerging threats from around the globe, the steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks," it added, pointing a finger to federal insiders.





Increasing Concern About Insider Threats At US Airports - House Homeland Security Committee Report - February 6, 2017

The House Homeland Security Committee Majority Staff has issued a report entitled ‘America’s Airports: The Threat From Within’ that examines employee screening at the approximately 450 airports in the U.S. under federal control and found that “much more needs to be done to improve the state of access controls and mitigate the insider threat facing America’s aviation sector.”

According to the 21-page report: Approximately 900,000 people work at these airports, and many are able to bypass traditional screening requirements that travelers visiting the airports must endure. While the overwhelming majority of these airport workers take the inherent responsibility seriously, there are increasing concerns that insider threats to aviation security are on the rise.

The report – the result of an investigation conducted by Transportation and Protective Security Subcommittee – continued: The Subcommittee has worked closely with the Transportation Security Administration (TSA) and the aviation stakeholder community to examine how we can work together to improve access controls and employee screening at our nation’s airports.

“The recommendations outlined in this report, along with the requirements of the Aviation Employee Screening and Security Enhancement Act of 2017, which I introduced today, will serve as a roadmap for TSA, airports, and air carriers to close security vulnerabilities at our nation’s airports,” Subcommittee Chairman John Katko (R-NY) stated in a press release about the report.

The Subcommittee “found that a majority of airports do not have full employee screening at secure access points” and that these airports “are unable to demonstrate the security effectiveness of their existing employee screening efforts, which consist largely of randomized screening by TSA officers or airport law enforcement personnel,” according to the press release.

The report made nine recommendations that include examining the costs and feasibility of expanded employee screening, educating aviation workers on their role in mitigating insider threats, targeting the use of employee screening to be more strategic, and implementing the Federal Bureau of Investigation’s (FBI) RapBack Service for all credentialed aviation worker populations.

Recent examples of insider threats discussed in the report include an attempt to detonate a bomb at an airport, gun and drug smuggling, and employees who became involved in terrorist activities overseas. The complete “America’s Airports: The Threat From Within” report is available online.




Healthcare Data Breaches Report - January 19, 2017


  • Data breaches in the U.S. healthcare field cost $6.2 Billion dollars each year.

  • The average cost of a single data breach across all industries is $4 Million dollars, according to a 2016 study from IBM and Ponemon Institute.

  • Approximately 90% of hospitals have reported a breach in the past two years, and most breaches are due to employee error.

  • The average HIPAA settlement fine is approximately $1.1 Million dollars.

  • Data Breach notification costs $560,000 on average.

  • Costs affiliated with lawsuits average $880,000.00.

  • Post data breach cleanup costs average $440,000.00

  • Healthcare organizations average $500,000.00 in lost brand value after a data breach, with some estimates reaching $50 Million dollars as an average amount in lost brand value.

  • Source


Kroll Annual Global Fraud And Risk Report - 2016 / 2017


  • Data 82% of executives surveyed worldwide experienced a fraud incident in the past year compared to 75% in 2015.

  • 85% of executives reported at least one cyber incident and over two-thirds reported security incidents.

  • Fraud, cyber, and security incidents are now the “new normal” for companies across the world, according to the executives surveyed for the report, highlighting the escalating threat to corporate reputation and regulatory compliance.

  • Despite widespread concerns about external attacks, the findings reveal that the most common perpetrators of fraud, cyber, and security incidents over the past 12 months were current and former employees.

  • Six out of ten respondents (60%) who worked for companies that suffered from fraud identified a combination of perpetrators that included current employees, former employees, and third parties. Almost half (49%) said incidents involved all three groups. Junior staff were cited as key perpetrators in two-fifths (39%) of fraud cases, followed by senior or middle management (30%) and freelance or temporary employees (27%). Former employees were also identified as responsible for 27% of incidents reported.

  • Overall, 44% of respondents reported that Insiders were the primary perpetrators of a cyber incident, with former employees the most frequent source of risk (20%), compared to 14% citing freelance or temporary employees and 10% citing permanent employees.

  • Adding agents or intermediaries to this “Insider” group as quasi-employees increases the proportion of executives indicating Insiders as the primary perpetrators to a majority, 57%.

  • Over half of respondents (56%) said Insiders were the key perpetrators of security incidents, with former employees again the most common of these (23%).

  • Source



KPMG Report - Global Profiles Of The Fraudster - 2016

In a recent research report by KPMG, Global Profiles of the Fraudster, fraud is a global issue. It harms corporate reputations, costs millions and ruins lives. It's a heavy economic and moral burden on society. This report analyzed profiles of 750 cyber-crooks investigated by forensic specialists across 81 countries, and produced what it calls the "New Face Of Fraud"'

Some Of The Interesting Facts From This Report

  • 69% Were Between The Ages of 36 and 55

  • 65% Were Employed By The Company That Was Hacked

  • 35% Were Executives Or Directors

  • 38% Had Been With The Company For At Least Six Years

  • 38% Described Themselves As Well-Respected In Their Company

  • 62% Colluded With Others In Their Crimes

How Is Insider Fraud Accomplished And Why?

  • Creation Of False Or Misleading Information In Accounting Records : 24%

  • False Or Misleading Information Via Email Or Another Messaging Platform: 20%

  • Abuse Permissible Access To Computer Systems: 13%

  • The report highlights technology as one of the key elements involved in white-collar crimes across the globe.

  • While personal gain was the predominant overriding motivation for committing fraud (60%), the sense of “Because I Can” was third at 27%, according to the report.

  • Source



Association Of Computer Fraud Examiners Fraud Report - 2016


  • The total loss caused by the cases in our study exceeded $6.3 billion, with an average loss per case of $2.7 million.

  • Fraud perpetrators tended to display behavioral warning signs when they were engaged in their crimes. The most common red flags were living beyond means, financial difficulties, unusually close association with a vendor or customer, excessive control issues, a general “wheeler-dealer” attitude involving unscrupulous behavior, and recent divorce or family problems. At least one of these red flags was exhibited during the fraud in 78.9% of cases.

  • The most prominent organizational weakness that contributed to the frauds in our study was a lack of internal controls, which was cited in 29.3% of cases, followed by an override of existing internal controls, which contributed to just over 20% of cases.

  • The more individuals involved in an occupational fraud scheme, the higher losses tended to be. The median loss caused by a single perpetrator was $85,000. When two people conspired, the median loss was $150,000; three conspirators caused $220,000 in losses; four caused $294,000; and for schemes with five or more perpetrators, the median loss was $633,000.

  • More occupational frauds originated in the accounting department (16.6%) than in any other business unit. Of the frauds we analyzed, more than three-fourths were committed by individuals working in seven key departments: accounting, operations, sales, executive/upper management, customer service, purchasing, and finance.

  • In cases detected by tip at organizations with formal fraud reporting mechanisms, telephone hotlines were the most commonly used method (39.5%). However, tips submitted via email (34.1%) and web-based or online form (23.5%) combined to make reporting more common through the Internet than by telephone.

  • Summary  Full Report


Verizon Data Breach Investigations Report - 2016

Humans Remain The Weakest Link


  • According to the report authors, cybercriminals are continuing to exploit human nature as they rely on familiar attack patterns such as phishing. However, 'Miscellaneous errors' by end users of an organization took the top spot for security  incidents in this year's report.

  • “These can include improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets such as laptops and smartphones,” Verizon said. The report found that 26% of these errors involved people  mistakenly sending sensitive information to the wrong person. "You might say our findings boil down to one common theme -- the human element," said Bryan Sartin, executive director of global security services, Verizon Enterprise Solutions. "Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we've known about for more than a decade now".

  • Contrary to what some people think, it’s rarely system administrators or developers with elevated privileges that fall victim. End users account for a third of insider misuse. Attacks are typically motivated by money: 34% of breaches involving misuse were motivated by financial gain—although a quarter (25%) can be linked with espionage, such as the theft of intellectual property.

  • Only a small percentage (14%) are in leadership roles (executive or other management), or in roles with elevated access privilege jobs such as system administrators or developers (14%). The moral of the story is to worry less about job titles and more about the level of access that every Joe or Jane has (and your ability to monitor them). 

  • Source



Corporations More Concerned With Disgruntled Employee Than Hackers

Fox News Video-2015




US Defense Contract Management Agency - Malicious Or Accidental Insider Threats Have Caused More Problems In DoD - 2015
According to the US Defense Contract Management Agency (DCMA)’s director of operations, the Department of Defense has positioned itself quite strongly against external cyber threats, but malicious or accidental insider threats have caused more problems. This was largely because people within agencies largely “do what they want” and see security as a form of interference, he said. Additionally, some of the younger employees have “skills to successfully work around security protocols.” (Source)



Verizon Data Breach Investigations Report  - 2015

90 % Of All Cyber Security Incidents Involve People
Although many people think cybersecurity simply involves preventing malicious outsiders from accessing corporate networks, the 2015 Verizon Data Breach Investigations Report (DBIR) confirms that the “common denominator across … nearly 90 percent of all cyber security incidents is people…whether it’s goofing up, getting infected, behaving badly, or losing stuff….”. Over the past 11 years, 96% of all security incidents fell into 9 patterns. The top 4 patterns involve human error or misuse. (Source)



Experian Report: Insiders Still Top Breach Threat - 2015
Michael Bruemmer of Experian Data Breach Resolution states; "Whether it's a true malicious insider, or just employee negligence, 80 percent of the breaches we've worked so far in 2015 have been [caused by] employees ... and I don't think that's going to change in the healthcare field and other fields."  (Source)



Ponemon Institute Reports Employee Negligence Leading Cause of Insider Threats - Could Cost A Company Up To $1.5 Million - 2015
Employee negligence, which may be caused by multitasking and working long hours, can result in insider threats and cost companies millions of dollars each year. It can cost a U.S. company as much as $1.5 million and Germany companies €1.6 million in time wasted responding to security incidents caused by human error, according to a new survey of IT and IT security practitioners in the U.S. and Germany. The survey, commissioned by Raytheon / Websense and independently conducted by the information security industry leader Ponemon Institute, also revealed that 70 percent of U.S. survey respondents and 64 percent of German respondents report that more security incidents are caused by unintentional mistakes than intentional and/or malicious acts. (Source)




Mandiant Cybersecurity Firm Reports 100% Of Most Recent Incidents Involved Some Form OF Insider Threat - 2015 (Source)




Insider Threats To Credit Unions Survey - 2015

  • 83% of surveyed financial institutions admit their biggest concern is confidential information transferred to unauthorized recipients.

  • 52% say they are worried about sensitive data being transferred by use of removable media.

  • 77% of all credit unions surveyed said they do not believe or were unsure if they had complete protection regarding internal data threats.

  • 62% stated they already have security controls in place.

  • Source



Vormetic Insider Threats To Healthcare Report - 2015

  • 92% of 102 U.S.-based healthcare IT decision makers surveyed said their organizations are either "somewhat" or more vulnerable to insider threats.

  • 49% felt "very" or "extremely" vulnerable to insider threats.

  • 48% of healthcare organizations experienced a data breach or failed a compliance audit in the past year.

  • 63% of healthcare IT decision makers said their organizations are planning to increase spending to offset data threats.

  • Source


FBI / Department of Homeland Security Alert - 2014


  • A recent (2014) FBI and Department of Homeland Security alert reported that employees with an ax to grind are increasingly using Internet cloud services and other computer tools to hack their current or former companies.

  • Companies victimized by current or former employees incur costs from $5,000 to $3 million.

  • According to the FBI our nation’s secrets are in jeopardy, the same secrets that make a company profitable. The FBI estimates billions of U.S. dollars are lost to foreign competitors every year. These foreign competitors deliberately target economic intelligence in advanced technologies and flourishing U.S. industries. External data breaches by cyber criminals get a lot of attention, but frequently insiders are recruited by foreign competitors to gather and steal a company’s data.



SANS / Spectorsoft Insider Threat Survey - 2014, 2015

  • 74% of the 772 IT security professionals surveyed said they're concerned about insider threats from negligent or malicious employees.

  • 32% said they have no ability to prevent an insider breach.

  • 28% said insider threat detection and prevention isn't a priority in their organizations.

  • 44% of respondents said they don't know how much they currently spend on solutions to mitigate insider threats.

  • 45% said they don't know how much they plan to spend on such solutions in the next 12 months.

  • 69%of respondents said they currently have an incident response plan in place, but more than half of those respondents said that plan has no special provisions for insider threats.

  • 52% of survey respondents said they didn't know what their losses might amount to in the case of an insider breach.

  • Source



SolarWinds Survey Investigates Insider Threats to Federal Cybersecurity - 2015


  • More than half (53%) of federal IT Pros identified careless and untrained insiders as the greatest source of IT security threats at their agencies, up from 42 percent last year.

  • Nearly two-thirds (64%) believe malicious insider threats to be as damaging as or more damaging than malicious external threats, such as terrorist attacks or hacks by foreign governments.

  • Further, 57 percent believe breaches caused by accidental or careless insiders to be as damaging as or more damaging than those caused by malicious insiders.

  • Nearly half of respondents said government data is most at risk of breach from employees' or contractors' desktops or laptops. Top causes of accidental insider breaches include phishing attacks (49%), data copied to insecure devices (44%), accidental deletion or modification of critical data (41%) and use of prohibited personal devices (37%).

  • (Source)



Vormetric Insider Threat Report - 2015


  • 93% of U.S. respondents said their organizations were somewhat or more vulnerable to insider threats.

  • 59% of U.S. respondents believe privileged users pose the biggest threat to their organization.

  • Preventing a data breach is the highest or second highest priority for IT security spending for 54% of respondents’ organizations.

  • 46% of U.S. respondents believe cloud environments are at the greatest risk for loss of sensitive data in their organization, yet 47% believe databases have the greatest amount of sensitive data at risk.

  • 44% of U.S. respondents say their organization had experienced a data breach or failed a compliance audit in the last year.

  • 34% of U.S. respondents say their organizations are protecting sensitive data because of a breach at a partner or a competitor.

  • (Source) (Video)



U.S. State Of Cyber Crime Survey - 2014


  • The incidents that typically fly under the media radar are insider events.

  • 28% of respondents pointed the finger at insiders, which includes trusted parties such as current and former employees, service providers, and contractors.

  • 32% say insider crimes are more costly or damaging than incidents perpetrated by outsiders. The larger the business, the more likely it is to consider insiders a threat; larger businesses also are more likely to recognize that insider incidents can be more costly and damaging.

  • Only 49% of all respondents have a plan for responding to insider threats.

  • Source



Occupational Fraud And Abuse Report By The Association Of Certified Fraud Examiners (ACFE) - 2014


  • Companies lose 5 percent of revenue each year to fraud, which amounts to nearly $3.7 trillion globally.

  • The report pegged the median loss from fraud at $145,000. More than 1 in 5 of the almost 1,500 cases analyzed in more than 100 countries had employees walking away with at least $1 million.

  • Source



GAO Report On Personnel Security Clearances - 2014


  • A Government Accountability Office (GAO) report reviewed the eligibility of individuals accessing classified information.

  • Access to classified information was revoked in 2009-2013 for more than 18,500 military and civilian employees and contractors working for the Department of Defense (DoD), according to an audit. (16,000 Military-Civilian Employees And For 2,500 contractors).

  • The report examined the most common reasons for revoking clearances by the DoD for fiscal year 2013. The top causes for civilian and military personnel were criminal  conduct, involvement with drugs and personal conduct. Top reasons for contractors were financial considerations and personal and criminal conduct.

  • The report also examined revocations by the Department of Homeland Security (DHS), although only for fiscal year 2013. About 125,000 DHS civilian and military employees were eligible to access classified information as of March 2014. DHS revoked eligibility for 113 personnel during fiscal year 2013 the report said.



Organizations Lack Training And Budget To Mitigate Insider Threats - 2014


  • A Insider Threat Survey conducted by Spectorsoft of 355 IT and security professionals revealed the following;

    • 61% stated they didn’t have the ability to deter an insider threat.

    • 59% stated they couldn’t detect an insider threat.

    • 60% of stated that they weren't prepared to respond to insider attacks.

    • 35% stated that they had already experienced an insider attack, with 41% of those attacks involving financial fraud, 49% of them involving a data leak, 16% involving intellectual property theft.


Other Insider Threat Reports

DoD Top Management Challenges Report For 2018 (Insider Threat Pages 31-38)

GAO Report: Insider Threats In The DoD - 2015

Insider Threat Study By NATO - 2014

DoD Insider Threat Mitigation Report - 2000

PERSEREC: Espionage By Americans From 1947-2007

PERSEREC: Espionage Case Summaries From 1975-2008




Insider Threat Risk Mitigation Requires Senior Management Support

  • Senior Management must address the questions below if they are serious about mitigating the Insider Threat and protecting an organization assets.

  • Has your organization given serious consideration into what employees are really doing with the organization’s most critical information?

  • Does your organization have visibility into its employees actions on your information systems, databases and networks that store intellectual property, proprietary information and sensitive information?

  • Can your company afford to loose its critical market share and let this information get into the hands of your competitors?

  • Could the loss of this information cause your company bad publicity, damage to your company's reputation and stock prices, cause your company to face legal action, or put your company out of business?



Copyright © 2014 - National Insider Threat Special Interest Group ™ - All Rights Reserved - Legal Notice