INSIDER THREAT REPORT
INTRODUCTION
Today’s most damaging security threats often originate not from malicious
outsiders or malware but from trusted insiders with access to sensitive data and
systems, both malicious insiders and negligent insiders.
The 2019 Insider Threat Report reveals the latest trends and challenges facing
organizations, how IT and security professionals are dealing with risky insiders,
and how organizations are preparing to better protect their critical data and IT
infrastructure.
This 2019 Insider Threat Report has been produced by Cybersecurity Insiders,
the 400,000-member community for information security professionals, to
explore how organizations are responding to the evolving security threats in
the cloud.
We hope you’ll find this report informative and helpful as you continue your
efforts in protecting your IT environments against insider threats.
Thank you,
Holger Schulze
CEO and Founder
Cybersecurity Insiders
2019 INSIDER THREAT REPORT All Rights Reserved. Copyright 2019 Cybersecurity Insiders.
THE RISE OF INSIDER ATTACKS
Seventy-three percent of organizations observed that insider attacks have become more frequent over
the last 12 months. Thirty-nine percent experienced up to 5 attacks, and 21% experienced more than 6
attacks during the previous 12 months.
Do you think insider attacks have generally become more frequent over the last 12 months?
Yes 73% | No 27%
How many insider attacks did your organization experience in the last 12 months?
INSIDER VULNERABILITY
We asked cybersecurity professionals to assess their organization’s vulnerability to insider threats.
An overwhelming 68% of organizations feel moderately to extremely vulnerable. Only 7% say they
are not at all vulnerable to an insider attack. Insider threats present another layer of complexity
for IT professionals to manage, requiring careful planning with regard to access controls, user
permissions, and monitoring user actions.
68% feel extremely to moderately vulnerable to insider attacks
Extremely vulnerable 4% | Very vulnerable 15% | Slightly vulnerable 25% | Not at all vulnerable 7%
Does your organization have the appropriate controls to prevent an insider attack?
Yes 49% | No 28% | Not sure 23%
MOST VULNERABLE APPLICATIONS
Cybersecurity professionals see cloud storage and file sharing apps (such as DropBox, OneDrive, etc.)
as most vulnerable to insider attacks (39%), followed by collaboration and communications apps (such
as email, messaging) (36%).
In your opinion, what types of applications are most vulnerable to insider attacks?
Cloud storage & file sharing apps (DropBox, OneDrive, etc) 39% | Collaboration & communication (email, messaging) 36% |
Custom business applications 33%
Finance & accounting 29% | Cloud applications 26% | Business intelligence/analytics 25% | Sales & Marketing
(CRM, marketing automation, etc.) 25% | Application development & testing 23% | Content management 22% |
HR 21% | Disaster recovery/storage/archiving 15% | Supply chain management 15% | Project management 13% |
Not sure/other 3%
INTERNAL VS. EXTERNAL ATTACKS
When comparing internal attacks to external cybersecurity attacks, a majority of 54% confirms
that internal attacks are more difficult to detect and prevent than external cyber attacks. This is
due to the fact that insiders often have advanced access privileges and that it can be extremely
difficult to distinguish legitimate use cases from malicious attacks.
How difficult is it to detect and prevent insider attacks compared to external cyber attacks?
More difficult than detecting and preventing external cyber attacks 54% |
About as difficult as detecting and preventing external cyber attacks 36% |
Less difficult than detecting and preventing external cyber attacks 10%
LAUNCH POINTS FOR INSIDER ATTACKS
The most common launch points for insider attacks are endpoints (59%), mobile devices (46%),
and file servers (39%).
What IT assets are most commonly used to launch insider attacks from?
Endpoints 59% | Mobile devices 46% | File servers 39%
INSIDER ATTACK DAMAGES
Nine of 10 organizations find it moderately to very difficult to determine the actual damage of an
insider attack.
Within your organization, how difficult is it to determine the actual damage of an occurred
insider threat?
Not difficult 13% | Moderately difficult 62% | Very difficult 25%
COMBATING INSIDER THREATS
The most popular tactic in combating insider threats is user training (50%) because it addresses
both inadvertent insider threats as well as the human factor of recognizing insider attacks by the
unusual and suspicious behavior often exhibited by malicious insiders.
User training 50% | Specialized 3rd party applications and devices 22% | Native security features of underlying OS 21% |
Managed Security Service provider 17% | Custom tools and applications developed in-house 11% | We do not use anything 3% |
Not sure/other 11%
SPEED OF DETECTION & MITIGATION
More than half the respondents claim they can detect insider threats within the same day (56%),
15% even within minutes of an attack. This seems very optimistic considering insider attacks often
span long periods of dwell time due to the difficulty in detecting malicious attacks (compared to
legitimate use).
Organizations are equally confident in their ability to quickly mitigate and recover from insider
attacks. Most organizations say they could recover from an attack within a week (77%). Only one
percent of companies believe they would never fully recover from a successful insider attack.
How long would it typically take your organization to detect an insider attack and mitigate it?
[Chart: time to detect and time to mitigate an insider attack. Categories: within minutes, within hours, within one day,
within one week, within one month, within three months, longer than three months, no ability to detect or recover]
DETECTION AND PREVENTION
Because insiders often have elevated access privileges to sensitive data and applications, it
becomes increasingly difficult to detect malicious activity (56%). Combined with the proliferation
of data sharing apps (46%) and more data leaving the traditional network perimeter (45%), the
conditions for successful insider attacks are becoming more difficult to control.
What makes the detection and prevention of insider attacks increasingly difficult compared to a
year ago?
Insiders already have credentialed access to the network and services 56% |
Increased use of applications that can leak data (e.g., Web email, DropBox, social media) 46% |
Increased amount of data that leaves protected boundary/perimeter 45%
MOST EFFECTIVE TOOLS & TACTICS
The most effective security tools and tactics deployed by organizations to protect against insider threats
are policies and training (53%), closely followed by data loss / leakage solutions (52%), encryption of
sensitive data (50%) and identity and access management solutions (50%).
What are the most effective security tools and tactics to protect against insider attacks?
Policies & training 53% | Data Loss Prevention (DLP) 52% | Encryption of data (at rest, in motion, in use) 50% |
Identity and access management (IAM) 50%
Security analytics & intelligence 40% | Intrusion Detection and Prevention (IDS/IPS) 38% | Endpoint and mobile
security 38% | Data Access Monitoring 38% | Network defenses (firewalls) 37% | Sensitive and Private Data
Identification 33% | Database Activity Monitoring 32% | Password vault 21% | Tokenization 21% | Cloud Access
Security Broker (CASB) 21% | Enterprise Digital Rights Management solutions (E-DRM) 21% | Cloud Security as a
Service 15% | Not sure/other 10%
DETECTING INSIDER ATTACKS IN THE CLOUD
Another factor that is making detection of insider attacks more difficult is the continuous shift
toward cloud computing and wide distribution and easy access to data, as confirmed by 56% of
cybersecurity professionals.
56% believe that detecting insider attacks has become significantly to somewhat harder
[Chart: responses on a scale of significantly harder, somewhat harder, has not changed, somewhat easier, significantly easier]
PERSONAL MOBILE DEVICES
With the proliferation of personal mobile devices in the enterprise, an increasing number of insider
attacks originate from personal mobile devices. Only a minority of 12% of organizations say they
can reliably detect insider threats stemming from personal mobile devices.
Can you detect insider threats stemming from personal mobile devices?
[Chart: response options were yes, always; only if they're used on premises; only if they have agents installed;
sometimes; no; we block personal device access]
USER BEHAVIOR MONITORING
The increasing volume of insider threats has caused cybersecurity professionals to take more
action and deploy User Behavior Analytics (UBA) tools to help detect, classify and alert on anomalous
behavior. More than 80% of organizations monitor user behavior in one way or another, most
commonly access logging (38%) and automated user behavior monitoring (23%).
No, we don’t monitor user behavior at all 19% |
Yes, but only under specific circumstances (e.g., shadowing specific users) 13% |
Yes, but only after an incident (e.g., forensic analysis) 7%
MONITOR ABNORMAL USER BEHAVIOR
Only 40% of organizations monitor user behavior across their cloud footprint.
Do you monitor abnormal user behavior across your cloud footprint (SaaS, IaaS, PaaS)?
Yes 40% | No 41% | Not sure 19%
METHODOLOGY & DEMOGRAPHICS
This Insider Threat Report is based on the results of a comprehensive online survey of cybersecurity
professionals, conducted in February of 2019 to gain deep insight into the latest trends, key challenges
and solutions for insider threat management. The respondents range from technical executives to
managers and IT security practitioners, representing a balanced cross-section of organizations of varying
sizes across multiple industries.
CAREER LEVEL
Specialist | Director | Consultant | Manager/Supervisor | Owner / CEO / President | CTO, CIO, CISO, CMO, CFO, COO |
Vice President | Other
DEPARTMENT
COMPANY SIZE
INDUSTRY
Technology, Software & Internet | Information Security | Financial Services | Telecommunications | Education & Research |
Computers & Electronics | Government | Other