Verizon recently released its 2017 Data Breach Investigations Report (DBIR), a comprehensive study that draws on the collective experience of 65 organizations for a sample of security incidents and data breaches. Let’s take a look at what the report has to say about insider threats and ways to mitigate these threats.

The Big Picture on Insider Threats

At a summary level, the DBIR reports that internal actors were behind 25% of the breaches studied in the report. This classification covers both negligent insiders and those with malicious intent (including privilege misuse). Another 2% were attributed to partners – another type of insider.

Looking at the negligent insider, in particular, the DBIR found that around 1 in 14 users were tricked into following a link within a phishing email or opening an attachment — and a quarter of those went on to be duped more than once. Social actions, notably phishing, were found in 21% of incidents, up from just 8% in the 2016 DBIR.

Insider Threats By Industry

For each major industry, the DBIR provides specifics on the threat actors behind the breaches. Insider threats are particularly prevalent in educational services, healthcare, and public administration.

The following table provides threat actor data by industry, and some recommendations from the DBIR on how to mitigate insider threats in those industries with a higher percentage of insider threat actors.

| Industry | Threat Actors | Advice to Battle Insider Threats |
|---|---|---|
| Accommodation and Food Services | 96% External, 4% Internal (breaches) | N/A |
| Educational Services | 71% External, 30% Internal, 3% Partner (breaches). The breaches involving internal actors were mostly attributable to human error (misdelivery of sensitive data and publishing errors), as opposed to malicious intent. | Train your employees and students on security awareness, and encourage/reward them for reporting suspicious activity such as potential phishing or pretexting attacks. |
| Financial and Insurance | 94% External, 6% Internal, <1% Partner (all incidents). Accessing systems to fraudulently transfer money or using personal information of customers for identity theft are two financially motivated examples of misuse. | Keep an eye on employees and periodically monitor their activities. Don’t give them permissions they don’t need to do their job, and make sure you disable accounts immediately upon termination or voluntary departure. |
| Healthcare | 32% External, 68% Internal, 6% Partner (breaches). Insiders access patient data out of curiosity, or to commit identity fraud. | Routinely check on employee activity to make sure they are not viewing, downloading or printing information that they have no business need for. Use warning banners that make it clear that monitoring is taking place. |
| Information | 97% External, 3% Internal (all incidents) | N/A |
| Manufacturing | 93% External, 7% Internal (breaches) | Keep highly sensitive data segregated and only allow access to those who require it to perform their job. |
| Public Administration | 62% External, 40% Internal, 4% Multiple parties, 2% Partner (breaches). Insiders are interested in trade secrets and personal information. The insiders represented here in many instances fall into scenarios such as a police officer who misuses his or her ability to access criminal databases inappropriately. | Know your own data, where it resides, who has access to it, and who, in fact, does access it. To prevent your data from flying out of your organization, set up controls to monitor data egress. |
| Retail | 92% External, 7% Internal, <1% Partner (incidents) | N/A |

Insider Motivations, Techniques, and Timelines

The DBIR found that the insiders behind incidents in the report have many motives:

  • Converting data to cash – 60%
  • Unsanctioned snooping – 17%
  • Espionage motives – 15%

And insiders are plundering databases (57%), rifling through printed documents (16%) and accessing other employees’ email (9%).

The discovery timeline for insider breaches is typically measured in months and years, rather than weeks or less.

Use Monitoring to Combat the Insider Threat

The DBIR notes that some of the breach discovery data in the report stems from forensic investigations of employees’ devices after their departure from the company. While this is an important technique to use, the DBIR also recommends the following:

Implement limiting, logging and monitoring of use, and watch out for large data transfers and use of USB devices. This way, you can catch the breach closer to real time to reduce the potential impact.
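One way to act on the recommendation above, as an added example that is not from the DBIR or the original post: it flags USB device use and any day on which a user's outbound volume is far above that user's own baseline (median plus a multiple of the median absolute deviation). The event format, field names, thresholds and sample records are assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict

MB = 1_000_000
# Constructed sample events (assumed format): (day, user, event_type, bytes_out)
EVENTS = [
    ("2017-05-01", "alice", "net_egress", 40 * MB),
    ("2017-05-02", "alice", "net_egress", 45 * MB),
    ("2017-05-03", "alice", "net_egress", 38 * MB),
    ("2017-05-04", "alice", "net_egress", 42 * MB),
    ("2017-05-05", "alice", "net_egress", 450 * MB),
    ("2017-05-05", "alice", "net_egress", 450 * MB),
    ("2017-05-01", "bob", "net_egress", 10 * MB),
    ("2017-05-02", "bob", "net_egress", 12 * MB),
    ("2017-05-03", "bob", "net_egress", 11 * MB),
    ("2017-05-03", "bob", "usb_mount", 0),
    ("2017-05-04", "bob", "net_egress", 10 * MB),
    ("2017-05-05", "bob", "net_egress", 13 * MB),
]

def flag_insider_signals(events, k=5.0, min_history=3):
    """Return sorted (day, user, reason) alerts for USB use and unusual egress."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> total bytes out
    alerts = set()
    for day, user, kind, nbytes in events:
        if kind == "usb_mount":
            alerts.add((day, user, "usb_device"))
        elif kind == "net_egress":
            daily[user][day] += nbytes
    for user, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline to judge this user yet
            med = statistics.median(history)
            mad = statistics.median([abs(x - med) for x in history])
            # Floor the spread at 10% of the median so a flat baseline
            # does not make every small increase look anomalous.
            threshold = med + k * max(mad, 0.1 * med)
            if per_day[day] > threshold:
                alerts.add((day, user, "large_egress"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in flag_insider_signals(EVENTS):
        print(alert)
```

Comparing each user against their own history, rather than a single fixed byte limit, keeps routinely heavy transfer roles from drowning out the one account whose volume suddenly jumps.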

For More Information: Verizon 2017 Data Breach Investigations Report (executive summary and link to full report)