Insider Threat Management

2019 Verizon Data Breach Investigations Report Shows Spike in Insider Threats: Our Top 3 Takeaways

Every year, the comprehensive Verizon Data Breach Investigations Report (DBIR) provides the industry with a deep dive into the latest trends in cybersecurity incidents. This year’s report found that insider threat incidents have been on the rise for the last four years, increasing 5% since hitting a low point in 2015. This year’s report also shows that 34% of all breaches happened because of insiders.

Today we’ll take a deeper dive into the insider threat data included in the report and explain how to mitigate risk for your organization.

Healthcare’s Insider Threats Outweigh External Actors

Nearly 60% of data breaches at healthcare organizations are caused by insiders, the largest percentage of any industry. Healthcare is the only industry where insider-caused breaches outnumber external attacks, at least according to this report. (Some experts, like Shawn Thompson of the Insider Threat Management Group, believe that these incidents are still undercounted and underreported).

The DBIR points to an onslaught of accidental insider threats in the healthcare industry. With stringent regulatory requirements such as HIPAA and the need to move fast to stay competitive, insider mistakes have become rampant. The use of stolen credentials, privilege abuse and phishing were the top three most common types of confirmed attacks.

Privilege an issue for information technology firms

About 44% of breaches in the information technology sector were caused by insiders, the second-highest percentage among the industries in the report. Many of these breaches were also accidental but caused by privileged users. System administrators were often responsible for misconfigurations and publishing errors that caused the majority of these insider breaches. Many of these misconfigurations involved cloud storage databases, which often contain an organization’s most sensitive data.

Financial services plagued by credential theft and phishing

The financial services sector came in third, with 36% of breaches attributed to insiders. Credential theft and phishing attacks were the most common types of breaches in this industry. Privilege misuse was also common, not surprising given the high-value target of financial data and personally identifiable information (PII).

Public sector attacks hard to detect

Finally, 30% of public sector breaches were attributed to insiders. State-affiliated actors accounted for 79% of all external attackers in this industry, while privilege misuse and errors by insiders accounted for 30% of overall breaches (these figures overlap because external attackers often gain insider access and privileges. Many of these breaches took months or years to discover, and incidents involving privilege misuse took the longest for organizations to find.

Our Takeaway: Attacks and incidents vary by industry, so your insider threat program should be tailored to the industry you are in. Rather than taking a one-size-fits-all approach, evaluate your unique weak points and common attack vectors for your industry and build your strategy accordingly.

System administrators and state-sponsored threats rising

An insider threat can be defined as what happens when someone close to an organization, with authorized access, misuses that access to compromise critical information or systems. With that definition in mind, two threat vectors have increased according to this year’s DBIR: system administrators and state-sponsored threats.

The idea of rogue system administrators with malicious intentions seems much more cinematic. The reality is admins most consistently cause accidental insider threat incidents. Their most common errors include:

  • Misconfiguring servers to allow for unintended access to sensitive data
  • Publishing data to public servers that should have been private or access-controlled.

State-sponsored threat actors have also increased dramatically in the last year. Often, trusted insiders enable state-sponsored threats, infiltrating an organization’s external security defenses and stealing critical, non-public data on behalf of a government. A popular example of a state-sponsored attack was Greg Chung from Rockwell-Boeing, who stole engineering secrets for the Chinese government for nearly 30 years.

Our Takeaway: Insiders who enable state-sponsored attacks are commonly most vulnerable to “turning” when they are in financial or career distress. So it’s a good idea to develop both social (HR management and security awareness training) and technical defenses against insider threats like these.

C-Suite is a Popular Target for Social Engineering Attacks

Unfortunately, the higher up you are in a company, the more likely you are to become a target for phishing and social engineering attacks. The DBIR found that top-level execs are 12 times more likely to be the target of social incidents and nine times more likely to cause social breaches. (These types of social engineering attacks are very much on the rise.) C-level executives are, of course, high-value targets for hackers, and their busy schedules may mean that they’re more likely to click quickly before they’ve had a chance to think about whether a link is malicious or legitimate.

Our Takeaway: When organizations conduct insider threat and security awareness training, execs get left out of the equation. After all, they have plenty on their plates as it is. But these attacks make it clear that insider threat training should apply to everyone in the organizations—including and perhaps even focusing on the C-Suite.

What to Do About Insider Threats in Your Organization

The steep rise in insider threat incidents over the last four years points to the need for a comprehensive insider threat management strategy. An effective strategy combines cybersecurity awareness training (to avoid costly mistakes) with technology to identify and mitigate the risk of insider threats. A dedicated insider threat management platform like Proofpoint ITM can help organizations quickly identify and investigate potential incidents. Security analysts can use Proofpoint ITM to gain complete visibility into both user and data activity, so they can know who did what, when and why.

try out our sandbox environment

Subscribe to the Proofpoint Blog