Our “Understanding Insider Threats” Paper Publishes

By Anton Chuvakin | May 09, 2016

Very few of you knew that we’ve been “secretly” working on a report dedicated to the insider threat – for the last year or so. We had a few false starts [because, frankly, we could not find anybody who actually cared about the problem :-)], but we finally did it!!

Please welcome “Understanding Insider Threats” by Erik Heidt and myself [Gartner GTP access required for the paper link], based on a large study of 186 organizations and their approaches to The Insider Threat. The report summary states: “Risk and information security practitioners struggle to understand and address insider threats. Gartner did an in-depth survey with 186 participants to understand insider threats through current incidents. Here, we summarize the research and identify steps for addressing different kinds of threats.”

My faves and highlights follow below (think of these as “batch 1”; we will blog more on this in the next few weeks):

  • First, a key point, our definition of insider threat: “In this research, an insider threat is defined as individuals who were deliberate in their theft, misuse or destruction of data or systems.” [so NOT focused on any outsiders who hacked in OR manipulated the insiders, and NOT focused on well-meaning insiders here – just the juicy parts!]
  • “Insider threats are a topic many organizations would prefer to avoid addressing. Attempts to raise insider threat issues are sometimes countered with arguments that insider threat incidents are urban myths or unlikely events. This research, which drew information from 140 actual incidents, contradicts that belief.”
  • A large percentage (62%!) of insiders were “second-streamers” – “so called because they seek to create a second stream of income or other benefits — misuse information for monetary or personal rewards. Common situations involve fraud or providing suppliers with information that undermines the organization’s negotiating power.” <- in essence, they are current employees who don’t want to “leave and profit”, but “stay and profit.”
  • Specifically, “When we look at only the incidents that involved second streamers, it becomes clear that their primary interest was profiting from the sale of business or trade secrets.” <- we mapped insider types to their goals and targets.
  • “We found that 55% of the respondents to this survey have some insider threat controls in place, but only 18% have a formal [counter-insider] program in place.” <- a key point: these are percentages of people WHO AGREED TO HELP WITH AN INSIDER THREAT SURVEY, NOT (stressing it again – N-O-T!) some general population. Selection bias!
  • “Many organizations implement controls to reduce or mitigate insider threats through business processes [not some ‘IT security appliances’]” BUT “66% indicated that IT was responsible for managing insider threat programs for their organizations” <- a paradox here?
  • “Many organizations went for “two for one” — employee education (both upon hire and ongoing, as well as “on the spot” in case of a violation) and employee monitoring, in line with Gartner PCS recommendations.” <- this is a glimpse of ‘controls that work’ sections of the report.

More blog posts from Erik and me on this report are coming! We have a lot of juicy data on insider threat spend, capability maturity, controls that work, incident types, detection effectiveness, etc. – much awesomeness here.

So, go and enjoy the report!
