Red Goat Cyber Security are proud to announce the results of their insider threat research, examining the chronic lack of reporting observed in intentional insider threat cases and the factors that may influence the decision to report suspicious activity.

The report highlights chronic under-reporting in companies and some fundamental mistakes being made at a policy level that are negatively impacting the decision to report suspicious activity.

Insider Threat Report: Results

  • The results show a chronic under-reporting of suspicious behaviour and actions for the majority of situations tested.
  • Senior staff members are immune from being reported, regardless of the severity of their actions.
  • Contractors and new staff members are most likely to be reported for suspicious behaviour, and in more severe cases participants were actually happier to report their close friends than their other colleagues.
  • Participants favoured reporting to HR over security teams and lack of training was found to be a major barrier to reporting.

Qualitative data suggests easy ways to improve your insider threat programme

The qualitative data in the Insider Threat Report furnishes us with a deeper understanding of the extent of this problem, and some colourful case studies bring it to life. The findings suggest some easy ways of improving your insider threat programme:

  • Provide staff with adequate training on detection of concerning behaviours, why they are concerning and how to report;
  • Ensure senior staff members sponsor the programme and encourage reporting of authority figures;
  • Place HR front and centre, as they were the favourite department to report to;
  • Ensure that staff have confidence in the confidentiality of their report;
  • Have clear guidance available on what needs to be reported so there is less ambiguity;
  • Counter the narrative that if you report someone you will face reprisals, and exercise no-fault reporting; and
  • Ensure you have robust technical protections in place, such as encryption and DLP.

This research report will provide you with evidence, analysis and recommendations for developing your insider threat programme.

A complex threat

Due to their levels of access and the trust established, intentional insider attacks are often far more damaging to the reputation of a company than an attack from an outside entity. Researchers have found that shareholders have a more sympathetic reaction to security breaches caused by external actors and a more critical reaction to those caused by insiders.

Building an insider threat programme requires a multi-disciplinary approach to creation and management. Intentional insiders are a business threat and so require input from stakeholders across the business.

Even in the most high-profile cases, such as Snowden and Manning, staff reported suspicious activity that they noticed. The trouble was they only did this after the breaches had happened. Post-breach, there is a tendency for organisations to try and claim that the insider was simply a “bad apple”. This is a gross misunderstanding of intentional insiders. Getting to the root cause of an insider attack is a challenging but vitally important process. Environment, culture, processes and economic climate all play a role in the creation of an insider threat. We need to plan and prepare for such an eventuality.

ENISA recommends “drawing up a security policy on insider threats, based on user awareness, which is one of the most effective controls for this type of cyberthreat.”

Insider Threat Report

The research was conducted from a sample of 1145 individuals from a range of job roles.

The participants were predominantly from financial services, legal, accountancy, maritime, aviation, health and energy/extractive industries. However, a broad cross-section of industries was represented. Only a small number of IT or cyber security professionals were sampled.

Qualitative data was also obtained, enriching the data and further explaining concerns staff members had about reporting the suspicious activity of others.
