While businesses overwhelmingly see insiders as a significant threat, most companies do not have the tools and processes to track access to privileged information, according to a report released this week by the Ponemon Institute.
The “Privileged User Abuse and the Insider Threat” report, sponsored by Raytheon, found that more than two-thirds of businesses do not have the capability to monitor the users with access to the most sensitive information. Only 40 percent of companies have the budget to monitor and fight insider threats, despite the fact that 88 percent of respondents consider ample budget important for controlling the problem.
“People are actually getting it these days, people actually think it is a problem,” Michael Crouse, director of insider threat strategies for Raytheon, told eWEEK. “But the tools do not give any indications of the behavior that led to an attack.”
The threat posed by employees and attackers who gain access to employees’ computers has been spotlighted following the leaks of classified National Security Agency documents by former intelligence contractor Edward Snowden. Security experts have warned that the higher levels of access given to certain employees, such as system administrators or managers, pose significant risks to businesses that do not use policies, monitoring and controls to mitigate the risk.
Rogue users are not the only, or even the primary, danger, according to the Ponemon report. Nearly half of respondents thought it likely that privileged users could be targeted by external attackers or even other malicious insiders to gain higher access rights.
Employees who exceed their authority and access sensitive information are a similar threat. Almost three-quarters of respondents believe that employees will access sensitive information if not explicitly prevented, and two-thirds thought that curious employees will attempt to access sensitive information, according to the survey. The lack of proper access controls puts business information and customer information most at risk.
Most companies do not have the necessary visibility to determine whether access to a particular data store is a single, accidental occurrence or an ongoing attack by a malicious actor. The main challenge for IT security teams is that current tools do not provide the context necessary to determine whether an event is an insider attack, according to 69 percent of respondents.
Another 56 percent of those surveyed complained that security tools flagged run-of-the-mill access violations as attacks—so-called false positives.
Yet insider threat programs have to encompass more than just technology, says Raytheon’s Crouse. Companies need to create policies, educate employees and have regular compliance checks, he said.
“You cannot just buy your technology and think your problem is solved,” Crouse said. “Technology is very important, but it is not the end-to-end solution for everything.”
Insider attacks mainly encompass privilege abuse. In the 2014 Data Breach Investigations Report, Verizon found that 88 percent of insider misuse cases constituted the abuse of existing privileges.
“Most insider misuse occurs within the boundaries of trust necessary to perform normal duties,” Verizon’s DBIR stated. “That’s what makes it so difficult to prevent.”