
2019 INSIDER THREAT REPORT

INTRODUCTION
Today’s most damaging security threats often originate not from malicious
outsiders or malware but from trusted insiders with access to sensitive data and
systems, both malicious insiders and negligent insiders.

The 2019 Insider Threat Report reveals the latest trends and challenges facing
organizations, how IT and security professionals are dealing with risky insiders,
and how organizations are preparing to better protect their critical data and IT
infrastructure.

Key findings include:


• 73% of organizations confirm insider attacks are becoming more frequent
• 68% feel extremely to moderately vulnerable to insider attacks
• 39% identified cloud storage and file sharing apps as the most vulnerable to
insider attacks
• 54% see insider attacks as harder to detect compared to external cyber attacks
• 56% believe detecting insider attacks has become significantly to somewhat
harder since migrating to the cloud

This 2019 Insider Threat Report has been produced by Cybersecurity Insiders,
the 400,000 member community for information security professionals, to
explore how organizations are responding to the evolving security threats in
the cloud.

We hope you’ll find this report informative and helpful as you continue your
efforts in protecting your IT environments against insider threats.

Thank you,

Holger Schulze
CEO and Founder
Cybersecurity Insiders

2019 INSIDER THREAT REPORT All Rights Reserved. Copyright 2019 Cybersecurity Insiders. 2
THE RISE OF INSIDER ATTACKS
Seventy-three percent of organizations observed that insider attacks have become more frequent over
the last 12 months. Thirty-nine percent experienced up to 5 attacks, and 21% experienced more than 6
attacks during the previous 12 months.

Do you think insider attacks have generally become more frequent over the last 12 months?

• Yes: 73% (think insider attacks have become more frequent in the past 12 months)
• No: 27%

How many insider attacks did your organization experience in the last 12 months?

• None: 41%
• 1-5: 39%
• 6-10: 14%
• 11-20: 3%
• More than 20: 4%

INSIDER VULNERABILITY
We asked cybersecurity professionals to assess their organization’s vulnerability to insider threats.
An overwhelming 68% of organizations feel moderately to extremely vulnerable. Only 7% say they
are not at all vulnerable to an insider attack. Insider threats present another layer of complexity
for IT professionals to manage, requiring careful planning with regards to access controls, user
permissions, and monitoring user actions.

How vulnerable is your organization to insider threats?

68% feel extremely to moderately vulnerable to insider attacks

• Extremely vulnerable: 4%
• Very vulnerable: 15%
• Moderately vulnerable: 49%
• Slightly vulnerable: 25%
• Not at all vulnerable: 7%

An alarming 28% of organizations said they do not have adequate controls in place (just as alarming,
another 23% are not sure). The good news is security practitioners realize that advanced detection
and prevention of insider threats is key; 49% of respondents have already implemented security
controls and policies to deal with insider threats.

Does your organization have the appropriate controls to prevent an insider attack?

• Yes: 49%
• No: 28%
• Not sure: 23%

MOST VULNERABLE APPLICATIONS
Cybersecurity professionals see cloud storage and file sharing apps (such as DropBox, OneDrive, etc.)
as most vulnerable to insider attacks (39%), followed by collaboration and communications apps (such
as email, messaging) (36%).

In your opinion, what types of applications are most vulnerable to insider attacks?

• Cloud storage & file sharing apps (DropBox, OneDrive, etc): 39%
• Collaboration & communication (email, messaging): 36%
• Custom business applications: 33%
• Website: 33%
• Productivity (Office 365, word processing, spreadsheets, etc): 32%
• IT Operations: 30%
• Social media (Facebook, LinkedIn, Twitter, etc): 30%

Finance & accounting 29% | Cloud applications 26% | Business intelligence/analytics 25% | Sales & Marketing
(CRM, marketing automation, etc.) 25% | Application development & testing 23% | Content management 22% |
HR 21% | Disaster recovery/storage/archiving 15% | Supply chain management 15% | Project management 13% |
Not sure/other 3%

INTERNAL VS. EXTERNAL ATTACKS
When comparing internal attacks to external cybersecurity attacks, a majority of 54% confirms
that internal attacks are more difficult to detect and prevent than external cyber attacks. This is
due to the fact that insiders often have advanced access privileges and that it can be extremely
difficult to distinguish legitimate use cases from malicious attacks.

How difficult is it to detect and prevent insider attacks compared to external cyber attacks?

• More difficult than detecting and preventing external cyber attacks: 54%
• About as difficult as detecting and preventing external cyber attacks: 36%
• Less difficult than detecting and preventing external cyber attacks: 10%

LAUNCH POINTS FOR INSIDER ATTACKS
The most common launch points for insider attacks are endpoints (59%), mobile devices (46%),
and file servers (39%).

What IT assets are most commonly used to launch insider attacks from?

• Endpoints: 59%
• Mobile devices: 46%
• File servers: 39%
• Network: 38%
• Business applications: 35%
• Databases: 30%
• Cloud infrastructure or applications: 26%

Not sure/other 16%

INSIDER ATTACK DAMAGES
Nine of 10 organizations find it moderately to very difficult to determine the actual damage of an
insider attack.

Within your organization, how difficult is it to determine the actual damage of an occurred
insider threat?

87% find it moderately to very difficult to determine the actual damage of a successful insider attack

• Not difficult: 13%
• Moderately difficult: 62%
• Very difficult: 25%

COMBATING INSIDER THREATS
The most popular tactic in combating insider threats is user training (50%) because it addresses
both inadvertent insider threats as well as the human factor of recognizing insider attacks by the
unusual and suspicious behavior often exhibited by malicious insiders.

How does your organization combat insider threats today?

• User training: 50%
• Information Security Governance Program: 42%
• Background checks: 36%
• User activity monitoring: 33%
• Database Activity Monitoring: 31%
• Secondary authentication: 31%

Specialized 3rd party applications and devices 22% | Native security features of underlying OS 21% | Managed
Security Service provider 17% | Custom tools and applications developed in-house 11% | We do not use anything 3% |
Not sure/other 11%

SPEED OF DETECTION & MITIGATION
More than half the respondents claim they can detect insider threats within the same day (56%),
15% even within minutes of an attack. This seems very optimistic considering insider attacks often
span long periods of dwell time due to the difficulty in detecting malicious attacks (compared to
legitimate use).

Organizations are equally confident in their ability to quickly mitigate and recover from insider
attacks. Most organizations say they could recover from an attack within a week (77%). Only one
percent of companies believe they would never fully recover from a successful insider attack.

How long would it typically take your organization to detect an insider attack and mitigate it?

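• Within minutes: detection time 15%, recovery time 11%
• Within hours: detection time 22%, recovery time 19%
• Within one day: detection time 19%, recovery time 20%
• Within one week: detection time 17%, recovery time 27%
• Within one month: detection time 13%, recovery time 13%
• Within three months: detection time 6%, recovery time 5%
• Longer than three months: detection time 5%, recovery time 4%
• No ability to detect or recover: detection time 3%, recovery time 1%

56% detect insider attacks within a day. 50% can mitigate an insider attack within a day.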

DETECTION AND PREVENTION
Because insiders often have elevated access privileges to sensitive data and applications, it
becomes increasingly difficult to detect malicious activity (56%). Combined with the proliferation
of data sharing apps (46%) and more data leaving the traditional network perimeter (45%), the
conditions for successful insider attacks are becoming more difficult to control.

What makes the detection and prevention of insider attacks increasingly difficult compared to a
year ago?

• Insiders already have credentialed access to the network and services: 56%
• Increased use of applications that can leak data (e.g., Web email, DropBox, social media): 46%
• Increased amount of data that leaves protected boundary/perimeter: 45%
• More end-user devices capable of theft: 40%
• Migration of sensitive data to the cloud along with adoption of cloud apps: 35%
• Insiders are more sophisticated: 31%
• Difficulty in detecting rogue devices introduced into the network or systems: 29%

Absence of an Information Security Governance Program 21% | Not sure/other 10%

MOST EFFECTIVE TOOLS & TACTICS
The most effective security tools and tactics deployed by organizations to protect against insider threats
are policies and training (53%), closely followed by data loss / leakage solutions (52%), encryption of
sensitive data (50%) and identity and access management solutions (50%).

What are the most effective security tools and tactics to protect against insider attacks?

• Policies & training: 53%
• Data Loss Prevention (DLP): 52%
• Encryption of data (at rest, in motion, in use): 50%
• Identity and access management (IAM): 50%
• User behavior anomaly detection: 48%
• Security information and event management (SIEM): 46%
• Multi-factor authentication: 45%
• User monitoring: 43%
• File Activity Monitoring: 42%

Security analytics & intelligence 40% | Intrusion Detection and Prevention (IDS/IPS) 38% | Endpoint and mobile
security 38% | Data Access Monitoring 38% | Network defenses (firewalls) 37% | Sensitive and Private Data
Identification 33% | Database Activity Monitoring 32% | Password vault 21% | Tokenization 21% | Cloud Access
Security Broker (CASB) 21% | Enterprise Digital Rights Management solutions (E-DRM) 21% | Cloud Security as a
Service 15% | Not sure/other 10%

DETECTING INSIDER ATTACKS IN THE CLOUD
Another factor that is making detection of insider attacks more difficult is the continuous shift
toward cloud computing and wide distribution and easy access to data, as confirmed by 56% of
cybersecurity professionals.

Since migrating to the cloud, detecting insider attacks is …

56% believe that detecting insider attacks has become significantly to somewhat harder

[Chart: responses across Significantly harder, Somewhat harder, Has not changed, Somewhat easier, Significantly easier; values shown: 43%, 23%, 17%, 13%, 3%]

PERSONAL MOBILE DEVICES
With the proliferation of personal mobile devices in the enterprise, an increasing number of insider
attacks originate from personal mobile devices. Only a minority of 12% of organizations say they
can reliably detect insider threats stemming from personal mobile devices.

Can you detect insider threats stemming from personal mobile devices?

[Chart: responses across Yes, always; Only if they're used on premises; Only if they have agents installed; Sometimes; No; We block personal device access; values shown: 32%, 27%, 18%, 12%, 4%, 7%]

USER BEHAVIOR MONITORING
The increasing volume of insider threats has caused cybersecurity professionals to take more
action and deploy User Behavior Analytics (UBA) tools to help detect, classify and alert on anomalous
behavior. More than 80% of organizations monitor user behavior in one way or another, most
commonly access logging (38%) and automated user behavior monitoring (23%).

Do you monitor user behavior?

• YES, but access logging only: 38%
• YES, we use automated tools to monitor user behavior 24x7: 23%
• NO, we don’t monitor user behavior at all: 19%
• YES, but only under specific circumstances (e.g., shadowing specific users): 13%
• YES, but only after an incident (e.g., forensic analysis): 7%

MONITOR ABNORMAL USER BEHAVIOR
Only 40% of organizations monitor user behavior across their cloud footprint.

Do you monitor abnormal user behavior across your cloud footprint (SaaS, IaaS, PaaS)?

• Yes: 40%
• No: 41%
• Not sure: 19%

METHODOLOGY & DEMOGRAPHICS
This Insider Threat Report is based on the results of a comprehensive online survey of cybersecurity
professionals, conducted in February of 2019 to gain deep insight into the latest trends, key challenges
and solutions for insider threat management. The respondents range from technical executives to
managers and IT security practitioners, representing a balanced cross-section of organizations of varying
sizes across multiple industries.

CAREER LEVEL

• Specialist: 19%
• Director: 17%
• Consultant: 17%
• Manager/Supervisor: 14%
• Owner / CEO / President: 11%
• CTO, CIO, CISO, CMO, CFO, COO: 8%
• Vice President: 6%
• Other: 6%

DEPARTMENT

• IT Security: 36%
• IT Operations: 22%
• Compliance: 7%
• Engineering: 6%
• Sales: 6%
• Operations: 4%
• Product Management: 4%
• Other: 17%

COMPANY SIZE

• Fewer than 10: 12%
• 10-99: 21%
• 100-999: 17%
• 1,000-4,999: 18%
• 5,000-10,000: 9%
• Over 10,000: 22%

INDUSTRY

23% 15% 13% 8% 8% 6% 6% 6% 25%

Technology, Software & Internet Information Security Financial Services Telecommunications Education & Research
Computers & Electronics Government Other

