Study: Half of Companies Miss Cybersecurity Threats

According to a new study by Ponemon Institute, half of businesses are missing the early warning signs of insider cybersecurity threats.


Businesses are missing cybersecurity threats to their own companies in a big way. 

The Ponemon Institute recently published a study showing nearly half of the 1,249 IT professionals surveyed say they have no way of identifying cybersecurity risks in the early stages. The study found that:

  • Nearly half of companies find it impossible or very difficult to prevent an insider attack at the earliest stages of the Insider Threat Kill Chain.
  • 53% of companies find it impossible or very difficult to prevent an insider attack when data is being aggregated, a key indicator of intent of an attack.
  • Only 32% of companies say their organizations are very or highly effective in preventing the leakage of sensitive information.
  • 15% of organizations state that no one has ultimate authority and responsibility for controlling and mitigating workforce risks.

In observance of Insider Threat Awareness Month, cybersecurity company DTEX partnered with Ponemon to better understand the growing rate of risks, especially following major breaches like SolarWinds. Recent cybersecurity studies have shown a:

  • 450% increase in employees circumventing security controls to intentionally mask online activities.
  • 230% increase in behaviors indicating an intent to steal data.

DTEX and Ponemon surveyed IT security professionals in North America, western Europe and Australia and reported the results in The State of Insider Threats 2021: Behavioral Awareness and Visibility Remain Elusive, published this week. 

[Figure: The study showed that IT cybersecurity professionals find it difficult or impossible to detect and prevent impending attacks. Source: Ponemon Institute]

Threat Pattern

The study showed that insider security threats typically follow a recurring pattern. What the authors refer to as the Insider Threat Kill Chain includes five steps present in most attacks:

  • Reconnaissance: When preparing for data theft, a malicious insider typically begins with research. This is where they locate the data they would like to steal, test security controls, or, in the case of compromised credentials, test the limits of the stolen credentials' privileges.
  • Circumvention: Any attempt to bypass existing security controls provides an important indication that subsequent actions were intentional. Many organizations place too much reliance on the "locks on their doors"; however, an insider typically has sufficient domain knowledge to know which doors are unlocked, or simply has access to the key.
  • Aggregation: Whether it’s "low or slow" or a "smash and grab," most data exfiltration involves an aggregation step. Data is commonly aggregated on a local workstation or a server with internet access. Data compression is often leveraged for larger transfers.
  • Obfuscation: The act of covering one's tracks is ultimately the strongest indicator of intent. While there are countless ways to get data out, there is a finite number of ways of concealing malicious activity.
  • Exfiltration: Many traditional approaches attempt to detect and prevent exfiltration routes. However, while rigid rules may stop malware detonation, they almost never stop an insider with malicious intention. Ideally, all activity should be analyzed from the point closest to the user, providing visibility into exfiltration routes that most other tools miss.

Regarding the first step, Reconnaissance, 49% of IT security professionals surveyed say that detection and prevention are "impossible or very difficult." Indicators at this stage tend to include suspicious research or seemingly innocuous file exfiltration, unusual network enumeration, and anomalous file or device access.

When it comes to the second step, Circumvention, 47% say detection and prevention of threats is "impossible or very difficult." Indicators include tampering with security controls, suspicious off-network activity and unusual privilege escalation. 
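The stage-by-stage indicators described above are only useful to a defender if they are correlated per user across time, so that a Reconnaissance or Circumvention signal is noticed before Exfiltration happens. The following is an added example, not code from the article, DTEX or Ponemon: it maps normalised endpoint event types (the event names are assumptions for this example) onto the five kill-chain stages, scores each user with Circumvention and Obfuscation weighted higher because the study calls them indicators of intent, and reports the earliest stage at which a warning could have fired. The telemetry is constructed sample data.

```python
"""Insider Threat Kill Chain correlation over constructed endpoint telemetry."""
from collections import defaultdict

# Event types are assumed names for this example; real telemetry (EDR, DLP,
# proxy logs) would be normalised into a similar vocabulary.
STAGE_INDICATORS = {
    "reconnaissance": {"network_enumeration", "unusual_share_browse", "anomalous_device_access"},
    "circumvention": {"security_control_tampering", "off_network_activity", "unusual_privilege_escalation"},
    "aggregation": {"bulk_file_copy", "archive_created"},
    "obfuscation": {"log_cleared", "history_cleared", "file_extension_renamed"},
    "exfiltration": {"removable_media_write", "large_upload", "personal_cloud_sync"},
}
STAGE_ORDER = ["reconnaissance", "circumvention", "aggregation", "obfuscation", "exfiltration"]
# Circumvention signals intent and obfuscation is the strongest intent indicator,
# so those stages carry more weight in the score.
STAGE_WEIGHT = {"reconnaissance": 1, "circumvention": 2, "aggregation": 1,
                "obfuscation": 3, "exfiltration": 2}

# Constructed sample telemetry: (ISO timestamp, user, normalised event type).
SAMPLE_EVENTS = [
    ("2021-09-01T09:02:00", "alice", "network_enumeration"),
    ("2021-09-01T09:40:00", "bob", "bulk_file_copy"),
    ("2021-09-02T11:15:00", "alice", "security_control_tampering"),
    ("2021-09-02T18:30:00", "alice", "archive_created"),
    ("2021-09-03T07:05:00", "alice", "history_cleared"),
    ("2021-09-03T07:20:00", "alice", "removable_media_write"),
    ("2021-09-03T10:00:00", "bob", "archive_created"),
    ("2021-09-03T12:00:00", "carol", "large_upload"),
]


def classify(event_type):
    """Return the kill-chain stage an event type belongs to, or None if benign/unknown."""
    for stage, indicators in STAGE_INDICATORS.items():
        if event_type in indicators:
            return stage
    return None


def correlate(events):
    """Per user: the stages observed (in kill-chain order) and a weighted risk score."""
    per_user = defaultdict(set)
    for _ts, user, event_type in events:
        stage = classify(event_type)
        if stage:
            per_user[user].add(stage)
    report = {}
    for user, stages in per_user.items():
        ordered = [s for s in STAGE_ORDER if s in stages]
        report[user] = {"stages": ordered,
                        "score": sum(STAGE_WEIGHT[s] for s in ordered)}
    return report


def flag(report, min_stages=3, min_score=5):
    """Users who have progressed through several stages or shown strong intent indicators."""
    return sorted(user for user, r in report.items()
                  if len(r["stages"]) >= min_stages or r["score"] >= min_score)


def first_warning(events, user):
    """Timestamp and stage of the user's earliest indicator: where early detection could fire."""
    hits = [(ts, classify(et)) for ts, u, et in sorted(events) if u == user and classify(et)]
    return hits[0] if hits else None


if __name__ == "__main__":
    report = correlate(SAMPLE_EVENTS)
    for user in flag(report):
        print(user, report[user], "first warning:", first_warning(SAMPLE_EVENTS, user))
```

In the sample data, alice touches all five stages and is flagged, while bob (aggregation only) and carol (one upload) stay below both thresholds; the first-warning lookup shows alice's reconnaissance event two days before exfiltration, which is the early-stage visibility the study says most organizations lack. Thresholds and weights are tuning choices for the example, not figures from the report.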

Detection and prevention in the later stages are equally difficult, survey respondents reported.

Why is this the case? According to the study, very few organizations have effective monitoring controls and practices in place. Of the survey respondents, 32% say their organizations are very or highly effective in preventing the leakage of sensitive information, and only 32% say their monitoring controls are very or highly effective in preventing the leakage of information. More respondents (40%) say their monitoring technologies are very or highly effective in preventing the leakage of sensitive information, although that number is not very high relative to the risk of leaked information, according to the study.

No Clear Authority

IT cybersecurity professionals say detecting and preventing threats is difficult to impossible because there is no clear authority for controlling and mitigating these risks, according to the study. In fact, 15% say no one has ultimate authority. In most companies, though, the responsibility lies with the chief information officer, chief information security officer and head of the lines of business. 

A lack of in-house expertise, a lack of collaboration, remote working and a lack of budget are the top reasons respondents give for this absence of clear authority.

[Figure: IT cybersecurity professionals say detecting and preventing threats is difficult to impossible because there is no clear authority for controlling and mitigating these risks. Source: Ponemon Institute]

Study Conclusions

There are many ways businesses can help reduce their cybersecurity threat risk, the study says. 

Recommendations include improving a business' security posture, filling in security gaps and designating a clear authority for mitigating risk. 
