Internal employees are responsible for as much as 80 percent of the malicious attacks at organizations -- at least according to the stats I've seen cited around the Internet. Yet that figure seems to be much higher than what I've observed in my professional IT management and consulting experience over the past two decades. Out of at least 100 security incidents -- a conservative number -- I've seen, only a handful were caused by employees.
In light of those statistics, I've wondered whether the problem of insider threats is really that bad or if my experience has been aberrant. Perhaps companies tend to avoid using outside security consultants when the problem is an internal issue. While researching a forthcoming paper on insider threats, I discovered just how significant a threat insiders pose. When you factor in the various ways insiders can harm your organization, both wittingly and unwittingly, that 80 percent figure becomes plausible.
The 2009 CSI Computer Crime survey, probably one of the most respected reports covering insider threats, says insiders are responsible for 43 percent of malicious attacks. Twenty-five percent of respondents said that over 60 percent of their losses were due to nonmalicious actions by insiders. I've read many damage assessment reports stating that although insiders are responsible for fewer incidents than are outsiders, insider incidents usually result in more damage. Thus, the CSI data seems credible.
The 2009 Verizon Data Breach Report, another source earning growing respect, pegs data breaches due to insider attacks at only 20 percent. This figure comes from only the incidents the Verizon team has consulted on, although the sample size isn't much different from the CSI survey's.
Notably, the samples from both reports are relatively small, in the low hundreds. To achieve a statistical confidence level of 99 percent for 10 million records, you'd need a sample size of 1,849. But these two surveys are among the best sources of insider threat information that we have.
Verizon's 20 percent figure is surprising to me, but the survey adds that another 32 percent of attacks can be attributed to trusted partners, which I consider nearly equivalent to insiders. That puts Verizon's range at 20 to 52 percent, and either figure is startling if true. The report also indicates that end users and IT administrators are by far the largest culprits in internal data breaches, split nearly evenly.