Back to blog

The real cost of Insider Threats in Office 365

Nov 11, 2016 by Emma Robinson

The term ‘Insider Threat’ sounds pretty scary, evoking the idea of evil employees, bent on personal revenge or company-wide destruction. While this can be the case, the term also refers to any individual, technology or process that has the potential to pose a threat to your organisation – whether intentional or not.
Whether benign or malicious, insider threats pose one of the largest risks for organisations – especially when it comes to data loss. According to details released by the British Information Commissioner’s Office, ‘human error accounted for 62% of data loss incidents reported to the ICO’. This seems to be even higher for cloud services, due to the flexible, customisable nature of the solution – in Gartner’s 2015 IT predictions, they proposed that by ‘2020, 95% of cloud security failures will be the customer’s fault’, elaborating that the ‘characteristics of the parts of the cloud stack under customer control can make cloud computing a highly efficient way for naive users to leverage poor practices, which can easily result in widespread security or compliance failures.’
Let’s look at some examples of what this Insider Threat can look like in practice.
Examples of data loss caused by user actions  

  • Users download data from a secure, approved cloud service, and then upload the data to high-risk shadow cloud applications, which have not been sanctioned by the organisation. This is the most commonly reported cause for data loss.
  • Individuals sending data to the wrong people, whether this is due to human error (accidentally selecting the wrong recipient for an email), or a conscious attempt to share the information beyond its remit. This action accounts for 17% of data loss incidents according to information from the ICO.
  • An employee downloads corporate files to an unmanaged personal device, like a mobile, tablet or laptop. Data loss occurs because the device does not have sufficient endpoint security, such as strong encryption, remote wipe functionality. If the device is lost or stolen (or even shown to the wrong people), then data is vulnerable.
  • ‘Privileged users’ (individuals with Admin status) may change the security configurations of the cloud service in such a way that inadvertently diminishes the security of the platform. Maybe this is as simple as changing a few settings, or maybe its more strategic. For example, sharing admin credentials amongst other employees in order to reduce their own responsibilties or save time. Perhaps an Admin could grant a user’s request to access a file that they actually shouldn’t be able to view.

3d cloud security concept. Safe box. Isolated white background.
How often do these types of events occur?
According to research by the Ponemon Institute, (The Risk of Insider Fraud, second annual study), ‘on average, organisations have had approximately 55 employee-related incidents of fraud in the past 12 months.’ In addition to this, 23% of organisations in the study claimed that ‘insider fraud incidents existed six months or longer before being discovered and 9% could not determine when they occurred.’ The second statistic is particularly concerning. If your organisation does not have a system in place to detect when potential incidents have taken place, then there is no way of telling whether data loss is occurring in your organisation, what information has been lost or appropriated, and what the risks or damage could be.
While organisations seem to spending more and more on security technology to protect against external threats, it is much more challenging to create a comprehensive strategy for safeguarding against internal threats. Achieving the balance between protecting your environment, and enabling your staff to perform effectively and unhindered is no easy task. The best way to begin creating this balance is often through policy creation for permissions and access levels, but this is a preventative measure – what happens if your threat has already transformed into an incident?
What is the real cost of Insider Threats?
The cost of data loss varies depending on the type of information lost (was it sensitive, confidential, damaging?), the quantity of this information, and the inherent value to the company, stakeholders, and individuals who have managed to get their hands on it. It can also depend on how the information is lost. If a careless user has deleted an important document, the only cost might be the system to detect this issue, and the time and resources involved to recreate it. An accidental external email containing confidential information may be far less damaging than the same act with intent. There is no universal sum that can account for the financial cost of data loss as a whole, however a survey by Securonix found that on average in 2015, ‘insider attacks cost companies about $144,000 per incident’. When you compare this figure to the frequency at which these events take place, the total annual cost of insider threats has the potential to be huge.
Then there’s the cost to your organisation’s reputation. Data leaks from insider sources are just as liable to contain customer data or financial data as they are confidential company information. Perhaps one of your Sales team is moving to a competitor and decides to download a full customer list to take with him. Or maybe an individual is willing to sell customer account details and passwords to the highest bidder. Compensation, loss of business, and damaged brand trust can be extremely costly. No organisation can afford not to spend sufficient time or investment on their security practices, permissions and policies in order to prevent these incidents form occurring.
That’s the potential cost. What can you do about it?
There are three ways you can secure your environment against insider threats.

  • Ensure that you, and your security team create intelligent, dynamic policies which enable users to get the information they need to do their job and nothing more. Security configurations and access settings should be reviewed frequently in order to verify that they are up to date, and there are no discrepancies, like ex-employees with access, or individuals with privileges that they no longer need.
  • Educate your users. As we mentioned before, 62% of data loss incidents are due to human error alone. The best way to avoid mistakes is by informing your users about the dangers of data loss, and the ways in which it can occur. By demonstrating best practices, and perhaps relaying details of some high-profile cases (there are plenty to choose from:  the National Security Agency or Motorola are good examples), you can warn your users against the perils of intentional attacks, and decrease their chances of any careless accidents.
  • Finally, make sure you have a system for threat detection in place, and that you’re able to identify when and where a potential incident has occurred. One way to do this for Office 365 is by using Cogmotive’s newest module, Discover & Audit. Think of it like an insurance policy for your Office 365 environment – it collects and stores a record of every file modified, every login attempt, every password change, every mailbox accessed in Office 365 – including when, where from, and who by. The solution provides you with a full uninterrupted audit log of all Office 365 events, allowing you to isolate events or threats quickly using advanced search capabilities, so if an incident does occur, you have the information you need to investigate, identify what happened, and take action to prevent further incidents from occuring.

Need to rethink your insider threat prevention strategy? You can find out more about Discover & Audit here, or sign up for a free 14-day trial.
Cogmotive is the leading global provider of enterprise level reporting and analytics applications for Office 365. Find out more now.