REPORT: The Risk of Insider Fraud

The Ponemon Institute has issued its second The Risk of Insider Fraud report. On the report's average, an organization can expect roughly 55 employee-related fraud incidents in a year.

[Chart: Fraud Incidents (Ponemon Institute LLC)]

From the Introduction:

The Risk of Insider Fraud: Second Annual Study reveals that the insider threat has become more of a challenge for IT professionals. The first study was published in October 2011.

The number of employee-related incidents of fraud continues to remain high.

However, only 44 percent say their organization views the prevention of insider fraud as a top security priority and this perception has declined since 2011.

Contributing to the insider risk are BYOD, employees accessing enterprise systems from remote locations and a lack of security protocols over edge devices.

According to Ponemon Institute research, insider negligence and maliciousness can be one of the major causes of a costly and reputation damaging data breach.

As reported in the 2011 Cost of Data Breach: United States study, data breaches that result from malicious attacks are most costly.

Hackers or criminal insiders (employees, contractors and other third parties) typically cause the data breach as determined by the post data breach investigation.

While the average cost of a data breach in the 2011 study was $194 per lost or stolen record, companies that experience malicious or criminal attacks have a per capita cost above the mean ($222).

In our study, we defined insider fraud as the malicious or criminal attacks perpetrated upon business or governmental organizations by employees, temporary employees and contractors.

Typically, the objective of such attacks is the theft of financial or information assets, which include customer data, trade secrets and intellectual property.

Sometimes the most dangerous insiders are those who possess strong IT skills or have access to your organization’s critical applications and data.

Other risks with potentially severe consequences are the intentional misuse of data or policy violation.

Some of the most salient findings from this study are the following:

  • On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months.
  • More than one-third say that employees' use of personally owned mobile devices has resulted in malware and virus infections that infiltrated their corporate networks and enterprise systems, and another 26 percent say it is very likely to occur.
  • Sixty-one percent rate the threat of insider risk within their organization as very high or high.
  • Twenty-three percent say insider fraud incidents existed six months or longer before being discovered and nine percent could not determine when they occurred.
  • Fifty-five percent say their organization does not have the ability or intelligence to determine whether an off-site employee's non-compliance is due to negligence or fraud.

Using survey methods, we implemented an objective study about how highly experienced individuals in IT, security, compliance and other business fields deal with the risk of fraud perpetrated by malicious insiders.

Our study attempts to ascertain what these individuals perceive to be the most serious vulnerabilities in their organizations, and how they can improve IT, governance and control practices that reduce fraud and ensure compliance with regulations. . . .  (Read Report)
