The attacks are coming from inside the business—we’ll explain what’s causing them and what you can do about it.
Insider attacks plague 71% of businesses, according to Capterra’s 2023 Insider Threats Survey*. Our research also finds that 79% say insider attacks, such as fraud, sabotage, and data theft, take longer to detect than outside attacks—a factor that magnifies the impact of insider attacks on your company’s finances, reputation, and competitiveness.
Insider attacks can cost your company hundreds of thousands of dollars, so it’s essential that you be proactive about taking preventive measures to stop them. In this report, we’ll take a deep dive into our survey results, explore their implications, and offer tips to better protect your business against insidious insider attacks.
Key survey findings
Companies that allow greater data access tend to experience more insider attacks.
Nearly four in five (79%) business leaders say insider attacks take longer to uncover than attacks from the outside.
Among companies that report insider attacks, more than half (53%) experience data theft.
Insider fraud schemes cost companies $262,138 on average and typically take about five months to be uncovered.
Note: Insider threats result from either the malicious or negligent actions of employees, business partners, vendors, contractors, or others provided with access to your company’s data or systems. For the purposes of this report, we are focusing on insider attacks that are committed purposefully and maliciously rather than negligent insider incidents that are accidental or result from carelessness.
Higher rates of insider attacks are associated with higher rates of employee data access
Insider attacks arise from opportunities afforded by the insider’s specific role and the trust granted by the business to access company resources. This is why it's critically important that companies protect data and systems using the principle of least privilege.
In other words, employees should only have access to data or systems needed to perform their tasks.
Unfortunately, our survey reveals that only 57% of companies limit data appropriately while the other 43% allow access either to more data than necessary (31%) or to all company data (12%).
When we take a closer look at the 57% of companies that only allow appropriate data access and compare them to the 43% that allow excessive data access, a clear distinction emerges. Companies that allow excessive data access report much higher rates of various insider attacks—companies that restrict data appropriately are twice as likely to avoid insider attacks altogether.
Making matters worse, of the companies that experience insider attacks, one in three (34%) report the involvement of a highly-privileged network user or admin. So not only should data access be restricted to what employees need to do their jobs, but highly-privileged users must also be scrutinized and the use of admin rights minimized.
Data theft is the most common type of insider attack
We asked 400 business leaders whether and what type of insider attacks have occurred at their company. Nearly two in five businesses (38%) have experienced data theft, by far the most common insider attack reported. These events are doubly concerning because, in many cases, they also constitute a data breach.
The second most common type of insider attack is asset misappropriation, reported by just under a third (32%) of businesses. This type of attack includes any use of an entrusted position to misuse company assets for personal gain and covers an array of schemes, from skimming money from a cash register to using company electricity to mine for bitcoin.
Third on our list at 30% is the disclosure of sensitive business data and trade secrets. This type of critical business information is valuable precisely because it is secret, making it a prime target for those looking to sell the information or damage the company’s competitiveness. A classic example of this type of attack occurred years ago when an engineer at Gillette became upset with his supervisor and, fearing loss of his job, sent highly classified plans for a then game-changing three-blade razor to chief competitor Schick[1].
Rounding out our results are reputation sabotage (27%), insider fraud (23%), and system sabotage (20%). Sabotage tends to be associated with disgruntled employees while fraud is conducted for personal enrichment—more on each next.
Disgruntled employees pose specific risks
Motivation to commit insider attacks is often born of need or greed, but in many cases it also stems from retribution. Amid a spate of layoffs in the tech industry and following the so-called Great Resignation that saw employees seeking better pay and benefits en masse, the potential for disgruntled employees must be taken more seriously than ever before.
Disgruntled employees are often seeking retribution for perceived wrongs committed by the company. This retribution manifests in actions such as system sabotage, publication of sensitive business data, and social media attacks. Of companies that have experienced insider attacks, four in five (80%) have been victimized by disgruntled employees—27% were victimized by current employees, 40% by former employees, and 13% by both.
Perhaps more alarming, 36% of companies that report insider attacks say a former employee with active credentials was involved. This makes it abundantly clear that businesses must make stronger efforts during the employee offboarding process to collect equipment and deactivate user accounts to reduce attacks.
To learn about strategies to prevent employees from becoming disgruntled in the first place, read our recent reports:
Insider fraud incidents cost companies more than a quarter million dollars on average
While not the most common insider attack reported, internal fraud is perhaps the most insidious and definitely one of the most costly. According to our research, insider fraud incidents cost companies more than a quarter million dollars on average and take a little longer than five months (156 days) to be discovered. And because fraud is concealed by its very nature, it’s safe to assume these numbers are merely starting points.
When we break out small businesses with 500 or fewer employees from large companies with more than 500 employees, the numbers change drastically. Small businesses average about $80k in financial impact per fraud incident while large companies average about $390k. This makes sense considering it’s easier to take a larger slice from a larger pie.
How should I protect my business against insider attacks?
The following are strategies that you can use to mitigate the insider threat to your business, most of which are simple to implement.
Employ the principle of least privilege
Employees should have access to all of the data they need to do their job, but as we’ve shown, allowing excessive data access leads to problems. Regularly audit who has access to what and adjust privileges and access settings accordingly, especially when employees change position.
Use data classification to identify and protect sensitive information
Apply role-based authentication to simplify access control
Implement network segmentation to limit lateral movement
Minimize highly-privileged and admin accounts
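The least-privilege audit described above (regularly comparing who has access to what against what their role needs, and counting admin-level grants) can be scripted. This is an added example for this report, not Capterra's code; the role policy, admin grant names and the user grant records are constructed sample data standing in for a real IAM export.

```python
"""Least-privilege drift audit: compare each account's actual grants with the
permissions its role should have, and flag excess grants and admin-level access.
Added example; ROLE_POLICY, ADMIN_GRANTS and GRANTS are constructed sample data."""
from collections import defaultdict

# Assumed role policy: the resources each role legitimately needs for its job.
ROLE_POLICY = {
    "accounts-payable": {"erp-invoices", "bank-portal"},
    "engineer": {"source-repo", "ci-system"},
    "support": {"ticketing", "crm-readonly"},
}
# Grants that confer highly-privileged or admin rights and should be minimized.
ADMIN_GRANTS = {"domain-admin", "erp-admin", "cloud-owner"}

# Constructed sample of (user, role, resource) rows as an IAM export might list them.
GRANTS = [
    ("alice", "accounts-payable", "erp-invoices"),
    ("alice", "accounts-payable", "bank-portal"),
    ("bob", "engineer", "source-repo"),
    ("bob", "engineer", "erp-invoices"),   # outside the engineer role: excess access
    ("bob", "engineer", "domain-admin"),   # admin-level grant
    ("carol", "support", "ticketing"),
    ("carol", "support", "crm-readonly"),
]


def audit(grants, policy, admin_grants):
    """Return {user: {"excess": set, "admin": set}} for every user with a finding."""
    per_user = defaultdict(set)
    roles = {}
    for user, role, resource in grants:
        per_user[user].add(resource)
        roles[user] = role  # sample data assumes one role per user
    findings = {}
    for user, resources in per_user.items():
        allowed = policy.get(roles[user], set())
        admin = resources & admin_grants          # highly-privileged grants
        excess = resources - allowed - admin      # grants the role does not justify
        if excess or admin:
            findings[user] = {"excess": excess, "admin": admin}
    return findings


if __name__ == "__main__":
    for user, f in sorted(audit(GRANTS, ROLE_POLICY, ADMIN_GRANTS).items()):
        print(f"{user}: excess={sorted(f['excess'])} admin={sorted(f['admin'])}")
```

Run it against each access review; any user listed is a candidate for privilege adjustment, and the admin column is the population to shrink.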
Develop an anonymous tip program
The majority of investigations begin with a tip. That’s why the most effective strategy to identify insider attacks is to deploy an anonymous tip line or formal whistleblowing program. These programs are highly effective and cost little money or effort to get started.
Fortunately, 72% of the companies we surveyed have an anonymous reporting program, but that also means that more than one in four companies do not.
Practice separation of duties
To help prevent fraud and numerous other threats, it’s important to make sure no one person is responsible for critical processes or transactions. High-risk duties such as bookkeeping, asset distribution, or even pushing code into production should have safeguards and require approvals to make insider attacks more difficult to commit—and to cover up.
Ensure departing employees are properly offboarded
When parting ways with an employee, be sure to do all of the following:
Conduct exit interviews (an opportunity to assuage a disgruntled employee).
Secure all company equipment (and wipe remotely if necessary).
Deactivate all network credentials, including those for on-premises and cloud-based applications.
Close and archive all relevant accounts.
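The finding that 36% of attacked companies saw a former employee with active credentials suggests a recurring check: reconcile the HR roster against account exports from every system and flag anyone terminated whose account is still enabled. This is an added example for this report, not Capterra's code; the roster and the per-system account exports are constructed sample data, and the grace period is an assumed offboarding window.

```python
"""Offboarding reconciliation: flag former employees whose accounts are still
enabled in any system, and orphan accounts that match no one in HR.
Added example; HR_ROSTER and ACCOUNT_EXPORTS are constructed sample data."""
from datetime import date

# Constructed HR roster: employee id -> termination date (None = still employed).
HR_ROSTER = {
    "e100": None,
    "e101": date(2023, 3, 1),
    "e102": date(2023, 4, 10),
    "e103": date(2023, 4, 20),
}

# Constructed account exports, one list of (employee id, enabled) per system:
# the on-premises directory plus two cloud applications.
ACCOUNT_EXPORTS = {
    "ad": [("e100", True), ("e101", False), ("e102", True), ("e103", True)],
    "crm": [("e100", True), ("e101", True), ("e102", False)],
    "git": [("e100", True), ("e103", True), ("svc-old", True)],
}


def stale_credentials(roster, exports, today, grace_days=0):
    """Return {account: {"days_since_termination": n or None, "systems": [...]}}
    for terminated people still enabled past the grace period, and for enabled
    accounts with no HR record at all (days_since_termination is None)."""
    findings = {}
    for system, accounts in exports.items():
        for emp, enabled in accounts:
            if not enabled:
                continue                      # already disabled in this system
            if emp in roster:
                term = roster[emp]
                if term is None:
                    continue                  # still employed
                age = (today - term).days
                if age <= grace_days:
                    continue                  # inside the assumed offboarding window
            else:
                age = None                    # orphan account: nobody in HR owns it
            entry = findings.setdefault(emp, {"days_since_termination": age, "systems": []})
            entry["systems"].append(system)
    for entry in findings.values():
        entry["systems"].sort()
    return findings


if __name__ == "__main__":
    for emp, f in sorted(stale_credentials(HR_ROSTER, ACCOUNT_EXPORTS, date(2023, 5, 1), 2).items()):
        print(f"{emp}: enabled in {f['systems']}, {f['days_since_termination']} days after termination")
```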
Use software to ease insider threat mitigation
Explore security tools such as data loss prevention software which can help to keep sensitive information secure and prevent unauthorized data transfers, or consider an endpoint protection platform that can secure devices while helping to restrict network access.
Want to learn more about making your business secure?
Read our report: Passwords Are the W0r$T!—It's Time To Adopt Passwordless Authentication