While large cyber attacks and data breaches may get the headlines, a recent study prepared by the Ponemon Institute and Hewlett-Packard and a recent criminal conviction of a Los Angeles Times reporter that disclosed corporate passwords on a hacker website serve as additional reminders that “malicious insiders” still pose the largest security threat to an organization.

Ponemon Institute/Hewlett-Packard Study: Malicious Insiders Can Cause the Most Serious Cyber Incidents

The Ponemon Institute and Hewlett-Packard (HP) published the study, “2015 Cost of Cyber Crime Study: Global,” which provides insight into the increasing frequency and costs of cyber attacks against governments and businesses around the world. Specifically, the study examines the “economic impact of cyber attacks and observes cost trends over time” and relies on data taken from 252 organizations in seven countries. Most importantly, the study finds that the most costly cyber crimes are caused by “malicious insiders,” people from within an organization.

For example, the study found cyber attacks committed by malicious insiders cost the responding organizations, on average, $144,542 to resolve. The costs related to malicious insiders exceeded costs related to denial of service attacks, phishing scams and stolen devices. Further, the study found the time required to resolve issues created by malicious insiders greatly exceeded the time to resolve issues related to other attacks. Specifically, time to resolve issues related to malicious insiders (54 days) exceeded web-based attacks (28 days) and denial of service attacks (19 days). While the threat created by malicious insiders has been understood for some time, this study puts these threats into context when measured against other cybersecurity threats.

Matthew Keys’ Conviction Demonstrates Real World Dangers Associated with Malicious Insiders

The findings in the Ponemon/HP Study related to the malicious insiders threat were further supported when earlier this month a former Los Angeles Times reporter was convicted under the Computer Abuse and Fraud Act (CFAA). Matthew Keys was convicted of posting confidential server passwords on a hacker website and urged hackers to “go [expletive] some [expletive] up” on websites maintained by his employer, the Tribune Company. Keys had access to the passwords during his employment. After Keys posted the passwords, a hacker gained access to the Los Angeles Times website and created a fake headline for a story.

While there may be questions as to whether Keys was properly charged and convicted under the CFAA, another important consideration is the fact that he does not fit the mold of a “traditional” hacker. During the criminal trial it became clear that Keys had nothing more than a basic working knowledge of computers and no experience as a “hacktivist.” Costs related to the investigation of the hacks, related vandalism, security issues repairs and lost employee productivity were estimated to be nearly $1 million.

The Greatest Threat Comes from Inside an Organization

The Ponemon/HP Study and Keys’ conviction demonstrate that while large-scale hacks from foreign countries make news, employees continually prove to be the greatest threat to cybersecurity. Monitoring the conduct of employees and former employees continues to be just as important as maintaining cutting-edge technology in order to safeguard data or other valuable information. Further, the difficult question related to the amount of damages Keys actually caused leads into an interesting issue related to cyber insurance.

For example, while Keys’ employer claimed it suffered $1 million in damages, this amount was called into question by Keys because many of the hours logged to fix the damage caused by leaked passwords were attributed to journalists and executives rather than technical staff. This dispute over what costs were justified and attributable to Keys’ conduct illustrates the importance that insurers and insureds have a complete understanding prior to a cyber incident of the costs and damages covered under cyber policies.