Recently revised guidelines by the Office of the Australian Information Commissioner (OAIC) on the reasonable steps it expects organisations to take to combat insider threats underline concerns about the growing incidence of this attack type.

According to Gartner's research director for security, privacy and risk, Rob McMillan, the OAIC advice - when taken in the right spirit - would be found to be "very constructive" by businesses.

"The fact you've now got some advice from the OAIC saying, 'If we have to investigate you - if there's a data breach and we're called in to make a judgment, here are the sorts of things we would look at to see if you took reasonable steps' - at least you don't have to make decisions or assessments about what's reasonable in a complete vacuum," he said.

The OAIC's revisions are the latest in a series of postures adopted by the Government and its agencies on the insider threat phenomenon.

In September 2014, the Commonwealth's protective security policy framework (PSPF) was updated to reflect the access controls and vetting needed to minimise the threat posed by insiders potentially leaking classified material, as occurred with Edward Snowden and Chelsea Manning.

The Government also last year published a "personnel security handbook" for business on managing insider threats, and secured the passage of national security laws that increased penalties for intelligence insiders who leaked information about "secret operations".

By the numbers

Under 10 percent of Australian organisations feel "safe" from insider attacks, according to a recent report by analyst firm Ovum for data security vendor Vormetric; by contrast, only one in five said they felt "vulnerable" to an inside attack.

Most of the organisations surveyed by Ovum indicated that insider attacks hadn't become any easier to detect with the passing of time; almost half of respondents said the difficulty in detecting these attacks was increasing.

As for who to watch, the answer was 'everyone': everyday users, third-party contractors, business partners and even IT administrators.

Verizon's annual data breach investigations report provides a global view of the challenge of dealing with "insider misuse". Its most recent report notes that "privilege misuse" is by far the top threat available to an insider. Most incidents - over 70 percent - occurred while employees were in the office, "right under the noses of co-workers", and the motivations were mostly "financial", although espionage or a grudge were also among the top reasons for an insider attack.

"We've seen the insider threat moving up steadily since 2009," Verizon's chief security architect for Asia Pacific, Jason Whyte, told Information Age.

Despite the findings on intent, Gartner's McMillan is quick to point out that not all insider attacks involve malicious intent.

"When we're talking about insider threats, we're assuming this is a motivated person who's deliberately doing some activity," McMillan said.

"But that's a different scenario from the innocent person who is just trying to do their job who might have some accident or misadventure that might lead to a breach.

"This is where two breaches that might look the same can be completely different depending on the state of mind of the person involved."

Even with the attention paid to insider threats, only 19 percent of respondents to accounting firm EY's global information security survey (GISS) said they planned to spend more to combat it. Most were content to put their money towards combating other threats, such as those posed by increased cloud compute usage.

Whyte saw legislative compliance as a key driver for investment to combat insider threats. He noted that investment in technology shouldn't come first.

"What we see is organisations spending a lot of money on technology to try and mitigate the threat, whereas what they should be doing is spending money on putting really good policies, procedures and controls in place, and building strong governance frameworks around how they provide access [to corporate systems]," he said.

Culture shock

Fines and reputation damage aside, other lasting impacts of an insider breach include damage to an organisation's culture and collateral damage to co-workers, according to Gartner's McMillan.

"One of your own has undermined what everyone else was trying to achieve," he said. "That immediately demoralises the people around them and it can also throw suspicion on the people around them.

"It's not just about the insider attacking 'the organisation', they're actually damaging the people around them as well, their own colleagues.

"From a cultural perspective that's quite damaging."