# This Is the Hardest Type of Data Breach to Discover. Luckily, It's Preventable

By [Navneet Singh](https://www.paloaltonetworks.com/blog/author/navneet-singh/?ts=markdown "Posts by Navneet Singh") | Sep 12, 2016 | 6 minutes

Categories and tags: [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Insider Threat](https://www.paloaltonetworks.com/blog/tag/insider-threat/?ts=markdown), [misuse](https://www.paloaltonetworks.com/blog/tag/misuse/?ts=markdown), [prevention](https://www.paloaltonetworks.com/blog/tag/prevention/?ts=markdown), [whitepaper](https://www.paloaltonetworks.com/blog/tag/whitepaper/?ts=markdown)

Not all data breaches are created equal. Some cost more, others less. Some are easy to detect, others difficult. As I was reading the [Verizon 2016 Data Breach Investigations Report (DBIR)](http://www.verizonenterprise.com/verizon-insights-lab/dbir/), I was intrigued by the following statement: "Insider incidents are the hardest (and take the longest) to detect. Of all the incidents, these insider misuse cases are the most likely to take months or years to discover."

Months or *years* to discover. Let that sink in for a minute. Who are these insiders? What is their motive? If these incidents take so long to detect, what's the cost to the organization? What can security practitioners do to prevent these kinds of incidents?

I looked at some of the latest research materials and news articles on insider threats as I grappled with these questions. Here's what I learned:

### What is insider and privilege misuse?

An insider is not just the disgruntled Joe who didn't get the raise he was expecting or the shocked Jane who was terminated last week. An insider is anyone who has access to an organization's valuable data. Under that definition, an insider could be an employee, a partner, a third-party vendor, or someone whose access should have been revoked, like a recently terminated employee.
The DBIR states that it could also be a combination of these actors: "The Insider and Privilege Misuse pattern is one of the few that sees collusion between internal and external (or even partner) Actors. [...] this year we had cases where instead of organized crime soliciting insiders to provide banking information, they went to the customer. It was actually external > external collusion to commit fraud."

### Insider and privilege misuse is common

Organizations use a variety of mechanisms to vet trusted insiders before allowing them access to valuable assets. The background check you went through before you were hired, the orientation training you attended, the access denied screen you saw on your browser, and the HR emails about acceptable use policies that you probably never read are all examples of such mechanisms.

Even with these tools in use, insider and privilege misuse is common. The DBIR states that insider and privilege misuse accounted for 10,489 total incidents, 172 with confirmed data disclosure. This equates to one confirmed data breach every other day. Further, if you are in the public, healthcare or finance industry, you are in the top three industries for the occurrence of such a data breach.

Within this category of data breaches, there are several types of incidents, as reported in the DBIR:

[![misuse-1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/09/Misuse-1-500x285.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/09/Misuse-1.png)

### Because this type of data breach takes the longest to detect and resolve, it can also be costly

As I pointed out earlier, this type of breach takes the longest to detect. Months or *years*, if you recall. In addition, it can take the longest to resolve.
[Ponemon Institute's 2015 Cost of Cyber Crime Study: Global](http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report/) measured how long it took to resolve different types of attacks after they were detected.

[![misuse2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/09/misuse2-500x274.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/09/misuse2.png)

The study also measured the cost to the organization for each type of cybercrime. "Time to resolve or contain cybercrimes increases the cost. [...] Of all attack types, malicious insiders had the highest average annualized cybercrime cost weighted by attack frequency, at $144,542."

In its paper [Understanding Insider Threats](http://blogs.gartner.com/anton-chuvakin/2016/05/09/our-understanding-insider-threats-paper-publishes/), based on a large study of 186 organizations, Gartner says that the biggest category of bad insider actors is: "'Second streamers' --- so called because they seek to create a second stream of income or other benefits --- misuse information for monetary or personal rewards."

### Prevention: It starts with you asking these 2 key questions

Wouldn't you like to be the hero who saves your organization from breaches that are so hard to detect and resolve? I would. But how? It really starts with you posing these two key questions to the security team as well as to the organization's leaders -- such that you might prevent these incidents and not have to detect them at all.

1. What assets am I protecting?
2. From whom am I protecting these assets?

As you answer the first question (i.e., the what), keep the following quote from Gartner's Understanding Insider Threats paper in mind: "Identify your organization's 'crown jewels' --- information and services that are critical to meeting strategic business objectives."
Two points in the quote above are worth emphasizing:

* You may be protecting both information and services. Information could exist in the form of documents that may be physical or virtual, source code, people (yes, often people have key information that is not actually contained in documents), emails, and so on. Services are specific to your industry; for example, online trading, healthcare, research and hospitality services.
* Prioritize the information and services based on their criticality in meeting your strategic business objectives. Put simply, if an asset were to disappear tomorrow, would the core of your business continue to function? If yes, the asset doesn't belong in the list of critical information and services.

As you move to the second question (i.e., the who), remember that an insider isn't necessarily the pointy-haired boss (someone with special privileges) or the competent engineer. From the DBIR: "When their roles were classified in the incident, almost one third were found to be end users who have access to sensitive data as a requirement to do their jobs. Only a small percentage (14%) are in leadership roles (executive or other management), or in roles with elevated access privilege jobs such as system administrators or developers (14%). The moral of this story is to worry less about job titles and more about the level of access that every employee has (and your ability to monitor them). At the end of the day, keep up a healthy level of suspicion toward all employees."

I suggest you write down your own answers to the above questions --- the what and the who --- and then get the leaders in your organization to review your answers to make sure your understanding is accurate. With these reviews, a real danger is that the list of assets gets unwieldy. Remember the earlier point I made about criticality? Use it to keep the list manageable.
### Call to action for all security practitioners

First, educate yourself and your users on the insider threat landscape. Here are some useful resources:

* [Verizon 2016 Data Breach Investigations Report](http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/)
* [Ponemon Institute's 2015 Cost of Cyber Crime Study: Global](http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report/)
* [Gartner Understanding Insider Threats, May 2016](https://www.gartner.com/doc/3303117/understanding-insider-threats) (must be a Gartner client to access)

In a follow-up blog post, I will cover the 5 steps for preventing insider and privilege misuse.

### Call to action for the Palo Alto Networks security practitioners

[Read this tech tips white paper](https://www.paloaltonetworks.com/resources/whitepapers/best-practices-user-id) to discover a step-by-step approach for enabling User-ID™ technology.