Another problem is that dealing with employees, whether negligent or malicious, requires a different set of processes than battling external threats, said Mike Tierney, COO at Vero Beach, FL-based SpectorSoft Corp., which sponsored the SANS study.
"It requires a different team, a different way of handling things because you're dealing with employees inside your company, and they have legal rights," he said.
Both prevention and response can require action by human resources, legal and other company departments, not just IT.
Tierney recommends that information security managers reach out to those departments, not just after a breach occurs, but proactively, to help prevent them.
For example, if an employee applied for a promotion and was rejected, or a salesperson was put on a performance plan but was about to miss their targets and be fired, these could be early indicators of potential problems.
For privacy reasons, human resources may not be able to provide the details of each situation.
"But they could say that there's elevated risk," Tierney said. IT can then respond by raising its own awareness of that particular employee.
"I think that can go a long way," he said.
How big a problem are insiders, anyway?
Both of the new surveys, however, go counter to other studies about the causes of security breaches.
For example, according to Verizon, internal actors were responsible for an average of 11 percent of all breaches in 2010, 2011, 2012 and 2013. Partners were responsible for less than 1 percent of breaches.
According to Tierney, that's because a lot of the insider cases are being missed.
"Seventy-five percent of insider crimes go unreported or are not prosecuted," he said.
In fact, according to last year's CERT report, 75 percent of companies handled insider threats internally without any legal action, and only 10 percent involved law enforcement; most of the remainder handled incidents through internal legal action.