Monthly Archives: October 2023

Cost Of Insider Risks Global Report — 2023

Ponemon Institute is pleased to present the findings of the 2023 Cost of Insider Risks: Global study. Sponsored by DTEX, this is the fifth benchmark study conducted to understand the financial consequences of insider threats caused by careless or negligent employees or contractors, criminal or malicious insiders or credential thieves. As revealed in this research, organizations face increasing costs to respond to insider security incidents. Moreover, the time to contain an incident has not improved — it takes an average of 86 days to contain. In 2022 the time to contain the incident was 85 days. Only 13 percent of incidents were contained in less than 31 days.

This cost study is unique in addressing the core systems and business process-related activities that drive a range of expenditures associated with a company’s response to insider negligence and criminal behaviors. In this research, we define an insider-related incident as one that results in the diminishment of a company’s core data, networks or enterprise systems. It also includes attacks perpetrated by external actors who steal the credentials of legitimate employees/users (i.e., imposter risk).

The first study was conducted in 2016 and focused exclusively on companies in North America. Since then, the research has been expanded to include organizations in Europe, Middle East, Africa and Asia-Pacific with a global headcount of 500 to more than 75,000. In this year’s study, we interviewed 1,075 IT and IT security practitioners in 309 organizations that experienced one or more material events caused by an insider. A total of 7,343 insider incidents are represented in this research.

The most prevalent insider security incident is caused by careless or negligent employees.

According to the findings, 55 percent of incidents experienced by organizations represented in this research were due to employee negligence, and the average annual cost to remediate these incidents was $7.2 million. Less frequent are incidents involving criminal or malicious insiders (25 percent of incidents) and credential theft (20 percent of incidents). However, these incidents are more costly on a per-incident basis, at $701,500 and $679,621, respectively.

As shown in this research, the cost of insider risk varies significantly based on the type of incident. The activities that drive costs are monitoring & surveillance, investigation, escalation, incident response, containment, ex-post analysis and remediation.

The following are the most salient findings from this research.

The negligent insider is the root cause of most incidents. The average number of negligent insider incidents is 14 in this year’s study. There are a variety of reasons employees can put their organizations at risk. These include not ensuring their devices are secured, not following the company’s security policy, and forgetting to patch and upgrade to the latest version.

Malicious insiders accounted for an average of 6.2 incidents, with an average cost per incident of $701,500. In the context of this research, malicious insiders are employees or authorized individuals who use their data access for harmful, unethical or illegal activities. Because of their potentially wider access to an organization’s sensitive and confidential data, incidents caused by malicious insiders are harder to detect than those caused by external attackers or hackers.

Credential theft incidents average $679,621 per incident. The intent of the credential thief is to steal users’ credentials that will grant them access to critical data and information. These attackers commonly use phishing.

Insider security incidents are increasing. According to the 2023 research, 71 percent of companies are experiencing between 21 and more than 40 incidents per year. This is an increase from 2022, when 67 percent of companies reported between 21 and more than 40 incidents.

Privileged access management (PAM) and user training and awareness are shown to reduce the cost of insider risk. The research analyzed the impact security technologies and activities can have on reducing costs. PAM can save an average of $5.9 million. User training and awareness programs can save $5.4 million and SIEM reduces the cost by $4.3 million.

Disruption or downtime and direct and indirect labor represent the most significant costs when dealing with insider threats. Investments in technology, which include the amortized value and licensing for software and hardware deployed in response to insider-related incidents, are the third most significant cost.

Companies spend the most on containment of the insider security incident. An average of $179,209 is spent to contain the consequences of an insider threat. The lowest average costs are for escalation ($29,794) and monitoring and surveillance ($33,596). Incidents that took less than 30 days to contain had the lowest average total cost of activities at $11.92 million. In contrast, average activity costs for incidents that take more than 90 days are $18.33 million.

North American companies are spending more than the average cost on activities that deal with insider threats. The total average cost of activities to resolve insider threats over a 12-month period is $16.2 million. Companies in North America experienced the highest total cost at $19.09 million. European companies had the next highest cost at $17.47 million.

Financial services and services have the highest average activity costs. The average activity cost for financial services is $20.68 million and services is $19.63 million.

Organizational size affects the cost. The cost of incidents varies according to organizational size. Large organizations with a headcount of more than 75,000 spent an average of $24.60 million over the past year to resolve insider-related incidents. To deal with the consequences of an insider incident, smaller-sized organizations with a headcount below 500 spent an average of $8 million.

Interviews with participants in this research revealed the following insights into insider threats.

In addition to determining the cost of insider threats for companies in this research, we interviewed participants about their experiences with the threat and what they are doing to reduce risks.

The insider threat continues to pose the greatest threat to organizations. Fifty-five percent of insider risks were caused by employee negligence. Of these organizations, 75 percent of respondents say the most likely cause of insider threat is a negligent insider who caused harm through carelessness or inattentiveness (15 percent), a mistaken insider who caused harm through a genuine mistake (35 percent), or an outsmarted insider who was exploited by an external attack or adversary (25 percent).

Sales and customer service are the roles or functions that pose the greatest insider risks (48 percent and 47 percent, respectively). Functions that pose the least risk are IT and legal third-party contractors (23 percent and 29 percent, respectively).

Malicious insiders were most likely to email sensitive data to outside parties (67 percent). They are also very likely to access sensitive data not associated with their role or function (66 percent) and to scan for open ports and vulnerabilities (63 percent).

Cloud and IoT devices are most likely to be the channels where insider-driven data loss occurred (59 percent and 56 percent, respectively). Less likely are corporate-owned endpoints (41 percent) and BYOD endpoints (43 percent). IoT and cloud are the channels of most concern to organizations (65 percent and 61 percent, respectively).

Malware and social engineering attacks were most likely to cause a non-insider attack that resulted in a data breach (56 percent and 53 percent, respectively). In the past 12 months, 58 percent of organizations had a minimum of two non-insider attacks which caused a data breach. Malware is considered the most important attack to prevent (65 percent of organizations).

More organizations believe the use of AI and machine learning is important to reducing insider threats. Sixty-four percent of respondents believe AI and machine learning are essential (33 percent) or very important (31 percent) to preventing, investigating, escalating, containing and remediating insider incidents. This is a significant increase from 54 percent of organizations in 2022. Sixty-one percent say automation is essential (38 percent) or very important (23 percent) to managing insider risks.

Reduction in incidents is the top metric for measuring the success of insider risk efforts and programs (50 percent). This is followed by assessment of insider risks (40 percent) and length of time to resolve the incident (38 percent).

Five signs that your organization is at risk

  • Employees are not trained to fully understand and apply laws, mandates, or regulatory requirements related to their work and that affect the organization’s security.
  • Employees are unaware of the steps they should take to ensure that the devices they use—both company issued and BYOD—are secured at all times.
  • Employees are sending highly confidential data to an unsecured location in the cloud, exposing the organization to risk.
  • Employees break your organization’s security policies to simplify tasks.
  • Employees expose your organization to risk if they do not keep devices and services patched and upgraded to the latest versions at all times.

To read the full report, visit the DTexSystems.com website.

A warning from historians: AI is going to create a lot of ‘sh*& jobs’

Bob Sullivan

We’ve all had the maddening experience of being shuttled off to a mindless chatbot when we need real customer service help. Few things can raise your blood pressure like a nonsensical automated response designed as a stall tactic when you have a real crisis on your hands.

I hope you all realize this is the world we are hurling madly towards with all the mindless promotion of AI we’ve seen lately. Since the advent of automated voice response systems, consumers have been swearing into their phones while corporations have engaged in a cynical race to the bottom. Make cost centers like customer service cheaper, and profits increase. Make consumers capitulate because of artificial, frustrating hurdles, and profits increase. That’s unchecked, broken-market capitalism in action. Gotcha Capitalism, fueled by bots. That’s not an opinion, it’s a fact. Take a flight pretty much anywhere in America now and you’ll see what Big Data, and advanced analytics, and AI, or whatever other fancy tech marketing term you throw at it, has done to us. The race to the bottom is so real that we’ve become numb even to airline crash near-misses.

And so I want to talk today about another crash-landing that’s coming – one that’s predictable, but preventable if we act.

A billion useless people.

Yes, AI is coming for our (good) jobs. And no, despite what some ivory tower economists like to say, it’s not a given that we’ll simply replace those jobs with even better jobs.

A billion useless people was the headline of one of my favorite stories. In it, I discussed a simple dinner-party question: What job do you hope your son or daughter trains for? At least if your sensible parental goal was a comfortable life, that would have been a fairly easy question to answer a generation or so ago, but today? Doctor? Lawyer? Pilot? Professor? Software engineer? Ask a few of them and you might be surprised.

The real cause of tension should be a wide-ranging study conducted by Oxford University I wrote about in a similar piece. The study ranked 700 jobs in terms of their potential for automated replacement or “computerization.” How likely is this kind of worker to be replaced by a robot? The results were stunning. Many people like to think fast food workers have the most to lose from robots. In reality, it might be lawyers. Plenty of today’s high-paying, white-collar jobs are filled with rote tasks that robots are very good at. Knowledge workers have long convinced themselves they aren’t as replaceable as hamburger chefs. They’re wrong. If you’ve ever been bored at work, there’s a robot coming for your job.

On a micro scale, you should feel personally threatened. On a macro scale, this is a real threat to social order. A billion useless people are going to get very angry, and the resulting unrest should scare everyone. We must start thinking now about what to do with people when a large percentage of adults don’t have anything productive to do with their lives.

I wrote all that seven years ago, before ChatGPT was a twinkle in a programmer’s eye. Maybe you think I’m exaggerating, but Goldman Sachs published a report earlier this year estimating that “generative AI could expose the equivalent of 300 million full-time jobs to automation.”

So, this concerning future is coming — fast. CNBC published a story this week with similar speculation about the future of the job market, and I recommend you read it. There are some great comparisons in the story from labor market historians. Sure, there will still be some kind of higher-order jobs in a world of AI — someone has to “prompt” ChatGPT, right? — but the scale of job destruction could be immense. Here’s one comparison offered by Felix Koenig, assistant professor of economics at Carnegie Mellon University: Just about 100 years ago, audio tracks were introduced into silent movies, putting a generation of local musicians out of work — until then, orchestras would accompany the moving pictures. Once “talkies” were invented, a single musician could play a soundtrack, that audio could be recorded, and replayed millions of times in theatres around the world — eliminating 99.9% of the jobs for movie musicians. That one musician is still paid pretty well, but the rest are now out of luck.

And so it will be with AI. On the one hand, there will be a race to get a plum job as a robot programmer. There could be a few big winners and then a lot of losers. Our economy currently favors that structure, and this is a great risk.

What worries me more is that people will be left to do jobs that are considered too expensive for robot labor. Garbage collection in messy cities, for example. Or maybe flipping hamburgers. After all, robots require free health care — they have to be repaired. People don’t. Let’s just call them “sh&t jobs,” which is what Jason Resnikoff, history professor, told CNBC.

This future is not yet written. Yes, in the past society endured — thrived, really — when physically challenging farm jobs turned into urban paper-pushing jobs. That kind of retraining doesn’t happen by accident, however. In between those two events in America, we created a thriving college system and passed the GI Bill so millions could be trained without going into debt. Today, such a massive initiative seems out of the question.

I believe the coming future offers great possibilities. I think the future will bring revenge of the artists, and revenge of the caring souls. AI will not create great original art (though it will certainly rip off existing art). And it will not inspire people recovering from strokes to endure the challenges of physical therapy. Therapists and artists have a bright future. Human inspiration and originality might finally get their just rewards. That’s what the Oxford study suggested.

But not everyone can do those things. And we must prepare now for this reality. AI is as much hype as it is reality — every time you hear AI, just think “Cloud” or “Internet 3.0” or whatever marketing term you like. But one thing will happen, I promise: corporations will figure out how to drive costs down in the name of artificial intelligence, and the race to the bottom will continue unabated, unless we do something to stop it. Airlines will keep ripping off consumers until there are rules against it, and until there is real competition. TV studios will generate boring shows based on search queries unless creativity is protected by labor rules. And so on.

Each time you have an insane interaction with an automated customer service tool, you are seeing a glimpse of the future. Trust me, this is a future we want to stop before it’s too late.