Ponemon Institute is pleased to present the findings of the 2023 Cost of Insider Risks: Global study. Sponsored by DTEX, this is the fifth benchmark study conducted to understand the financial consequences of insider threats caused by careless or negligent employees or contractors, criminal or malicious insiders or credential thieves. As revealed in this research, organizations face increasing costs to respond to insider security incidents. Moreover, the time to contain an incident has not improved — it takes an average of 86 days to contain. In 2022 the time to contain the incident was 85 days. Only 13 percent of incidents were contained in less than 31 days.
This cost study is unique in addressing the core systems and business process-related activities that drive a range of expenditures associated with a company’s response to insider negligence and criminal behaviors. In this research, we define an insider-related incident as one that results in the diminishment of a company’s core data, networks or enterprise systems. It also includes attacks perpetrated by external actors who steal the credentials of legitimate employees/users (i.e., imposter risk).
The first study was conducted in 2016 and focused exclusively on companies in North America. Since then, the research has been expanded to include organizations in Europe, the Middle East, Africa and Asia-Pacific with a global headcount of 500 to more than 75,000. In this year’s study, we interviewed 1,075 IT and IT security practitioners in 309 organizations that experienced one or more material events caused by an insider. A total of 7,343 insider incidents are represented in this research.
The most prevalent insider security incident is caused by careless or negligent employees.
According to the findings, 55 percent of incidents experienced by organizations represented in this research were due to employee negligence, and the average annual cost to remediate these incidents was $7.2 million. Less frequent are incidents involving criminal or malicious insiders (25 percent of incidents) and credential theft (20 percent of incidents). However, these incidents are more costly, with an average cost per incident of $701,500 and $679,621, respectively.
As shown in this research, the cost of insider risk varies significantly based on the type of incident. The activities that drive costs are monitoring & surveillance, investigation, escalation, incident response, containment, ex-post analysis and remediation.
The following are the most salient findings from this research.
The negligent insider is the root cause of most incidents. The average number of negligent insider incidents is 14 in this year’s study. There are a variety of reasons employees can put their organizations at risk. These include not ensuring their devices are secured, not following the company’s security policy, and forgetting to patch and upgrade to the latest version.
Malicious insiders accounted for an average of 6.2 incidents, with an average cost per incident of $701,500. In the context of this research, malicious insiders are employees or authorized individuals who use their data access for harmful, unethical or illegal activities. Because of their potentially wider access to an organization’s sensitive and confidential data, incidents caused by malicious insiders are harder to detect than those caused by external attackers or hackers.
Credential theft incidents average $679,621 per incident. The intent of the credential thief is to steal users’ credentials that will grant them access to critical data and information. These attackers commonly use phishing.
Insider security incidents are increasing. According to the 2023 research, 71 percent of companies experience 21 or more incidents per year (ranging from 21 to more than 40). This is an increase from 67 percent of companies in 2022.
Privileged access management (PAM) and user training and awareness are shown to reduce the cost of insider risk. The research analyzed the impact security technologies and activities can have on reducing costs. PAM can save an average of $5.9 million. User training and awareness programs can save $5.4 million and SIEM reduces the cost by $4.3 million.
Disruption or downtime and direct and indirect labor represent the most significant costs when dealing with insider threats. Investment in technology, which includes the amortized value and licensing of software and hardware deployed in response to insider-related incidents, is the third most significant cost.
Companies spend the most on containment of the insider security incident. An average of $179,209 is spent to contain the consequences of an insider threat. The lowest average costs are for escalation ($29,794) and monitoring and surveillance ($33,596). Incidents that took less than 30 days to contain had the lowest average total cost of activities at $11.92 million. In contrast, the average activity cost for incidents that took more than 90 days to contain was $18.33 million.
North American companies are spending more than the average cost on activities that deal with insider threats. The total average cost of activities to resolve insider threats over a 12-month period is $16.2 million. Companies in North America experienced the highest total cost at $19.09 million. European companies had the next highest cost at $17.47 million.
Financial services and services have the highest average activity costs. The average activity cost for financial services is $20.68 million and services is $19.63 million.
Organizational size affects the cost of incidents. Large organizations with a headcount of more than 75,000 spent an average of $24.60 million over the past year to resolve insider-related incidents. To deal with the consequences of an insider incident, smaller organizations with a headcount below 500 spent an average of $8 million.
Interviews with participants in this research revealed the following insights into insider threats.
In addition to determining the cost of insider threats for companies in this research, we interviewed participants about their experiences with the threat and what they are doing to reduce risks.
The insider threat continues to pose the greatest threat to organizations. Fifty-five percent of insider risks were caused by employee negligence. Among these organizations, 75 percent of respondents say the most likely cause of an insider threat is a negligent insider who caused harm through carelessness or inattentiveness (15 percent), a mistaken insider who caused harm through a genuine mistake (35 percent), or an outsmarted insider who was exploited by an external attack or adversary (25 percent).
Sales and customer service are the roles or functions that pose the greatest insider risks (48 percent and 47 percent, respectively). The functions that pose the least risk are IT and legal third-party contractor (23 percent and 29 percent, respectively).
Malicious insiders were most likely to email sensitive data to outside parties (67 percent). They are also very likely to access sensitive data not associated with their role or function (66 percent) and to scan for open ports and vulnerabilities (63 percent).
Cloud and IoT devices are the channels where insider-driven data loss most often occurred (59 percent and 56 percent, respectively). Less likely are corporate-owned endpoints (41 percent) and BYOD endpoints (43 percent). IoT and cloud are also the channels of most concern to organizations (65 percent and 61 percent, respectively).
Malware and social engineering attacks were the most likely non-insider attacks to cause a data breach (56 percent and 53 percent, respectively). In the past 12 months, 58 percent of organizations had at least two non-insider attacks that caused a data breach. Malware is considered the most important attack to prevent (65 percent of organizations).
More organizations believe the use of AI and machine learning is important to reducing insider threats. Sixty-four percent of respondents believe AI and machine learning are essential (33 percent) or very important (31 percent) to preventing, investigating, escalating, containing and remediating insider incidents. This is a significant increase from 54 percent of organizations in 2022. Sixty-one percent say automation is essential (38 percent) or very important (23 percent) to managing insider risks.
Reduction in incidents is the top metric for measuring the success of insider risk efforts and programs (50 percent). This is followed by assessment of insider risks (40 percent) and length of time to resolve the incident (38 percent).
Five signs that your organization is at risk
- Employees are not trained to fully understand and apply laws, mandates, or regulatory requirements related to their work and that affect the organization’s security.
- Employees are unaware of the steps they should take to ensure that the devices they use—both company issued and BYOD—are secured at all times.
- Employees are sending highly confidential data to an unsecured location in the cloud, exposing the organization to risk.
- Employees break your organization’s security policies to simplify tasks.
- Employees expose your organization to risk if they do not keep devices and services patched and upgraded to the latest versions at all times.