Insider Cybersecurity Threat Costs Climb

A new study from Ponemon Institute, “2020 Cost of Insider Threats: Global,” presented a dramatic upsurge in both the average cost and frequency of insider threats since 2018.

According to the study, commissioned by Proofpoint (via ObserveIT) and IBM, over the last two years, the average worldwide cost from insider threats climbed by 31% from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents has increased by 47% in just two years, from 3,200 in 2018 (Ponemon) to 4,700 in 2020. “This data shows that insider threats are still a lingering and often under-addressed cybersecurity threat within organizations, compared with external threats,” the study said.

Researchers at Ponemon Institute spoke with 964 IT and security practitioners at 204 organizations with a global headcount of 1,000 or more in North America, Europe, the Middle East, Africa and Asia-Pacific. The study identified 4,716 insider-caused incidents across all organizations in the past 12 months.

Ponemon Institute studied three types of insider threat profiles:

• Negligent insiders, or employees or contractors who make mistakes that unintentionally cause incidents.
• Criminal and malicious insiders, or those who intentionally cause damage to an organization from the inside.
• Credential thieves, or those who target insiders’ login information to gain unauthorized access to applications and systems.

Of the three profiles, credential thieves caused the most damage per incident, costing organizations an average of $871,000 per incident — three times more per incident than a negligent insider. However, the frequency of credential theft was 25% of all incidents, which limited the average annual cost to $2.79 million per year.

“Many people mistakenly think all insider threats are malicious,” the report revealed. “It turns out insider incidents are even more likely to be caused by negligent employees or contractors.” The report confirmed organizations spend more annually to deal with negligent insiders than any other threat profile, but their cost per incident is far lower. “To contrast, credential thieves cost organizations nearly three times more per incident than accidental insider threats, even though their annual their frequency is lower.”

Negligent insiders account for 62% of all incidents, costing organizations the most in total per year – an average of $4.58 million. Even though criminal insiders dominate the headlines, their frequency was the lowest of all three profiles, at 14% of incidents. However, their per-incident cost of $756,000 is difficult for organizations to ignore, accounting for a total of $4.08 million in average losses per year.

The financial services industry, which include banking, insurance, investment management and brokerage, accumulated the highest average insider threat annual costs at $14.5 million, a 20.3% increase over the past two years. Headcount drives the cost of insider threats, with large organizations (of more than 75,000) spending an average of $17.92 million, and smaller organizations (under 500) spending an average of $7.68 million on insider threats. By comparison insider threats cost the energy and utilities sector $11.54 million (a 12.8% increase) and retail $10.24 million (a 38.2% rise).

The highest overall cost center for organizations is containment, at an average of $211,533 per company annually. Containment activities focus on stopping or lessening the impact of incidents or attacks. The fastest-growing cost center is investigations, costing organizations 86% more than they did only three years ago. Investigations help organizations uncover the source, scope and magnitude of one or more incidents.

As with the 2018 report, this year’s data indicated that the longer an incident lingers, the costlier it gets. The average incident takes 77 days to contain. Incidents that took more than 90 days to contain cost organizations an average of $13.71 million on an annualized basis.

The report suggested organizations build a culture of cybersecurity. More importantly, they should help insiders understand how security policies affect their day-to-day work. If mistakes do happen, treat them as opportunities to course-correct behavior and help employees or contractors learn about better alternatives.

“Whether they are caused accidentally or maliciously, insider threat incidents cannot be mitigated with technology alone. Organizations need an insider threat management program that combines people, processes and technology to identify and prevent incidents within the organization,” the report concluded.