Skip to content

Menu

LexBlog, Inc. logo
CommunitySub-MenuPublishersChannelsProductsSub-MenuBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAboutContactResourcesSubscribeSupport
Join
Search
Close

Frequency and Cost of Insider Threats Continue to Increase

By Linn Foster Freedman on February 10, 2020
Email this postTweet this postLike this postShare this post on LinkedIn

The Ponemon Institute recently issued its 2020 Cost of insider Threats Global Report, which finds that the frequency and cost of insider threats is continued to increase. Sponsored by ObserveIT and IBM, the 2020 report is the third consecutive report that studies insider threats and their impact on businesses in terms of frequency, cost and time to recover. “Insider threats are defined as:

  • A careless or negligent employee or contractor
  • A criminal or malicious insider or
  • A credential thief.”

According to the Report, the “key takeaway is that, across all three insider threat types…both the frequency and cost of insider threats have increased dramatically over the course of two years….the overall cost of insider threats is rising , with a 31 percent increase from $8.76 million in 2018…to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47 percent in just two years, from 3,200 in 2018…to 4,700 in 2020.This data shows that insider threats are still a lingering and often under-addressed cybersecurity threat within organizations, compared with external threats.”

Although negligent insiders caused more incidents than any other type (62 percent of all incidents), credential theft cost companies the most. The average cost of an insider threat incident caused by a negligent or careless employee is $307,111, while in contrast, the theft of users’ credentials cost an average of $871,686, and the theft of privileged users’ credentials (25 percent of all incidents) cost an average of $2.79 million. Criminal and malicious insiders (14 percent of all incidents) cost organizations an average of $756,760 per incident.

A significant cost associated with insider threats is attributed to the investigation of the incident, which includes monitoring and surveillance, incident response, containment and remedial actions. The average cost of the investigation following an insider threat increased 38 percent over the past two years to $103,798.

In addition, the Report states that according to the survey results, “it takes an average of 77 days to contain each insider threat incident. Only 13 percent of incidents were contained in less than 30 days.” The fastest growing industries for insider threat included the retail industry and financial services.

The Report outlines several risk factors that companies may wish to consider in determining the risk for an insider threat, which include: 1) employees are not trained on laws or regulatory requirements related to their work that affects the organization’s security; 2) employees are unaware of steps to take so their devices are secured; 3) employees are sending highly confidential data to an unsecured location in the cloud; 4) employees break the company’s security policies to simplify tasks; and 5) employees expose the organization to risk if they are not keeping devices patched and upgraded.

These are valuable tips for companies to consider when determining resources to invest in cybersecurity. Employees and insider threats continue to top the list of risks, and providing employees and contractors with education and tools, and implementing measures to catch malicious or criminal insiders are important components of a risk management program.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chair’s the firm’s Data Privacy and Security Team. Linn focuses her practice on…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chair’s the firm’s Data Privacy and Security Team. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Read more about Linn Foster FreedmanEmail
Show more Show less
  • Posted in:
    Intellectual Property
  • Blog:
    Data Privacy + Cybersecurity Insider
  • Organization:
    Robinson & Cole LLP
  • Article: View Original Source

LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center

New to the Network

  • Boston ERISA & Insurance Litigation Blog
  • Stridon News and Insights
  • Taft Class Action & Consumer Insights
  • Labor and Employment Law Insights
  • Age of Disruption
Copyright © 2022, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo