The Ponemon Institute recently issued its 2020 Cost of Insider Threats Global Report (Report), which finds that the frequency and cost of insider threats continues to increase. Sponsored by ObserveIT and IBM, the 2020 Report is the third consecutive one to study insider threats and their impact on businesses in terms of frequency, cost, and time to recover. “Insider threats” are defined as:
- A careless or negligent employee or contractor
- A criminal or malicious insider or
- A credential thief.
According to the Report, the “key takeaway is that, across all three insider threat types…both the frequency and cost of insider threats have increased dramatically over the course of two years….the overall cost of insider threats is rising , with a 31 percent increase from $8.76 million in 2018…to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47 percent in just two years, from 3,200 in 2018…to 4,700 in 2020.This data shows that insider threats are still a lingering and often under-addressed cybersecurity threat within organizations, compared with external threats.”
Although negligent insiders caused more incidents than any other type (62 percent of all incidents), credential theft actually cost companies the most. The average cost of an insider threat incident caused by a negligent or careless employee is $307,111, while the theft of users’ credentials cost an average of $871,686, and the theft of privileged users’ credentials (25 percent of all incidents) cost an average of $2.79 million. Criminal and malicious insiders (14 percent of all incidents) cost organizations an average of $756,760 per incident.
A significant cost associated with insider threats is attributable to the investigation of the incident, which includes monitoring and surveillance, incident response, containment and remedial actions. The average cost of the investigation following an insider threat increased 38 percent over the past two years, to $103,798.
In addition, the Report states that “it takes an average of 77 days to contain each insider threat incident. Only 13 percent of incidents were contained in less than 30 days.” The fastest growing industries for insider threat included the retail industry and financial services.
The Report outlines several risk factors that companies may wish to consider in determining the risk for an insider threat, which include: 1) employees are not trained on laws or regulatory requirements related to their work that affects the organization’s security; 2) employees are unaware of steps to take so their devices are secured; 3) employees are sending highly confidential data to an unsecured location in the cloud; 4) employees break the company’s security policies to simplify tasks; and 5) employees expose the organization to risk if they are not keeping devices patched and upgraded.
These are valuable tips for companies to consider when allocating resources to invest in cybersecurity. Employees and insider threats continue to top the list of risks, and providing employees and contractors with education and tools, and implementing measures to catch malicious or criminal insiders are important components of a risk management program.