
Insider Security Threat Costs up 40% in 4 Years

The average annual cost of insider security threats has increased by 40% in 4 years to $16.2 million per organization, according to the 2023 Cost of Insider Risks Report from DTEX Systems.

This is the fifth year that DTEX Systems has run its insider threat benchmark study to measure the financial consequences of insider risks. This year the survey was conducted by the Ponemon Institute and covered 1,075 IT and IT security professionals at organizations with 500 to 75,000 employees in North America, Africa, the Middle East, and the Asia-Pacific region.

Insider risks are classified as malicious or non-malicious. Malicious incidents are caused by insiders who intend to cause harm and include espionage, IP theft, unauthorized disclosures, fraud, sabotage, and workplace violence. Non-malicious incidents fall into three groups: negligent incidents, where harm results from carelessness or inattentiveness such as ignoring warnings; mistaken incidents, where the error was not careless; and incidents where a non-malicious insider was outsmarted by an adversary, for example through phishing or BEC attacks that had not previously been seen in the wild.

Over the past 12 months, the respondents experienced a total of 7,343 insider incidents, up from 6,803 incidents in 2022. A total of 309 organizations experienced one or more insider incidents, with an average of 24 incidents per organization per year. The biggest direct costs from these incidents are containment and remediation, at an average of $179,209 and $125,221 per incident respectively. The average time to contain an insider incident rose from 85 days in 2022 to 86 days in 2023, and longer containment translates directly into higher costs: incidents that took longer than 91 days to contain cost an average of $18.33 million.


Non-malicious insiders were responsible for 75% of incidents: 55% were caused by negligent or mistaken insiders, and 20% involved employees being outsmarted by adversaries. Outsmarting insiders is a go-to tactic for adversaries seeking to steal credentials and gain initial access to internal networks and data; incidents of this type cost organizations an average of $4.2 million per year. The remaining 25% of incidents involved malicious insiders, and while these are less common, they are the costliest to resolve, at an average of $701,500 per incident.

“The upward trends associated with incident costs, frequency, and time to contain demonstrate that current approaches to insider risk are simply not working,” explained DTEX Systems in the report. “In fact, the numbers clearly show that we are going backward.” One of the main problems is that insufficient funding is directed to insider risk management, owing to a poor understanding of insider risks and of the early warning behaviors through which they manifest. DTEX Systems suggests that a whole-of-industry approach is required to educate enterprises and government entities and to find common ground on how insider risks are defined and discussed.

There is some good news, however. Organizations are starting to appreciate the importance of improving insider risk management: 77% of surveyed organizations said they have started, or are planning to start, an insider risk management program, and many are seeking executive buy-in to secure the necessary funding. Respondents rated top-down support as the most critical element of an insider risk management program, and 51% rated a dedicated insider risk management team, with members drawn from legal, HR, security, and the lines of business, as important.

Currently, around 8.2% of IT security budgets are directed toward insider risk management, and 88% of organizations spend less than 10% of their IT security budgets on insider threats. Of the respondents, 58% admit this is not sufficient to solve a problem that is costing $16.2 million a year; however, organizations are realizing that greater investment in insider risk management is necessary, and 46% expect their insider risk management budgets to increase next year. DTEX Systems believes change is on the way, with organizations increasingly acknowledging the need to focus on the human element and to move the needle from reactive to proactive.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
