January 27, 2020 By Larry Ponemon 4 min read

Today, I’m pleased to share some of the key findings from the 2020 Cost of Insider Threats Global Report. This is the third benchmark study, independently sponsored by IBM Security and ObserveIT to help understand the direct and indirect costs that result from insider threats. The first study was conducted in 2016 and focused exclusively on companies in the U.S.

In the 2020 study, we interviewed companies located in North America, Europe, the Middle East and the Asia-Pacific region. In the context of this research, an insider threat is defined as:

  • a careless or negligent employee or contractor,
  • a criminal or malicious insider, or
  • a credential thief.

This year, we interviewed 964 IT and security practitioners at 204 enterprise organizations to understand the costs associated with each of the three insider threat profiles above. We found that the global average annual cost of insider threats is $11.45 million per organization. The frequency of insider incidents has more than tripled since 2016, from one to 3.2 incidents per organization per year, and these 204 organizations experienced a total of 4,716 insider incidents over the past 12 months.


Highlights From the Cost of Insider Threats Report

The cost of insider incidents varies according to organizational size. Large organizations with a headcount of more than 75,000 spent an average of $17.92 million over the past year to resolve insider-related incidents.

The three industries with the highest insider threat costs were financial services, services, and technology and software. Financial services organizations include banking, insurance, investment management and brokerage companies. Companies in financial services, services, and technology and software incurred average annual costs of $14.05 million, $12.31 million and $12.30 million, respectively.

Next, we found that it takes an average of more than two months to contain an insider incident. The average time to containment was 77 days, and only 13 percent of incidents were contained in less than 30 days.

The negligent insider was the root cause of most incidents (63 percent) in this research. As the figure below shows, a careless employee or contractor was the root cause of 2,962 of the 4,716 incidents reported, and 1,105 incidents were caused by criminal and malicious insiders.

A total of 649 incidents involved stolen credentials, and 191 of these incidents involved the theft of privileged user credentials.

Top Ways to Mitigate Insider Breaches

Companies spend an average of $644,852 on each insider incident. The figure below summarizes the average cost per incident for the three incident types across seven activity centers (the stages of detecting, responding to and recovering from an incident).

According to the reported data, containment and remediation represented the most expensive activity centers for insider threats. The least expensive were ex-post analysis and escalation.

The costliest insider incidents involved credential theft, as the figure below shows: on a per-incident basis they were more than 2.5 times as expensive as incidents caused by employee or contractor negligence. Surprisingly, given that 191 of the credential theft incidents involved stolen privileged user credentials, privileged access management (PAM) is the second-most underutilized tool and activity for reducing insider threats, with only 39 percent of the organizations interviewed deploying it.

Companies spent an average of more than two months containing an incident. As the figure below shows, the average time to contain insider-related incidents in our benchmark sample was 77 days, and only 13 percent of incidents were contained in less than 30 days.

The faster containment occurs, the lower the cost: the total annualized cost is positively correlated with the time it takes to contain insider-related incidents. Organizations whose insider incidents took more than 90 days to contain had the highest average total cost per year ($13.71 million). In contrast, organizations whose incidents took less than 30 days to contain had the lowest total cost ($7.12 million), against an overall average annual cost of $11.45 million.

Review the Complete Findings From the Report

In our release of the 2020 Cost of Insider Threats report, we cover even more details on the annualized cost of insider threats by industry, the percentage of direct versus indirect costs based on activity centers, and the tools and activities that can help reduce the risk of insider threats.

Join us for our upcoming webinar, where we will cover even more of the report and provide a detailed analysis of each area covered in the study. We will also share insights on the best cost savings resulting from the deployment of various cyber risk reduction tools and activities specifically for insider threats.
