May 3, 2023 By Jonathan Reed 4 min read

How secure is your organization from the inside? If you’re not sure, it might be worth finding out. According to recent data, the rate and cost of insider threats are growing fast. And when an insider breach occurs, the number of files compromised is usually up to five times higher than in external attacks.

Not all insider threats are deliberate. Nevertheless, when an insider breach occurs, the damage is magnified compared to other types of incidents. So what are the most common insider threats? How can they be mitigated? Some recent reports give us the answers.

More breaches of insider origin

A new insider threat report from the Ponemon Institute surveyed organizations across North America, Europe, the Middle East, Africa and Asia-Pacific. Researchers interviewed 1,004 IT and IT security practitioners in 278 organizations that experienced one or more events caused by an insider.

The report revealed an alarming trend. For starters, the number of insider-led cyber incidents totaled 6,803 in 2022, for a total average annual cost of $15.4 million. The highest number of insider incidents reported by any single company was 46. In addition, 67% of companies experienced between 21 and more than 40 incidents per year.

Meanwhile, according to a report by Verizon, the number of records compromised by external threats is approximately 200 million. But in cases involving an insider actor, the number of exposed records swells to over 1 billion.

Not all insider threats are alike

The Ponemon report divides insider threats into three types: negligent, malicious and credential. Insider threats have risen among all three threat categories, but those caused by employee carelessness are the most common. The study discovered that well over half of the incidents reported in the survey were the result of negligence. And the average cost of negligence-based breaches was $6.6 million annually.

Out of a total of 3,807 insider attacks, 56% were due to employee or contractor negligence, with an average cost of $484,931 per event. These incidents may have been caused by a failure to secure devices, ignoring a company’s security protocols or neglecting to update and patch systems.

Malicious insiders were responsible for 26% of all incidents (1,749 events) and each attack had an average cost of $648,062. Malicious insiders are defined as employees or authorized individuals who intentionally use their access for nefarious purposes. And in today’s remote work environment, authorized users increasingly have access to even more information.

Last on the list is credential theft. This incurs the highest cost for remediation, averaging $804,997 per incident. These actors widely use social engineering and phishing tactics. Ponemon reported that there were an average of 1,247 incidents, or 18%, related to stolen credentials.

Insider breach containment

According to Ponemon, companies spend an average of 85 days to contain a single insider security incident. Organizations only contained 12% of incidents in less than 30 days. Additionally, the average cost per response was $646,000 per breach. The cost breakdown looks like this:

  • Detection: $35,000
  • Investigation, escalation and response: $280,000
  • Containment, analysis and remediation: $331,000

Tools that reduce the impact of insider threats

Some of the most useful information in the Ponemon report was the ranking of technologies that produce the greatest cost reductions associated with insider incidents. The top tools, and the percentage of respondents naming each, were:

  1. Data Loss Prevention (DLP) 64%
  2. Privileged Access Management (PAM) 60%
  3. User and Entity Behavior Analytics (UEBA) 57%
  4. Security Information and Event Management (SIEM) 53%
  5. Endpoint Detection and Response (EDR) 50%
  6. Insider Threat Management (ITM) 41%
  7. Other 3%

The top three anti-insider breach tools

Here’s a breakdown of the top three tools mentioned in the Ponemon report.

Data loss prevention (DLP) prevents sensitive information from being accidentally or intentionally leaked or lost. DLP solutions typically monitor and control the movement of sensitive data across an organization’s network and endpoints. DLP may include a combination of technologies, such as encryption, access controls and content analysis. The goal of DLP is to identify, classify and protect sensitive data, ensuring that it remains confidential and secure.

Privileged access management (PAM) involves controlling and monitoring access to confidential information and systems. PAM solutions manage and secure privileged accounts, such as those used by system administrators, database administrators and other users with elevated access rights. This prevents unauthorized access and further ensures that privileged users can only perform actions necessary for their job function. Features such as password management, privileged session management and two-factor authentication are common in PAM.

User and entity behavior analytics (UEBA) uses big data and machine learning algorithms to analyze patterns of behavior in users and entities within an organization. UEBA solutions detect and respond to insider threats and other security incidents by identifying unusual or suspicious behavior. UEBA can also analyze large amounts of data, including logs, network traffic and other security-related information, to establish normal patterns of user behavior. Machine learning algorithms identify any deviations from these normal patterns, then generate alerts for security teams.
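As an added illustration of the baseline-and-deviation logic described above (example code written for this page, not from the article, the Ponemon report or any UEBA product): a per-user profile is learned from a constructed file-access log, and a new event is flagged when it touches a host the user has never used, falls at an hour outside their history, or moves a volume of files more than three standard deviations above their norm. The log format, user names, hosts and the z-score threshold are all assumptions for the example.

```python
import statistics
from datetime import datetime
# Constructed sample file-access log, "timestamp,user,host,files_downloaded" (not real data).
BASELINE_LOG = """\
2023-04-03T09:12:00,alice,fileshare-01,12
2023-04-04T10:05:00,alice,fileshare-01,15
2023-04-03T14:02:00,bob,hr-db,3
2023-04-04T15:10:00,bob,hr-db,4
"""
NEW_LOG = """\
2023-04-10T10:15:00,alice,fileshare-01,13
2023-04-10T02:40:00,alice,finance-db,410
2023-04-10T14:20:00,bob,hr-db,4
"""
def parse(text):
    return [{"ts": datetime.fromisoformat(ts), "user": u, "host": h, "files": int(f)}
            for ts, u, h, f in (line.split(",") for line in text.splitlines())]
def build_baseline(rows):
    """Per-user profile from the training window: hosts used, active hours, download volume."""
    per_user = {}
    for r in rows:
        per_user.setdefault(r["user"], []).append(r)
    baseline = {}
    for user, evs in per_user.items():
        files = [e["files"] for e in evs]
        baseline[user] = {"hosts": {e["host"] for e in evs},
                          "hours": {e["ts"].hour for e in evs},
                          "mean": statistics.mean(files),
                          # floor the spread so a flat history still yields a finite z-score
                          "stdev": max(statistics.pstdev(files), 1.0)}
    return baseline
def score_event(baseline, ev, z_threshold=3.0):
    """List how an event deviates from its user's own baseline (empty list = normal)."""
    prof = baseline.get(ev["user"])
    if prof is None:
        return ["no baseline for user"]  # first-seen identity: review, don't silently drop
    reasons = []
    if ev["host"] not in prof["hosts"]:
        reasons.append(f"new host {ev['host']}")
    if ev["ts"].hour not in prof["hours"]:
        reasons.append(f"unusual hour {ev['ts'].hour:02d}:00")
    z = (ev["files"] - prof["mean"]) / prof["stdev"]
    if z > z_threshold:
        reasons.append(f"download volume z={z:.1f}")
    return reasons
def detect(baseline_text=BASELINE_LOG, new_text=NEW_LOG):
    """Map each anomalous event to its reasons; events matching the baseline are omitted."""
    baseline = build_baseline(parse(baseline_text))
    scored = ((ev, score_event(baseline, ev)) for ev in parse(new_text))
    return {f"{ev['user']}@{ev['ts'].isoformat()}": why for ev, why in scored if why}
```

Only the 02:40 access to a never-before-seen database trips all three checks; the routine daytime events produce no alert, which is the point of scoring against each identity's own history rather than a global rule.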

The hidden insider IoT danger

If we dig deeper into the Ponemon report, however, one piece of data deserves special mention. A striking 63% of respondents feel that vulnerable IoT devices are at the greatest risk of data loss. IoT might not be the kind of insider that first comes to mind — but IoT devices far outnumber humans. And millions of devices connect to critical networks every day.

As a result, it makes sense that PAM solutions were named the second most important prevention tool. Identity and Access Management (IAM) is a key part of PAM. For ongoing identity management, IAM assigns a digital identity to each entity, authenticates logins and authorizes resource access. This provides secure access for employees, contractors, partners, remote and mobile users and customers.

IAM even works for IoT devices, robots and code like APIs or microservices. IAM also helps protect against compromised credentials and easily cracked passwords that are common entry points for cyberattacks — including from insiders.
