How secure is your organization from the inside? If you’re not sure, it might be worth finding out. According to recent data, the rate and cost of insider threats are growing fast. And when an insider breach occurs, the number of files compromised is usually up to five times higher than in external attacks.

Not all insider threats are deliberate. Nevertheless, when an insider breach occurs, the damage is magnified compared to other types of incidents. So what are the most common insider threats? How can they be mitigated? Some recent reports give us the answers.

More Breaches of Insider Origin

A new insider threat report from the Ponemon Institute surveyed organizations across North America, Europe, the Middle East, Africa and Asia-Pacific. Researchers interviewed 1,004 IT and IT security practitioners in 278 organizations that experienced one or more events caused by an insider.

The report revealed an alarming trend. For starters, the number of insider-led cyber incidents totaled 6,803 in 2022, for a total average annual cost of $15.4 million. The highest number of reported insider incidents at any single company was 46. In addition, 67% of companies experienced from 21 to more than 40 incidents per year.

Meanwhile, according to a report by Verizon, the number of records compromised by external threats is approximately 200 million. But in cases involving an insider actor, the number of exposed records swells to over 1 billion.

Not All Insider Threats are Alike

The Ponemon report divides insider threats into three types: negligent, malicious and credential. Insider threats have risen among all three threat categories, but those caused by employee carelessness are the most common. The study discovered that well over half of the incidents reported in the survey were the result of negligence. And the average cost of negligence-based breaches was $6.6 million annually.

Out of a total of 3,807 insider attacks, 56% were due to employee or contractor negligence, with an average cost of $484,931 per event. These incidents may have been caused by a failure to secure devices, ignoring a company’s security protocols or neglecting to update and patch systems.

Malicious insiders were responsible for 26% of all incidents (1,749 events) and each attack had an average cost of $648,062. Malicious insiders are defined as employees or authorized individuals who intentionally use their access for nefarious purposes. And in today’s remote work environment, authorized users increasingly have access to even more information.

Last on the list is credential theft. This incurs the highest cost for remediation, averaging $804,997 per incident. These actors widely use social engineering and phishing tactics. Ponemon reported that there were an average of 1,247 incidents, or 18%, related to stolen credentials.

Insider Breach Containment

According to Ponemon, companies spend an average of 85 days to contain a single insider security incident. Organizations only contained 12% of incidents in less than 30 days. Additionally, the average cost per response was $646,000 per breach. The cost breakdown looks like this:

  • Detection: $35,000
  • Investigation, escalation and response: $280,000
  • Containment, analysis and remediation: $331,000.

Tools that Reduce the Impact of Insider Threats

Some of the most useful information in the Ponemon report was the ranking of technologies that deliver the greatest cost reductions for insider incidents. The top tools, with the percentage of respondents naming each, were:

  1. Data Loss Prevention (DLP) 64%
  2. Privileged Access Management (PAM) 60%
  3. User and Entity Behavior Analytics (UEBA) 57%
  4. Security Information and Event Management (SIEM) 53%
  5. Endpoint Detection and Response (EDR) 50%
  6. Insider Threat Management (ITM) 41%
  7. Other 3%.

The Top Three Anti-Insider Breach Tools

Here’s a breakdown of the top three tools mentioned in the Ponemon report.

Data Loss Prevention (DLP) prevents sensitive information from being accidentally or intentionally leaked or lost. DLP solutions typically monitor and control the movement of sensitive data across an organization’s network and endpoints. DLP may include a combination of technologies, such as encryption, access controls and content analysis. The goal of DLP is to identify, classify and protect sensitive data, ensuring that it remains confidential and secure.

Privileged Access Management (PAM) involves controlling and monitoring access to confidential information and systems. PAM solutions manage and secure privileged accounts, such as those used by system administrators, database administrators and other users with elevated access rights. This prevents unauthorized access and further ensures that privileged users can only perform actions necessary for their job function. Features such as password management, privileged session management and two-factor authentication are common in PAM.

User and Entity Behavior Analytics (UEBA) uses big data and machine learning algorithms to analyze patterns of behavior in users and entities within an organization. UEBA solutions detect and respond to insider threats and other security incidents by identifying unusual or suspicious behavior. UEBA can also analyze large amounts of data, including logs, network traffic and other security-related information, to establish normal patterns of user behavior. Machine learning algorithms identify any deviations from these normal patterns, then generate alerts for security teams.
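The baseline-then-deviation idea behind UEBA, reduced to its core, as an added illustration rather than any vendor's or the report's code: it builds a per-user baseline from a constructed log of daily sensitive-file downloads and activity hours, then flags later days whose volume or timing falls outside that user's own norm. Plain statistics stand in for the machine learning a production UEBA product would use.

```python
"""Minimal UEBA-style baseline-and-deviation detector (added illustration).

Constructed sample log: per-user daily counts of sensitive-file downloads and
the hour of activity. A baseline is built from the first N days; later days
are scored against that user's own history, not a global threshold.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed event log: (day, user, hour_of_day, files_downloaded)
EVENTS = [
    (1, "alice", 10, 12), (2, "alice", 11, 15), (3, "alice", 9, 11),
    (4, "alice", 14, 13), (5, "alice", 10, 14),
    (1, "bob", 9, 3), (2, "bob", 10, 4), (3, "bob", 9, 2),
    (4, "bob", 11, 3), (5, "bob", 10, 4),
    # Day 6: alice looks like herself; bob pulls far more files, at 02:00.
    (6, "alice", 10, 13), (6, "bob", 2, 90),
]

def build_baseline(events, baseline_days):
    """Per-user (mean, stdev, hours seen) over the baseline window."""
    counts = defaultdict(list)
    hours = defaultdict(set)
    for day, user, hour, n in events:
        if day <= baseline_days:
            counts[user].append(n)
            hours[user].add(hour)
    return {u: (mean(v), pstdev(v), hours[u]) for u, v in counts.items()}

def score_events(events, baseline, baseline_days, z_threshold=3.0):
    """Alerts for post-baseline events that deviate from the user's norm."""
    alerts = []
    for day, user, hour, n in events:
        if day <= baseline_days or user not in baseline:
            continue  # no history yet: a real system would hold a new-user baseline
        mu, sigma, seen_hours = baseline[user]
        # Guard against a zero-variance baseline (a constant history).
        z = (n - mu) / sigma if sigma > 0 else (0.0 if n == mu else float("inf"))
        reasons = []
        if z >= z_threshold:
            reasons.append(f"download volume z={z:.1f}")
        if not any(abs(hour - h) <= 1 for h in seen_hours):
            reasons.append(f"unusual hour {hour:02d}:00")
        if reasons:
            alerts.append((day, user, reasons))
    return alerts

def run(baseline_days=5):
    """Build the baseline and score the constructed log; returns the alert list."""
    return score_events(EVENTS, build_baseline(EVENTS, baseline_days), baseline_days)

if __name__ == "__main__":
    for day, user, reasons in run():
        print(f"day {day}: {user}: {'; '.join(reasons)}")
```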

The Hidden Insider IoT Danger

If we dig deeper into the Ponemon report, however, one piece of data deserves special mention. A striking 63% of respondents feel that vulnerable IoT devices are at the greatest risk of data loss. IoT might not be the kind of insider that first comes to mind — but IoT devices far outnumber humans. And millions of devices connect to critical networks every day.

As a result, it makes sense that PAM solutions were named the second most important prevention tool. Identity and Access Management (IAM) is a key part of PAM. For ongoing identity management, IAM assigns a digital identity to each entity, authenticates logins and authorizes resource access. This provides secure access for employees, contractors, partners, remote and mobile users and customers.

IAM even works for IoT devices, robots and code like APIs or microservices. IAM also helps protect against compromised credentials and easily cracked passwords that are common entry points for cyberattacks — including from insiders.
