January 27, 2020 By Larry Ponemon 4 min read

Today, I’m pleased to share some of the key findings from the 2020 Cost of Insider Threats Global Report. This is the third benchmark study, independently sponsored by IBM Security and ObserveIT to help understand the direct and indirect costs that result from insider threats. The first study was conducted in 2016 and focused exclusively on companies in the U.S.

In the 2020 study, we interviewed companies located in North America, Europe, the Middle East and the Asia-Pacific region. In the context of this research, an insider threat is defined as:

  • a careless or negligent employee or contractor,
  • a criminal or malicious insider, or
  • a credential thief.

This year, we interviewed 964 IT and security practitioners to understand the costs associated with insider threats across the three primary insider threat profiles at 204 enterprise organizations. We found, on average, that the global average cost of an insider threat is $11.45 million. The frequency of insider incidents has tripled since 2016 from one to 3.2 per organization, and these 204 organizations experienced a total of 4,716 insider incidents over the past 12 months.

Download the 2020 Cost of Insider Threats Report

Highlights From the Cost of Insider Threats Report

The cost of insider incidents varies according to organizational size. Large organizations with a headcount of more than 75,000 spent an average of $17.92 million over the past year to resolve insider-related incidents.

The three largest industries affected were financial services, services, and technology and software. Financial services organizations include banking, insurance, investment management and brokerage companies. Companies in financial services, services, and technology and software incurred average costs of $14.05 million, $12.31 million and $12.30 million, respectively.

Next, we found that it takes an average of more than two months to contain an insider incident. It took an average of 77 days to contain the incident and only 13 percent of incidents were contained in less than 30 days.

The negligent insider was the root cause of most incidents (63 percent) in this research. As the figure below shows, a careless employee or contractor was the root cause of 2,962 of the 4,716 incidents reported, and 1,105 incidents were caused by criminal and malicious insiders.

A total of 649 incidents involved stolen credentials, and 191 of these incidents involved the theft of privileged user credentials.

Top Ways to Mitigate Insider Breaches

Companies spend an average of $644,852 on each insider incident. The figure below summarizes the average cost of insider-related threats for the three types of incidents and seven activity centers.

According to the reported data, containment and remediation represented the most expensive activity centers for insider threats. The least expensive were ex-post analysis and escalation.

The costliest insider threats involved credential theft, as the figure below shows, which was more than 2.5 times as expensive as incidents involving employee or contractor negligence. Surprisingly, privileged access management (PAM) is the second-most underutilized tool and activity used to reduce insider threats, with only 39 percent of organizations interviewed deploying the tool.

Companies spent an average of more than two months containing an incident. According to the figure below, the average time to contain insider-related incidents in our benchmark sample was 77 days. Only 13 percent of incidents were contained in less than 30 days.

The faster containment occurs, the lower the cost — the total annualized cost appears to be positively correlated with the time to contain insider-related incidents. Insider threats that took more than 90 days to contain had the highest average total cost per year ($13.71 million). In contrast, incidents that took less than 30 days to contain had the lowest total cost ($7.12 million). The average annual cost was $11.45 million.

Review the Complete Findings From the Report

In our release of the 2020 Cost of Insider Threats report, we cover even more details on the annualized cost of insider threats by industry, the percentage of direct versus indirect costs based on activity centers, and the tools and activities that can help reduce the risk of insider threats.

Join us for our upcoming webinar, where we will cover even more of the report and provide a detailed analysis of each area covered in the study. We will also share insights on the best cost savings resulting from the deployment of various cyber risk reduction tools and activities specifically for insider threats.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today