Today, I’m pleased to share some of the key findings from the 2020 Cost of Insider Threats Global Report. This is the third benchmark study, independently sponsored by IBM Security and ObserveIT to help understand the direct and indirect costs that result from insider threats. The first study was conducted in 2016 and focused exclusively on companies in the U.S.

In the 2020 study, we interviewed companies located in North America, Europe, the Middle East and the Asia-Pacific region. In the context of this research, an insider threat is defined as:

  • a careless or negligent employee or contractor,
  • a criminal or malicious insider, or
  • a credential thief.

This year, we interviewed 964 IT and security practitioners to understand the costs associated with insider threats across the three primary insider threat profiles at 204 enterprise organizations. We found, on average, that the global average cost of an insider threat is $11.45 million. The frequency of insider incidents has tripled since 2016 from one to 3.2 per organization, and these 204 organizations experienced a total of 4,716 insider incidents over the past 12 months.

Download the 2020 Cost of Insider Threats Report

Highlights From the Cost of Insider Threats Report

The cost of insider incidents varies according to organizational size. Large organizations with a headcount of more than 75,000 spent an average of $17.92 million over the past year to resolve insider-related incidents.

The three largest industries affected were financial services, services, and technology and software. Financial services organizations include banking, insurance, investment management and brokerage companies. Companies in financial services, services, and technology and software incurred average costs of $14.05 million, $12.31 million and $12.30 million, respectively.

Next, we found that it takes an average of more than two months to contain an insider incident. It took an average of 77 days to contain the incident and only 13 percent of incidents were contained in less than 30 days.

The negligent insider was the root cause of most incidents (63 percent) in this research. As the figure below shows, a careless employee or contractor was the root cause of 2,962 of the 4,716 incidents reported, and 1,105 incidents were caused by criminal and malicious insiders.

A total of 649 incidents involved stolen credentials, and 191 of these incidents involved the theft of privileged user credentials.

Top Ways to Mitigate Insider Breaches

Companies spend an average of $644,852 on each insider incident. The figure below summarizes the average cost of insider-related threats for the three types of incidents and seven activity centers.

According to the reported data, containment and remediation represented the most expensive activity centers for insider threats. The least expensive were ex-post analysis and escalation.

The costliest insider threats involved credential theft, as the figure below shows, which was more than 2.5 times as expensive as incidents involving employee or contractor negligence. Surprisingly, privileged access management (PAM) is the second-most underutilized tool and activity used to reduce insider threats, with only 39 percent of organizations interviewed deploying the tool.

Companies spent an average of more than two months containing an incident. According to the figure below, the average time to contain insider-related incidents in our benchmark sample was 77 days. Only 13 percent of incidents were contained in less than 30 days.

The faster containment occurs, the lower the cost — the total annualized cost appears to be positively correlated with the time to contain insider-related incidents. Insider threats that took more than 90 days to contain had the highest average total cost per year ($13.71 million). In contrast, incidents that took less than 30 days to contain had the lowest total cost ($7.12 million). The average annual cost was $11.45 million.

Review the Complete Findings From the Report

In our release of the 2020 Cost of Insider Threats report, we cover even more details on the annualized cost of insider threats by industry, the percentage of direct versus indirect costs based on activity centers, and the tools and activities that can help reduce the risk of insider threats.

Join us for our upcoming webinar, where we will cover even more of the report and provide a detailed analysis of each area covered in the study. We will also share insights on the best cost savings resulting from the deployment of various cyber risk reduction tools and activities specifically for insider threats.

More from CISO

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read

How the Talent Shortage Impacts Cybersecurity Leadership

4 min read - The lack of a skilled cybersecurity workforce stalls the effectiveness of any organization’s security program. Yes, automated tools and technologies like artificial intelligence (AI) and machine learning (ML) offer a layer of support, and bringing in a managed security service provider (MSSP) provides expertise that isn’t available in-house. But it isn’t enough, especially for the medium-sized businesses that would most benefit from an internal security team. However, the talent shortage doesn’t just impact present-day security concerns. The lack of a…

4 min read