January 27, 2020 By Larry Ponemon 4 min read

Today, I’m pleased to share some of the key findings from the 2020 Cost of Insider Threats Global Report. This is the third benchmark study, independently sponsored by IBM Security and ObserveIT to help understand the direct and indirect costs that result from insider threats. The first study was conducted in 2016 and focused exclusively on companies in the U.S.

In the 2020 study, we interviewed companies located in North America, Europe, the Middle East and the Asia-Pacific region. In the context of this research, an insider threat is defined as:

  • a careless or negligent employee or contractor,
  • a criminal or malicious insider, or
  • a credential thief.

This year, we interviewed 964 IT and security practitioners at 204 enterprise organizations to understand the costs associated with the three primary insider threat profiles. We found that the global average cost of an insider threat is $11.45 million. The frequency of insider incidents has tripled since 2016, from one to 3.2 per organization, and these 204 organizations experienced a total of 4,716 insider incidents over the past 12 months.


Highlights From the Cost of Insider Threats Report

The cost of insider incidents varies according to organizational size. Large organizations with a headcount of more than 75,000 spent an average of $17.92 million over the past year to resolve insider-related incidents.

The three largest industries affected were financial services, services, and technology and software. Financial services organizations include banking, insurance, investment management and brokerage companies. Companies in financial services, services, and technology and software incurred average costs of $14.05 million, $12.31 million and $12.30 million, respectively.

Next, we found that it takes an average of more than two months to contain an insider incident. It took an average of 77 days to contain the incident and only 13 percent of incidents were contained in less than 30 days.

The negligent insider was the root cause of most incidents (63 percent) in this research. As the figure below shows, a careless employee or contractor was the root cause of 2,962 of the 4,716 incidents reported, and 1,105 incidents were caused by criminal and malicious insiders.

A total of 649 incidents involved stolen credentials, and 191 of these incidents involved the theft of privileged user credentials.

Top Ways to Mitigate Insider Breaches

Companies spend an average of $644,852 on each insider incident. The figure below summarizes the average cost of insider-related threats for the three types of incidents and seven activity centers.

According to the reported data, containment and remediation represented the most expensive activity centers for insider threats. The least expensive were ex-post analysis and escalation.

The costliest insider threats involved credential theft, as the figure below shows; these incidents were more than 2.5 times as expensive as incidents involving employee or contractor negligence. Surprisingly, privileged access management (PAM) is the second-most underutilized tool and activity for reducing insider threats, with only 39 percent of the organizations interviewed deploying it.

Companies spent an average of more than two months containing an incident. According to the figure below, the average time to contain insider-related incidents in our benchmark sample was 77 days. Only 13 percent of incidents were contained in less than 30 days.

The faster containment occurs, the lower the cost — the total annualized cost appears to be positively correlated with the time to contain insider-related incidents. Insider threats that took more than 90 days to contain had the highest average total cost per year ($13.71 million). In contrast, incidents that took less than 30 days to contain had the lowest total cost ($7.12 million). The average annual cost was $11.45 million.

Review the Complete Findings From the Report

In our release of the 2020 Cost of Insider Threats report, we cover even more details on the annualized cost of insider threats by industry, the percentage of direct versus indirect costs based on activity centers, and the tools and activities that can help reduce the risk of insider threats.

Join us for our upcoming webinar, where we will cover even more of the report and provide a detailed analysis of each area covered in the study. We will also share insights on the best cost savings resulting from the deployment of various cyber risk reduction tools and activities specifically for insider threats.
