Today, I’m pleased to share some of the key findings from the 2020 Cost of Insider Threats Global Report. This is the third benchmark study, independently sponsored by IBM Security and ObserveIT to help understand the direct and indirect costs that result from insider threats. The first study was conducted in 2016 and focused exclusively on companies in the U.S.

In the 2020 study, we interviewed companies located in North America, Europe, the Middle East and the Asia-Pacific region. In the context of this research, an insider threat is defined as:

  • a careless or negligent employee or contractor,
  • a criminal or malicious insider, or
  • a credential thief.

This year, we interviewed 964 IT and security practitioners to understand the costs associated with insider threats across the three primary insider threat profiles at 204 enterprise organizations. We found, on average, that the global average cost of an insider threat is $11.45 million. The frequency of insider incidents has tripled since 2016 from one to 3.2 per organization, and these 204 organizations experienced a total of 4,716 insider incidents over the past 12 months.

Download the 2020 Cost of Insider Threats Report

Highlights From the Cost of Insider Threats Report

The cost of insider incidents varies according to organizational size. Large organizations with a headcount of more than 75,000 spent an average of $17.92 million over the past year to resolve insider-related incidents.

The three largest industries affected were financial services, services, and technology and software. Financial services organizations include banking, insurance, investment management and brokerage companies. Companies in financial services, services, and technology and software incurred average costs of $14.05 million, $12.31 million and $12.30 million, respectively.

Next, we found that it takes an average of more than two months to contain an insider incident. It took an average of 77 days to contain the incident and only 13 percent of incidents were contained in less than 30 days.

The negligent insider was the root cause of most incidents (63 percent) in this research. As the figure below shows, a careless employee or contractor was the root cause of 2,962 of the 4,716 incidents reported, and 1,105 incidents were caused by criminal and malicious insiders.

A total of 649 incidents involved stolen credentials, and 191 of these incidents involved the theft of privileged user credentials.

Top Ways to Mitigate Insider Breaches

Companies spend an average of $644,852 on each insider incident. The figure below summarizes the average cost of insider-related threats for the three types of incidents and seven activity centers.

According to the reported data, containment and remediation represented the most expensive activity centers for insider threats. The least expensive were ex-post analysis and escalation.

The costliest insider threats involved credential theft, as the figure below shows, which was more than 2.5 times as expensive as incidents involving employee or contractor negligence. Surprisingly, privileged access management (PAM) is the second-most underutilized tool and activity used to reduce insider threats, with only 39 percent of organizations interviewed deploying the tool.

Companies spent an average of more than two months containing an incident. According to the figure below, the average time to contain insider-related incidents in our benchmark sample was 77 days. Only 13 percent of incidents were contained in less than 30 days.

The faster containment occurs, the lower the cost — the total annualized cost appears to be positively correlated with the time to contain insider-related incidents. Insider threats that took more than 90 days to contain had the highest average total cost per year ($13.71 million). In contrast, incidents that took less than 30 days to contain had the lowest total cost ($7.12 million). The average annual cost was $11.45 million.

Review the Complete Findings From the Report

In our release of the 2020 Cost of Insider Threats report, we cover even more details on the annualized cost of insider threats by industry, the percentage of direct versus indirect costs based on activity centers, and the tools and activities that can help reduce the risk of insider threats.

Join us for our upcoming webinar, where we will cover even more of the report and provide a detailed analysis of each area covered in the study. We will also share insights on the best cost savings resulting from the deployment of various cyber risk reduction tools and activities specifically for insider threats.

More from CISO

Bridging the 3.4 Million Workforce Gap in Cybersecurity

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen. Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper…

CEO, CIO or CFO: Who Should Your CISO Report To?

As we move deeper into a digitally dependent future, the growing concern of data breaches and other cyber threats has led to the rise of the Chief Information Security Officer (CISO). This position is essential in almost every company that relies on digital information. They are responsible for developing and implementing strategies to harden the organization's defenses against cyberattacks. However, while many organizations don't question the value of a CISO, there should be more debate over who this important role…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…