The potential monetary losses from security incidents caused by insider activity — purposeful or accidental — is sharply on the rise, as businesses continue to misunderstand the threat they pose.
According to a report released today by AI-based risk management technology provider DTEX Systems in partnership with security research firm Ponemon Institute, companies are generally underfunding their insider risk programs, spending roughly $200 per employee on that type of security. The report, which was based on a survey of more than 1,000 IT and IT security decision-makers, found that that 58% of the respondents didn’t think that was enough money.
The consequences of that underspending could be serious, according to the report. The total average cost of an insider risk rose from $15.4 million in 2022 to $16.2 million in 2023, while the average number of days required to contain a security threat that originated with an insider rose from 85 to 86 in the same time period.
Ponemon classified insider threats into three categories. First, threats that arose because of malicious insiders looking to harm the company, like disgruntled employees. Second, threats that arose because an outside attacker “outsmarted” a vulnerable employee, who was taken in by a phishing scam or similar. Finally — in the most costly category — the report described negligent or mistaken insiders, who ignored warnings from security systems or misconfigured a system.
More than half, or 55%, of money spent on insider incident response went toward problems caused by negligence or mistakes, compared to 20% for novel attacks that simply outsmarted business staff or IT workers, and 25% for those caused by actively malicious insiders.
This means that security teams, the report’s authors asserted, could save a lot of money by focusing on detection and prevention, rather than being forced to spend their funding on remediation. In the final estimate, the study found that just 10% of insider-risk management budgets were spent on pre-incident outlays — roughly $64,000 per incident. The remaining $565,363 per incident went toward containment, remediation, investigation, incident response and escalation.
“Funding is being inadvertently misdirected due in part to a widespread misunderstanding of insider risks and how they manifest based on early warning behaviors,” the report said. “A whole-of-industry approach is required to educate and find common ground on how we define and discuss insider risks with enterprise and government entities.”