New research released yesterday by the Ponemon Institute reveals a dramatic increase in both the frequency of insider threats and their financial cost to businesses since 2018.
The report, "2020 Cost of Insider Threats: Global," shows that the average global cost of insider threats rose by 31% in two years to $11.45m, and the frequency of incidents spiked by 47% in the same time period.
To gather data for the study, researchers talked to 964 IT and security practitioners at 204 organizations in North America, Europe, the Middle East, Africa, and Asia-Pacific. All the individuals who contributed worked at a company with a global headcount of 1,000 or more.
Researchers learned that across all organizations in the past 12 months a total of 4,716 incidents had occurred that had been caused by an insider threat.
For a more detailed analysis, researchers split the incidents into three different categories of threat: those caused unintentionally by negligent employees or contractors, those perpetrated by credential thieves bent on using insiders' login information to gain unauthorized access to applications and systems, and those instigated by criminal and malicious insiders out to damage an organization from within.
Of the three profiles, credential thieves caused the most damage per incident, costing organizations an average of $871,000 per incident—three times more per incident than a negligent insider. However, the frequency of credential theft was 25% of all incidents, which limited the average annual cost to $2.79m per year.
Negligent employees or contractors, who were found to have caused 62% of insider threats, created the highest financial burden of the profiles, costing an average of $4.58m per year.
Malicious criminal insider threats were found to have occurred with the least frequency, making up just 14% of incidents. The financial ramifications of this rarer threat type were still significant, with researchers recording a per-incident cost of $756K and annual losses of $4.08m.
Proving the old adage "a stitch in time saves nine," researchers found that the longer an insider threat lingers the costlier it is to rectify. Incidents that took more than 90 days to contain cost organizations $13.71m on an annualized basis, while incidents that lasted less than 30 days cost roughly half, at $7.12m.
The study was sponsored by ObserveIT, a Proofpoint company, and IBM.