What's the Average Cost of an Insider Threat?
A Ponemon Institute study of more than 700 IT and security practitioners around the world found that the risk posed by insider threats is growing year-over-year, costing organizations significant money and resources as the threats continue to be difficult to detect, identify and manage.
The average cost of an insider-related incident over a 12-month period is $8.76 million, and it takes more than two months, on average, to contain an insider incident, the report said.
“This research reveals that ignoring the growing threat posed by insiders can be costly for businesses of all sizes and in all industries,” said Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute. “The increasing cost of insider threats – whether caused by negligent or malicious actors – is extremely detrimental for organizations, potentially costing them millions of dollars annually.”
Key findings from the Ponemon Institute and ObserveIT survey include:
- Types of Insider Threats: All types of insider threats are increasing. Since 2016, the average number of incidents involving employee or contractor negligence has increased by 26 percent, and by 53 percent for criminal and malicious insiders. The average number of credential theft incidents has more than doubled over the past two years, increasing by 170 percent.
- Negligent Insiders: The majority of respondents (64 percent) cited that the negligent insider is the root of most incidents, followed by criminal and malicious insiders (23 percent) and employee and contractor negligence (13 percent).
- Costly Credential Risk: Credential risk (or imposter risk) is the costliest type of insider incident at an average of $648,846 per event. This type of incident is 2.5 times more costly than incidents involving employee or contractor negligence at $283,281 per incident. Criminal and malicious insider incidents cost an average of $607,745 per incident.
- Organizational Risk by Size and Industry: The cost of incidents varies by organizational size and industry. Large organizations with a headcount of more than 75,000 spent an average of $20 million over the past year to resolve insider-related incidents, while smaller organizations with a headcount below 500 spent an average of $1.8 million. Companies in financial services, energy and utilities, and retail incurred average costs of $12.05 million, $10.23 million and $8.86 million, respectively.
- Risk by Region: Organizations in North America experienced the highest total cost to contain insider-related incidents at $11.01 million. Asia-Pacific and European and Middle Eastern (EMEA) companies' annualized costs to contain insider-related incidents were $5.88 million and $7.04 million, respectively.
- Time to Contain Threats: Insights from the research reinforce that insider threats continue to be difficult to detect, identify and manage, as it takes an average of more than two months to contain an insider incident. The results also found that only 16 percent of incidents were contained in fewer than 30 days.