More than half of organizations say budgets for insider risk management are inadequate to contain the soaring cost, frequency of human-initiated security incidents.
The average annual cost of an insider risk has increased to $16.2M – a 40% increase over four years, according to a new report from DTEX Systems. Meanwhile, the average number of days to contain an insider incident has increased to 86 days, according to the 2023 Cost of Insider Risks Global Report, independently conducted by the Ponemon Institute.
In addition to analyzing the costs incurred when an organization experiences an insider security incident, this year’s study includes first-time insights into how organizations are funding insider risk programs. The findings show that almost half (46%) of organizations are planning to increase their investment in insider risk programs in 2024. The study also found that 77% of organizations have started or are planning to start an insider risk program.
“We are encouraged that organizations plan to increase investments in insider risk programs because it’s required by customers and new industry regulations – not just because of previous incidents,” said DTEX Systems CTO Rajan Koo. “This is a significant change that portends long-overdue attention and prioritization.”
The momentum around insider risk management comes amid a backdrop of soaring costs, frequency, and time to contain insider-related security incidents. According to research analyst Gartner, insider risk management refers to “the tools and capabilities to measure, detect and contain undesirable behavior of trusted accounts within the organization.”
Despite the growing cost of insider risks, 88% of organizations spent less than 10% of their total IT security budget on insider risk management. Organizations had an IT security budget of $2,437 per employee, yet only 8.2% (equivalent to $200 per employee) was allocated specifically to insider risk programs and policies. The remaining 91.8% of IT security budget was spent on external threats, despite more than half of organizations attributing social engineering as a leading cause of all outside attacks.
The survey shows that budgets are being wasted on reactive “symptom management” despite growing evidence that the root cause starts within, according to Koo.
“The findings demonstrate that the human, manifested as an insider risk, is the leading cause of all data breaches – including the socially engineered,” he said. “This highlights a widespread misunderstanding of the types of insider risks and the failure to proactively protect customer data and IP.”
The 2023 Cost of Insider Risks Global Report is a comprehensive study to understand the financial consequences of insider risks caused by negligent or mistaken employees, outsmarted employees (including insider incidents related to credential theft), or malicious insiders. It is based on responses from 1,075 security or line of business practitioners in 309 organizations in North America, Europe, Middle East, Africa, and Asia-Pacific regions.
“Our goal in conducting this research is to create awareness of the significant costs incurred when employees are negligent, outsmarted or malicious in the handling of an organization’s sensitive data,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. “We believe this study is unique because it analyzes the costs based on the type of insider, the time it takes to contain the incident and the technologies that are most effective in reducing the costs. Such information is beneficial in creating a strategy to deal more effectively with the insider risk while reducing the costs.”
Here are some more key findings from the report:
- The average annual cost of an insider risk has risen 40% over four years to $16.2M – up from $15.4M in 2022.
- The average number of days to contain an insider incident in 2023 has increased to 86 days. The longer it takes to respond, the higher the cost ($18.33 million for incidents that take more than 91 days to contain).
- Organizations are spending less than 10% of their IT security budget on insider risk management.
- Most insider risk budget is spent after an insider incident has occurred. Only 10% of insider risk management budget (averaging $63,383 per incident) was spent on pre-incident activities.
- Insider risk program funding set to increase. Despite the fact that most organizations allocate an average of 8.2% of their IT security budgets to insider risk programs, 58% view current spending as inadequate and 46% expect funding to increase in the next year. Seventy-seven percent of organizations have started or are planning to start an insider risk program.
- Non-malicious insiders cause most insider incidents. Seventy-five percent of respondents said the most likely cause of insider risk is non-malicious: a negligent or mistaken insider (55%) or an outsmarted insider who was exploited by an external attack or adversary (20%).
To learn more, download the 2023 Cost of Insider Risks Global Report.