Average insider cyberthreat cost spikes 40% in 4 years

Dive Brief:

  • The average annual cost of insider cybersecurity threats increased to $16.2 million during the past 12 months, a 40% increase over four years, according to research conducted by the Ponemon Institute.

  • The biggest costs associated with insider risks came after the incident had occurred, with containment and remediation representing the most expensive areas at $179,209 and $125,221 per incident, respectively, according to the report, released Wednesday. The average time it takes to contain an insider incident increased to 86 days.

  • “The cost of an insider risk is the highest it’s ever been, as organizations spend more time than ever trying to contain insider incidents,” the report said.

Dive Insight:

The outsmarting of insiders is a “go-to tactic” for many external attackers looking to steal credentials and gain access to critical data, according to the research, which was sponsored by DTEX Systems, a San Jose, California-based insider-risk cybersecurity company. Ponemon, based in Michigan, is a research organization focused on data privacy and security.

During the past year, 20% of incidents where an insider was outsmarted involved stolen credentials, at an average annualized cost of $4.2 million, down from $4.6 million in 2022, the report said.

Employee negligence or mistakes — such as not ensuring devices are secured, not following the company’s security policy, or forgetting to patch and upgrade — accounted for 55% of cyberattacks covered in the report. The average annual remediation cost of these incidents reached $7.2 million, up from $6.6 million in 2022.

Malicious insiders — employees or authorized individuals who use their data access for harmful, unethical, or illegal activities — accounted for one-quarter of incidents, costing an average of $701,500 per incident. The average annual cost of an incident by malicious insiders was $4.8 million, up from $4.1 million in 2022.

Total potential losses from cyberattacks and cyber fraud surged 48% last year to $10.2 billion from $6.9 billion in 2021, according to the FBI. The FBI’s Internet Crime Complaint Center received 21,832 complaints involving fraud attempts via business email compromise scams in particular, with adjusted losses totaling over $2.7 billion.

Fraudsters use such scams to compromise legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. Social engineering refers to manipulation techniques designed to exploit human behavior and error to gain access to valuable information or assets.

“As fraudsters have become more sophisticated and preventative measures have been put in place, the BEC scheme has continually evolved in kind,” the report said. “The scheme has evolved from simple hacking or spoofing of business and personal email accounts and a request to send wire payments to fraudulent bank accounts.”

Despite the growing cost of insider risks, 88% of organizations spent less than 10% of their total IT security budget on insider risk management, according to the Ponemon study.

“This highlights a widespread misunderstanding of the types of insider risks and the failure to proactively protect customer data and IP [intellectual property],” Rajan Koo, chief technology officer of DTEX Systems, said in a press release.