Insider risks are getting increasingly costly

Insider risks are getting increasingly costly

The cost of cybersecurity threats caused by organisation insiders rose over the course of 2023, according to a new report from the Ponemon Institute and DTEX Systems.

The potential monetary losses from security incidents caused by insider activity — purposeful or accidental — is sharply on the rise, as businesses continue to misunderstand the threat they pose.

According to a report released today by AI-based risk management technology provider DTEX Systems in partnership with security research firm Ponemon Institute, companies are generally underfunding their insider risk programs, spending roughly $200 per employee on that type of security. The report, which was based on a survey of more than 1,000 IT and IT security decision-makers, found that that 58% of the respondents didn’t think that was enough money.

The consequences of that underspending could be serious, according to the report. The total average cost of an insider risk rose from $15.4 million in 2022 to $16.2 million in 2023, while the average number of days required to contain a security threat that originated with an insider rose from 85 to 86 in the same time period.

Ponemon classified insider threats into three categories. First, threats that arose because of malicious insiders looking to harm the company, like disgruntled employees. Second, threats that arose because an outside attacker “outsmarted” a vulnerable employee, who was taken in by a phishing scam or similar. Finally — in the most costly category — the report described negligent or mistaken insiders, who ignored warnings from security systems or misconfigured a system.

More than half, or 55%, of money spent on insider incident response went toward problems caused by negligence or mistakes, compared to 20% for novel attacks that simply outsmarted business staff or IT workers, and 25% for those caused by actively malicious insiders.

This means that security teams, the report’s authors asserted, could save a lot of money by focusing on detection and prevention, rather than being forced to spend their funding on remediation. In the final estimate, the study found that just 10% of insider-risk management budgets were spent on pre-incident outlays — roughly $64,000 per incident. The remaining $565,363 per incident went toward containment, remediation, investigation, incident response and escalation.

“Funding is being inadvertently misdirected due in part to a widespread misunderstanding of insider risks and how they manifest based on early warning behaviors,” the report said. “A whole-of-industry approach is required to educate and find common ground on how we define and discuss insider risks with enterprise and government entities.”

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.


EDGE 2024

Register your interest now for EDGE 2024!



How MSPs can capitalise on integrating AI into existing services

How MSPs can capitalise on integrating AI into existing services

​Given the pace of change, scale of digitalisation and evolution of generative AI, partners must get ahead of the trends to capture the best use of innovative AI solutions to develop new service opportunities. For MSPs, integrating AI capabilities into existing service portfolios can unlock enhancements in key areas including managed hosting, cloud computing and data centre management. This exclusive Reseller News roundtable in association with rhipe, a Crayon company and VMware, focused on how partners can integrate generative AI solutions into existing service offerings and unlocking new revenue streams.

How MSPs can capitalise on integrating AI into existing services
Access4 holds inaugural A/NZ Annual Conference

Access4 holds inaugural A/NZ Annual Conference

​Access4 held its inaugural Annual Conference in Port Douglass, Queensland, for Australia and New Zealand from 9-11 October, hosting partners from across the region with presentations on Access4 product updates, its 2023 Partner of the Year awards and more.

Access4 holds inaugural A/NZ Annual Conference
Show Comments