Keeping up to date with the latest statistics on insider threats is critical for any organization that wants to be proactive in reducing potential risks. Being aware of current insider risks enables you to take the appropriate measures to mitigate them.
This article outlines key facts endorsed by industry experts, discusses the findings revealed by insider threat research, and shows examples of damaging insider incidents. Keep reading so you can make informed decisions when creating or modifying your insider threat program.
Research on insider threat statistics
To provide you with the most relevant information and facts, we’ve referenced the most credible insider risk reports:
Insider risk research reports:
1. Cost of Insider Risk Global Report by Ponemon Institute
2. Insider Threat Report by Cybersecurity Insiders
3. Cost of a Data Breach Report by IBM Security
4. Data Breach Investigations Report by Verizon
These insider risk research reports provide key information on insider threats, the techniques and methods employed by threat actors, and the cost of remediation.
Top 3 insider threat actors and incidents from 2023
Any company can have a malicious insider.
The Insider Threat Report 2023 by Cybersecurity Insiders states that 74% of organizations are at least moderately vulnerable to insider threats. And that’s understandable: in 2022, many insider attacks and leaks were caused by user negligence.
Companies continue to suffer from insider threats coming from these types of actors:
Regular employees
Regular employees have limited capabilities compared to privileged users, but they can still harm your organization. For instance, they can misuse corporate data, install unauthorized applications, send confidential emails to the wrong address, or become the victim of a social engineering attack.
In fact, phishing and compromised credentials were the two most common initial attack vectors in data breaches, according to the 2023 Cost of a Data Breach Report by IBM Security.
An example of an insider attack by a regular employee:
Affected entity: MGM Resorts International
Incident type: Social engineering attack
Consequences:
- More than 36 hours of IT downtime
- Nearly $10 million in one-time expenses
- An estimated $100 million loss on adjusted property earnings before interest, taxes, depreciation, amortization, and rent
- Reputational damage
In September 2023, a cybercriminal group called Scattered Spider conducted a successful social engineering attack targeting an employee of MGM Resorts International. By analyzing the employee’s account on LinkedIn and impersonating them on a call to the help desk, malicious actors managed to gain access to the organization’s network.
As the attack progressed, hackers gained super administrator privileges to MGM’s Okta, obtained Global Administrator privileges to their Azure tenant, launched ransomware attacks, and exfiltrated data.
To prevent further unauthorized access and data exfiltration, the organization had to shut down certain services. As a result, many customers were unable to enter their hotel rooms, use the elevators, or operate gaming kiosks and consoles in the organization’s facilities. Disruptions led to huge operational, financial, and reputational losses.
Third parties
Third parties are vendors, subcontractors, business partners, and supply chain entities that have access to your IT systems or data. Third parties may fail to follow your organization’s cybersecurity rules or violate them through malicious actions. Additionally, hackers can target a poorly secured third-party vendor to get inside your protected perimeter.
The 2023 Cost of a Data Breach Report by IBM Security shows that data breaches resulting from a software supply chain compromise cost 8.3% more and take 8.9% longer to identify and contain than other data breaches.
An example of a third-party insider risk:
Affected entity: Zellis
Incident type: Zero-day vulnerability exploitation
Consequences:
- Customers’ sensitive data leaked
- Reputational losses
- Potential legal liabilities
In June 2023, Zellis, a payroll provider serving the UK and Ireland, faced a significant data breach due to a zero-day vulnerability attack on its subcontractor. MOVEit, Zellis’s file transfer software, had a critical vulnerability that hackers exploited to gain access to Zellis’s system and steal its customer data.
Among the Zellis customers whose data was compromised were big organizations, including British Airways, the BBC, Shell, and Boots.
Privileged users
Privileged users are administrators, C-level executives, and others with a high level of access privileges. Privileged users hold the keys to your organization’s critical infrastructure and sensitive data, which is why they can pose a major insider threat to your organization.
Privilege misuse is among the top eight patterns found in data breaches, according to Verizon’s 2023 Data Breach Investigations Report.
An example of an insider threat caused by a privileged user:
Affected entity: US government and military (Pentagon)
Incident type: Data exfiltration
Consequences:
- Leak of classified government and military data
- Threat to national security
- Risk of losing advantages over adversaries
- Risk of hindering relationships with allies
In April 2023, the FBI arrested Jack Teixeira, a member of the Massachusetts Air National Guard, who was implicated in a Pentagon intelligence breach. Teixeira held a Top Secret security clearance and had access to classified US documents.
Over the course of several months, he had been sharing top-secret intelligence with his friends on Discord. The leaked data contained highly sensitive classified information about the US government and military operations as well as critical information about the ongoing war in Ukraine.
Now that we’ve examined some of the major insider-related security incidents of 2023, let’s take a close look at the most common insider attack vectors.
Common insider attack vectors in 2023
The insider categories we’ve looked at can commit data crimes in numerous ways: online or offline, intentionally or unwittingly.
Verizon’s 2023 Data Breach Investigations Report outlines two common insider threat vectors:
Privilege misuse
Privilege misuse means using privileged access inappropriately. Verizon’s 2023 Data Breach Investigations Report says that 89% of all privilege misuse cases are financially motivated.
The most common type of privilege misuse is privilege abuse. It accounts for the majority of all privilege misuse cases and refers to fraudulent or malicious activity with privileged access rights.
Miscellaneous errors
Miscellaneous errors are committed unintentionally by internal actors according to the 2023 Data Breach Investigations Report by Verizon. The main insider groups that commit such errors are usually privileged users (developers and system administrators) and other end users. Their top errors are:
Main reasons for insider threat incidents
Let’s now consider a slightly different classification of insider threat incidents: the root causes. The 2023 Cost of Insider Risk Global Report by Ponemon Institute outlines the following causes of insider threat incidents:
Credential theft
Credential theft is one of the most common ways for external attackers to get inside an organization’s protected perimeter. Using legitimate credentials, perpetrators can operate undetected inside a system for quite some time. To obtain user logins and passwords, perpetrators use social engineering, brute force attacks, credential stuffing, and other attack vectors.
Malicious intent
Insiders with malicious intent are harder to detect than external attackers or hackers, as they know your organization’s cybersecurity measures and sensitive data. Leveraging this knowledge, they may steal or leak data, sabotage operations, or provide external attackers with access to your resources. Security incidents involving malicious insiders cost organizations the most.
Employee or contractor negligence
Insider negligence causes most insider risk security incidents, emphasizing the need for user activity monitoring. Examples of human error are sending sensitive data to the wrong recipient, misconfiguring an environment, and unsafe work practices.
Factors contributing to the complexity of detecting and preventing insider threats
According to the 2023 Insider Threat Report by Cybersecurity Insiders, the three most common factors that make timely detection of insider-driven attacks particularly difficult for cybersecurity teams are:
Insiders’ legitimate access to an organization’s apps, network, and services
Insiders already have legitimate access to your network, holding a distinct advantage over external attackers. While an external hacker requires time to infiltrate your organization, insiders possess open access to the network areas they work in. That’s why traditional security measures, such as firewalls, don’t work against insider threats.
Wide use of SaaS apps that can leak data (e.g. email, cloud services, social media)
The use of SaaS in an organization makes it difficult for cybersecurity teams to monitor and control access to sensitive data. Insiders can access SaaS from anywhere, anytime. SaaS is also challenging to integrate with security tools, which may lead to gaps in your network security.
Increased use of personal devices for accessing corporate resources
Personal devices that employees use for work often don’t have proper security and monitoring tools installed. Moreover, devices located beyond your organization’s security perimeter pose a significant challenge to the timely detection and mitigation of security incidents.
Insider threats are becoming more frequent
The frequency of insider threat incidents keeps rising. The 2023 Cost of Insider Risk Global Report by Ponemon Institute shows that the share of organizations facing 21 to 40 insider threat incidents per year has grown in recent years.
Insider threat incidents caused by each of the three key threat actors have become more frequent as well:
Let’s now take a look at how the rise in frequency of insider threat data breaches has influenced the time and cost of response and remediation.
The cost of insider threats keeps rising
Quantifying the impact of an insider attack is challenging, since there are different types of damage and the outcomes of an attack may be non-linear and unclear. The total cost of an insider threat incident includes the direct cost of the data breach, indirect costs, and lost opportunity costs.
Components of the total cost of an insider threat incident:
- Direct costs: money needed to detect, mitigate, investigate, and remediate the breach
- Indirect costs: the value of resources and employee time spent dealing with the incident
- Lost opportunity costs: potential profit losses due to the attack
These costs keep rising each year.
According to the 2023 Cost of Insider Risks Global Report by Ponemon Institute, the total average cost of insider threat incidents increased by nearly 95% between 2018 and 2023.
Companies from North America suffer the most from insider attacks and their consequences; the average cost in this region increased from $11.1 million to $19.09 million in five years.
The average total spending on a single insider threat incident also went up 80% between 2016 and 2023. Mitigating insider threats involves spending on monitoring and surveillance, investigation, escalation, incident response, containment, ex-post analysis, and remediation.
To prevent the devastating consequences of these trends, you need to detect threats posed by employees in a timely manner — but that’s not as easy as it seems.
Detecting and preventing insider attacks takes time
The longer an insider incident goes undetected, the harsher the consequences. Some breaches may go undetected for months or even years.
Detecting the activity of malicious insiders is challenging, as they know exactly where sensitive data is stored and which cybersecurity solutions are implemented. Spotting unintentional insiders is also tricky, as it involves tracking the actions of all users in your organization.
It takes 86 days on average to detect and contain an insider threat incident, according to the 2023 Cost of Insider Risks Global Report by Ponemon Institute. Only 13% of insider-related incidents are contained in less than 31 days.
The 2023 Cost of Insider Risks Global Report by Ponemon Institute also shows that the longer it takes the organization to respond to a security incident, the higher its cost. The average yearly cost of insider threat incidents taking over 91 days to detect is $18.33 million.
Let’s now explore some strategies you can use to detect and prevent dangerous insider activity and handle insider risks.
What is the best strategy for protecting against insider threats?
The increase in insider risk necessitates the use of advanced procedural and technological insider threat protection measures.
Gartner predicts that half of all medium and large enterprises will adopt formal insider threat programs by 2025, up from 10% in 2023. According to the 2023 Cost of Insider Risks Global Report by Ponemon Institute, 77% of organizations have started or are planning to start an insider risk program.
With so many cybersecurity tools on the market, it’s hard to narrow it down to a particular line of defense and choose the insider threat management software that delivers the best result with the minimum effort.
User training and awareness, data loss prevention (DLP), security information and event management (SIEM), privileged access management (PAM), and user behavior analytics (UBA) are the top five tools and activities for managing insider risks according to the 2023 Cost of Insider Risks Global Report by Ponemon Institute.
Syteca is an all-in-one insider risk management platform that covers most of these methods to help you efficiently detect and prevent insider threats within your organization:
- Privileged access management (PAM) features allow you to secure and granularly control access for all users in your organization. The PAM functionality in Syteca is enhanced with access request and approval procedures, two-factor authentication (2FA), password management, and other capabilities.
- User activity monitoring (UAM) capabilities let you monitor and record user activity across all of your organization’s endpoints, enabling you to increase visibility, detect insider threats, and gather cybersecurity evidence. Syteca supports monitoring on various platforms including Windows, Linux, and macOS.
- Incident detection and response functionalities provide real-time alerts that allow your security officers to quickly detect and respond to insider threats. You can also configure the system to respond to threats automatically. On top of its rule-based alert functionality, Syteca has an AI-based UEBA module that helps you detect insider threats by comparing a user’s activity to their baseline behavior.
Syteca also offers robust reporting, investigation, and data anonymization capabilities that can help you comply with the requirements of popular cybersecurity laws, standards, and regulations in your area and industry. For better usability, you can integrate Syteca with your organization’s existing SIEM system.
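As an added illustration of the baseline-comparison idea behind UEBA (example code written for this article, not Syteca’s own implementation), the script below builds a per-user baseline of daily file-access volume and usual working hours from constructed sample events, then flags days whose volume or timing deviates from that baseline. The event format, thresholds, and user names are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample events for illustration: (user, ISO timestamp, files accessed).
BASELINE_EVENTS = [
    ("alice", "2023-09-04T09:15:00", 12), ("alice", "2023-09-05T10:02:00", 15),
    ("alice", "2023-09-06T11:30:00", 11), ("alice", "2023-09-07T09:45:00", 14),
    ("alice", "2023-09-08T14:10:00", 13),
    ("bob", "2023-09-04T08:50:00", 40), ("bob", "2023-09-05T09:20:00", 42),
    ("bob", "2023-09-06T10:05:00", 38), ("bob", "2023-09-07T13:00:00", 41),
    ("bob", "2023-09-08T09:10:00", 39),
]
NEW_EVENTS = [
    ("alice", "2023-09-11T02:30:00", 240),  # bulk access at 02:30: both checks fire
    ("bob", "2023-09-11T10:00:00", 44),     # normal volume in a usual hour: no alert
]

def aggregate(events):
    """Per user: {date: files accessed that day} and {date: hours active that day}."""
    counts, hours = defaultdict(lambda: defaultdict(int)), defaultdict(lambda: defaultdict(set))
    for user, ts, n in events:
        t = datetime.fromisoformat(ts)
        counts[user][t.date()] += n
        hours[user][t.date()].add(t.hour)
    return counts, hours

def build_baseline(events):
    """Per user: mean and std-dev of daily counts plus the set of hours normally active."""
    counts, hours = aggregate(events)
    return {u: {"mean": mean(list(d.values())), "stdev": pstdev(list(d.values())),
                "hours": set().union(*hours[u].values())} for u, d in counts.items()}

def detect(baseline, events, k=3.0, min_margin=10):
    """Return (user, date, reasons) for days deviating from the user's baseline. Volume threshold
    is mean + max(k*stdev, min_margin); the floor stops a flat baseline from flagging tiny rises."""
    counts, hours = aggregate(events)
    alerts = []
    for user, days in counts.items():
        b = baseline.get(user, {"mean": 0, "stdev": 0, "hours": set()})  # unknown user: flag all
        for day, count in days.items():
            reasons = []
            threshold = b["mean"] + max(k * b["stdev"], min_margin)
            if count > threshold:
                reasons.append(f"volume {count} exceeds threshold {threshold:.1f}")
            if hours[user][day] - b["hours"]:  # any hour never seen in the baseline period
                reasons.append("access outside usual hours")
            if reasons:
                alerts.append((user, day.isoformat(), reasons))
    return alerts
```

In practice the baseline window would be weeks rather than five days, and the hour check would use a tolerance band rather than exact hours, but the structure of the comparison is the same.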
Conclusion
In this article we’ve examined the most informative and comprehensive studies of insider threat statistics to provide you with relevant insights and give you an idea of what adjustments your organization’s cybersecurity needs. The main takeaways from these insider threat analyses show that:
- The frequency, cost, and time for detecting and preventing insider attacks are still rising.
- The main insider threat actors remain the same, affecting corporate security either intentionally or unintentionally.
- Security teams struggle with managing insider risks due to insiders’ legitimate access to an organization’s resources, wide use of SaaS apps, and increased use of personal devices.
- New insider threat challenges require applying sophisticated new technological solutions.
Implementing comprehensive insider threat software such as Syteca can help your organization secure sensitive data from malicious and inadvertent insiders.