July 8, 2020

Volume X, Number 190

Frequency and Cost of Insider Threats Continue to Increase

The Ponemon Institute recently issued its 2020 Cost of Insider Threats Global Report, which finds that the frequency and cost of insider threats continue to increase. Sponsored by ObserveIT and IBM, the 2020 report is the third consecutive report to study insider threats and their impact on businesses in terms of frequency, cost and time to recover. “Insider threats are defined as:

  • A careless or negligent employee or contractor

  • A criminal or malicious insider or

  • A credential thief.”

According to the Report, the “key takeaway is that, across all three insider threat types…both the frequency and cost of insider threats have increased dramatically over the course of two years….the overall cost of insider threats is rising, with a 31 percent increase from $8.76 million in 2018…to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47 percent in just two years, from 3,200 in 2018…to 4,700 in 2020. This data shows that insider threats are still a lingering and often under-addressed cybersecurity threat within organizations, compared with external threats.”

Although negligent insiders caused more incidents than any other type (62 percent of all incidents), credential theft cost companies the most. The average cost of an insider threat incident caused by a negligent or careless employee is $307,111, while in contrast, the theft of users’ credentials cost an average of $871,686, and the theft of privileged users’ credentials (25 percent of all incidents) cost an average of $2.79 million. Criminal and malicious insiders (14 percent of all incidents) cost organizations an average of $756,760 per incident.

A significant cost associated with insider threats is attributed to the investigation of the incident, which includes monitoring and surveillance, incident response, containment and remedial actions. The average cost of the investigation following an insider threat increased 38 percent over the past two years to $103,798.

In addition, the Report states that according to the survey results, “it takes an average of 77 days to contain each insider threat incident. Only 13 percent of incidents were contained in less than 30 days.” The fastest-growing industries for insider threats included retail and financial services.

The Report outlines several risk factors that companies may wish to consider in determining their exposure to an insider threat, which include:

  • employees are not trained on the laws or regulatory requirements related to their work that affect the organization’s security;

  • employees are unaware of the steps to take to secure their devices;

  • employees are sending highly confidential data to an unsecured location in the cloud;

  • employees break the company’s security policies to simplify tasks; and

  • employees expose the organization to risk by not keeping devices patched and upgraded.

These are valuable tips for companies to consider when determining resources to invest in cybersecurity. Employees and insider threats continue to top the list of risks, and providing employees and contractors with education and tools, and implementing measures to catch malicious or criminal insiders are important components of a risk management program.

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume X, Number 41


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...