Despite rising insider risk costs, budgets are being wasted in the wrong places

The cost of an insider risk is the highest it’s ever been, as organizations spend more time than ever trying to contain insider incidents, according to DTEX Systems.

The average annual cost of an insider risk has increased to $16.2 million – a 40% increase over four years. Meanwhile, the average number of days to contain an insider incident has increased to 86 days.

In addition to analyzing the costs incurred when an organization experiences an insider security incident, this year’s study includes first-time insights into how organizations are funding insider risk programs. The findings show that 46% of organizations plan to increase their investment in insider risk programs in 2024. The study also found that 77% of organizations plan to start an insider risk program.

“We are encouraged that organizations plan to increase investments in insider risk programs because it’s required by customers and new industry regulations – not just because of previous incidents. This is a significant change that portends long-overdue attention and prioritization,” said DTEX Systems CTO Rajan Koo.

Inadequate investment in insider risk management

The momentum around insider risk management comes amid soaring costs, frequency, and time to contain insider-related security incidents. According to research analyst Gartner, insider risk management refers to “the tools and capabilities to measure, detect, and contain undesirable behavior of trusted accounts within the organization.”

Despite the growing cost of insider risks, 88% of organizations spent less than 10% of their total IT security budget on insider risk management. Organizations had an IT security budget of $2,437 per employee, yet only 8.2% (equivalent to $200 per employee) was allocated specifically to insider risk programs and policies.

The remaining 91.8% of IT security budget was spent on external threats, despite more than half of organizations attributing social engineering as a leading cause of all outside attacks.

Koo said the findings show that budgets are being wasted on reactive “symptom management” despite growing evidence that the root cause starts within. “The findings demonstrate that the human, manifested as an insider risk, is the leading cause of all data breaches – including the socially engineered,” he said. “This highlights a widespread misunderstanding of the types of insider risks and the failure to proactively protect customer data and IP.”

Dr. Larry Ponemon, chairman of the Ponemon Institute commented: “Our goal in conducting this research is to create awareness of the significant costs incurred when employees are negligent, outsmarted or malicious in the handling of an organization’s sensitive data. We believe this study is unique because it analyzes the costs based on the type of insider, the time it takes to contain the incident and the technologies that are most effective in reducing the costs. Such information is beneficial in creating a strategy to deal more effectively with the insider risk while reducing the costs.”

Insider risk program funding set to increase

The average annual cost of an insider risk has risen 40% over four years to $16.2 million – up from $15.4 million in 2022. The average number of days to contain an insider incident in 2023 has increased to 86 days. The longer it takes to respond, the higher the cost ($18.33 million for incidents that take more than 91 days to contain).

Organizations had an average IT security budget of $2,437 per employee, yet only 8.2% (equivalent to $200 per employee) was allocated specifically to insider risk management programs and policies.

Only 10% of insider risk management budget (averaging $63,383 per incident) was spent on pre-incident activities: $33,596 on monitoring and surveillance, and $29,787 on ex-post analysis (this includes activities to minimize potential future insider incidents and steps taken to communicate recommendations with key stakeholders).

The remaining 90% (averaging $565,363 per incident) was spent on post-incident activity cost centers: $179,209 on containment, $125,221 on remediation, $117,504 on investigation, $113,635 on incident response, and $29,794 on escalation.

Despite the fact that most organizations allocate an average of 8.2% of their IT security budgets to insider risk programs, 58% view current spending as inadequate and 46% expect funding to increase in the next year. 77% of organizations have started or are planning to start an insider risk program.

Non-malicious insiders cause most insider incidents

75% of respondents said the most likely cause of insider risk is non-malicious: a negligent or mistaken insider (55%) or an outsmarted insider who was exploited by an external attack or adversary (20%).

53% of organizations said social engineering (including phishing, pretexting and business email compromise) was a leading cause of non-insider or external attacks.

The average activity cost for financial services is $20.68 million and services (including accountancy, consultancy and professional services firms) is $19.09 million.

Among organizations that have or plan to have a dedicated insider risk program, 52% report that top-down support and championing of the program (e.g., an insider risk steering committee) is a key feature. 51% have a dedicated cross-functional team from legal, human resources, line of business and IT security.

One-third of organizations view artificial intelligence and machine learning as essential to the prevention, investigation, escalation, containment and remediation of insider incidents, while 31% view it as very important.