The costs associated with insider threats continued to rise in 2022.
This is bad news for organizations that are already under financial pressure from the uncertainty of the economy. As interest rates continue to climb and customers become more conservative about how they spend, the last thing that any organization needs is to be putting out fires from security incidents coming from arsonists inside their own house.
And yet, a variety of factors, not the least of which are sizable layoffs hitting companies and the fluidity of access to data, make the possibility of an insider threat increasingly likely.
According to the Ponemon Institute’s 2022 Cost of Insider Threats Global Report, there has been a 44% increase in the number of “insider-led cybersecurity incidents” from 2020 to 2022.
This spike in cases has led to a real dollars-and-cents impact, to the tune of a jaw-dropping $17.53M annually for an organization in North America to handle. This number jumps even higher depending on industry, with financial services reporting closer to a $21.25M average.
Defining the Insider Threat
Defining who exactly falls under the category of insider threat is a little bit complicated. Let’s try to break them down by types and then work out the details from there:
- Malicious Insider
In the most straightforward meaning of the term, we think of the classic malicious insider who has legitimate credentials to access their organization’s data and resources, and then abuses that access for financial, political, or personal gain. A reported 26% of incidents come from these malicious folks according to the Ponemon Institute.
This might be theft, destruction, exposure, or other sorts of misuse of the data.
Think about the employee in accounts payable who uses her access to the company’s financial tools to send herself payments. Or the angry developer who steals source code to sell to a competitor. These cases are a little bit oversimplified but you get the gist.
But not every insider is malicious, or even knows that they are a threat.
- Negligent Insider
According to the Ponemon Institute’s report, a whopping 55% of insider threats were the result of negligence. And at a total cost of $6.6M, they are also the most expensive among the three types.
Without meaning to do harm, these folks make mistakes like not following procedures for secure data handling, misconfiguring resources like an S3 bucket, or even just sending sensitive information to the wrong person. Who among us has not been brought low by simply clicking through autofill in the “to” field of an email?
This sort of case is usually when an employee mishandles sensitive information. The recently reported incident of a Credit Suisse employee improperly sending customer data outside of the organization’s systems is a pretty classic example.
- Credentialed Insider
These are not exactly insiders in the classic sense of being one of your employees. These are external actors who have stolen legitimate credentials and are misusing them to take over your accounts.
While “only” comprising 18% of the cases in the Ponemon Institute’s report, credentialed insiders are among the most difficult to deal with because they are able to take over employees’ accounts and use them to worm their way around inside the organization in search of something worth stealing or disrupting.
At a reported average cost of $805k to deal with per incident, this type of insider is expensive for an organization.
As we see, each of these insiders has their own set of particulars that set them apart from one another in terms of motivation and the sorts of threats they pose. By and large, financial gain is clearly the main driver for malicious actors, mixed with a smattering of personal vendettas in cases where they hope to hurt their soon-to-be former employer.
Another factor that sets them apart is the costs that they can incur on an organization.
Costs of an Insider Threat Incident
Across the board the cost of an insider threat incident has skyrocketed.
Returning to the Ponemon Institute’s report, they tell us that from 2020 to 2022 there was a 34% increase in cost to global organizations, going from $11.45M to $15.38M. Remember that the costs are higher for North American businesses.
But where do these numbers actually come from in terms of expenses?
Let’s break it down by categories.
- Detection of Insider Threats
The first step to dealing with an incident is to understand that you have one on your hands. You can either wait to find your organization’s name in the headlines or, preferably, use detection tools to pick up on the insider earlier in the flow.
This will still cost you. Organizations spent an average of $35k on detection tools in 2022. And for those that caught an insider before harm was caused, this was money well spent.
- Investigation, Escalation, and Response
Once your detection tools pick up the scent of an insider, it is time to bring in the Incident Response team. While some larger organizations have their own in-house capabilities, it is pretty common for crews like Mandiant or one of the other big players to start handling the response. Hopefully they can put a stop to the damage before it gets worse.
Average costs here are $280k, but this can quickly spike up depending on the size of the targeted organization and complexity of the case.
- Containment, Analysis, and Remediation
After the initial incident has been addressed, the team can step in to start repairing the damage. This includes working to understand the extent of the attack, assessing the harm done, and plugging the holes to reduce the chance of something similar happening again soon.
Or at least being better prepared for when it does, because the average here comes out to $331k per incident.
These costs can quickly add up on an organization’s ledger, but they are still only a part of the total incurred.
Longer-Term Costs of an Insider Threat
Speaking to the experts, much of the real spending on an insider threat incident comes after the attack has been discovered and the response has started. Here are three of the biggest costs that an organization is likely to encounter.
- Down Time = Lost Revenue
Loss of productivity is a major concern for organizations while they work to contain and remediate the incident. During this time, employees cannot fully use their systems and may be otherwise inconvenienced by the response operations.
Response times are also getting longer. In 2022, the average went up to 85 days from 77 two years previously. Many times the process runs well past 90 days, sending costs shooting up.
- Harm to Reputation
Some customers may be put off from doing business with an organization if they do not feel that they can trust them to keep their data and even money safe.
This is a bit of a weird issue to get hung up on because insider threats, like data breaches, are now so common. But trust is an intangible that can have very real impacts on your reputation.
- Compliance Consequences
Just about every sort of organization that handles payments or other types of sensitive information, like the personal information of their customers, is subject to regulations that dictate how these data are to be handled.
Mishandling, theft, or damage of personally identifiable information (PII) for example can lead to heavy fines if the organization is shown to have not taken the proper steps to protect it.
There is also always the possibility that someone may claim harm and launch a lawsuit for damages. This is more likely in cases where protected information was exposed.
How to Protect Against Insider Threats and Save on Costs
Here are five tips for saving your organization stress and hopefully some unnecessary spending.
- Implement Comprehensive Employee Security Training
The key is not only catching insiders early, but also working to prevent them from happening in the first place by educating your team on how to avoid costly mistakes.
Be clear and up front about secure and approved ways of handling data. Let them understand that their behavior can have costly consequences for the organization and that you take the requirement to follow security policies seriously.
In addition to the negligent insider concern here, part of your education should focus on how to identify suspicious activity by colleagues. This does not mean expecting your workforce to turn into a team of informants, but keeping an eye out for furtive activities that raise red flags. Your ability to foster a trusting environment will play an important role in your success here.
- Monitor User Behavior for Activity in Sensitive Resources
Determining whether suspicious or malicious behavior is afoot depends on finding deviations from the norm.
In order to do that, you need to establish a baseline of normal behavior for your employees, especially as it pertains to how they interact with sensitive data.
User Behavior Analytics (UBA) tools give you the ability to monitor for changes that may indicate either that an employee’s account has been compromised (logging in at odd hours, perhaps) or that the employee is attempting to access resources that are not part of their routine.
Insider threat behavior is surprisingly consistent in the paths that people take to exfiltrate stolen data. Catching it is simple enough if you have the tools in place to monitor for it.
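The baseline-and-deviation logic described above, as an added example that is not code from the original post or from any UBA product. It builds a per-user baseline (usual working hours, resources routinely read, typical daily event volume) from a set of constructed access-log lines, then flags new events that fall outside that baseline. The log format, user names, paths and thresholds are all assumptions made for the example.

```python
"""Added example: a minimal user-behavior baseline detector over constructed log lines."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (assumed format: "timestamp user action target"); not from a real system.
BASELINE_LOGS = """
2022-03-01T09:12:04 alice LOGIN ok
2022-03-01T09:40:11 alice READ /finance/invoices
2022-03-01T14:05:30 alice READ /finance/invoices
2022-03-02T08:55:02 alice LOGIN ok
2022-03-02T10:20:45 alice READ /finance/reports
2022-03-02T16:10:09 alice READ /finance/invoices
2022-03-03T09:02:13 alice LOGIN ok
2022-03-03T11:31:50 alice READ /finance/reports
2022-03-01T10:00:00 bob LOGIN ok
2022-03-01T10:15:00 bob READ /eng/repo
2022-03-02T10:05:00 bob LOGIN ok
2022-03-02T13:45:00 bob READ /eng/repo
2022-03-03T09:50:00 bob LOGIN ok
2022-03-03T15:20:00 bob READ /eng/repo
""".strip()

# Constructed "new day" logs: alice behaves as usual, bob's account is active at 2 AM
# reading payroll data it has never touched before.
NEW_LOGS = """
2022-03-04T09:10:00 alice LOGIN ok
2022-03-04T09:30:00 alice READ /finance/invoices
2022-03-04T02:47:00 bob LOGIN ok
2022-03-04T02:49:00 bob READ /hr/payroll
2022-03-04T02:50:00 bob READ /hr/payroll
2022-03-04T02:52:00 bob READ /hr/payroll
2022-03-04T02:55:00 bob READ /hr/payroll
""".strip()

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(text):
    """Parse log lines into event dicts; malformed lines are skipped rather than crashing the run."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m.group(1)), "user": m.group(2),
                       "action": m.group(3), "target": m.group(4)})
    return events


def build_baseline(events):
    """Per user: hours seen (with +/-1h tolerance), resources read, and a daily-volume threshold."""
    hours, resources = defaultdict(set), defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        h = e["ts"].hour
        hours[e["user"]].update({(h - 1) % 24, h, (h + 1) % 24})
        if e["action"] == "READ":
            resources[e["user"]].add(e["target"])
        daily[e["user"]][e["ts"].date()] += 1
    baseline = {}
    for user in hours:
        counts = list(daily[user].values())
        mean, sd = statistics.mean(counts), statistics.pstdev(counts)
        # Volume threshold: mean + 3 sigma, but never lower than double a normal day,
        # so a user with perfectly regular history still gets a sensible margin.
        baseline[user] = {"hours": hours[user], "resources": resources[user],
                          "volume_threshold": max(mean + 3 * sd, 2 * mean)}
    return baseline


def detect(baseline, events):
    """Return (user, reason, detail) alerts for events that deviate from the user's baseline."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        user, b = e["user"], baseline.get(e["user"])
        if b is None:
            alerts.append((user, "no_baseline", e["ts"].isoformat()))
            continue
        if e["ts"].hour not in b["hours"]:
            alerts.append((user, "off_hours", e["ts"].isoformat()))
        if e["action"] == "READ" and e["target"] not in b["resources"]:
            alerts.append((user, "unusual_resource", e["target"]))
        daily[user][e["ts"].date()] += 1
    for user, days in daily.items():
        for day, n in days.items():
            if user in baseline and n > baseline[user]["volume_threshold"]:
                alerts.append((user, "volume_spike", f"{day}:{n}"))
    return alerts


def run_example():
    return detect(build_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Every alert the run produces concerns bob: five off-hours events, four reads of a resource outside his routine, and one daily-volume spike, while alice's ordinary morning produces nothing. In practice the baseline window would be weeks rather than three days and the rules would feed a scoring step rather than firing one alert per event, but the shape of the logic is the same.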
- Block Transfers of Sensitive Files to External Clouds
The cloud has made it easy to work from anywhere and collaborate with everyone. This is a mark of progress, but it comes with challenges.
An employee sending themselves files to work on at home via Google Drive or a file sharing system can be perfectly innocent. But it can also be a violation of regulations requiring that the organization maintain full control of sensitive data like patient info or PII.
Use controls to select which types of files are not allowed to be shared to external accounts or applications. You can choose to assess according to a threat model or compliance obligations.
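One way to express the "which files may leave" control as code, added here as an example and not taken from the post or from any DLP product. A file headed for an external account is classified by its type and by simple content checks (an SSN-shaped pattern, a Luhn-valid card number, a patient-record marker), and the policy blocks the share only when the destination is external and a sensitive label was found. The internal domain, the blocked extensions and the patterns are assumptions chosen for the example.

```python
"""Added example: classify a file and decide whether it may be shared to an external destination."""
import re

# Constructed policy values (assumptions for this example, not from the post).
INTERNAL_DOMAINS = {"corp.example"}
BLOCKED_EXTENSIONS = {".pst", ".sql", ".bak"}   # file types that never leave, whatever they contain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
PATIENT_MARKER = re.compile(r"\b(?:MRN|Patient ID)\s*[:#]", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum, so that an arbitrary 16-digit reference number does not trip the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(name, content):
    """Return the set of sensitivity labels found in a file (empty set means nothing detected)."""
    labels = set()
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        labels.add("restricted_type")
    if SSN_RE.search(content):
        labels.add("pii")
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("payment_card")
            break
    if PATIENT_MARKER.search(content):
        labels.add("phi")
    return labels


def decide(name, content, destination):
    """Allow or block a share. Internal destinations always pass; external ones pass only clean files."""
    domain = destination.rsplit("@", 1)[-1].lower()
    labels = classify(name, content)
    if domain in INTERNAL_DOMAINS:
        return ("allow", "internal destination")
    if labels:
        return ("block", "external share of " + ",".join(sorted(labels)))
    return ("allow", "no sensitive content detected")


if __name__ == "__main__":
    # Constructed sample shares.
    for args in [("plan.txt", "Q3 marketing plan", "partner@gmail.com"),
                 ("customers.csv", "Jane Doe, 123-45-6789", "me@gmail.com"),
                 ("chart.txt", "MRN: 44821 follow-up", "nurse@corp.example")]:
        print(args[0], "->", decide(*args))
```

The content checks are deliberately simple; a production control would add document fingerprints and classification labels applied at creation time. The point the example makes is the structure: classify first, then let the destination and the threat model or compliance obligation decide, so the same classifier can serve both.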
- Make Multi-Factor Authentication (MFA) Mandatory
According to Microsoft, “MFA can block over 99.9 percent of account compromise attacks.”
The veracity of this statement is questionable given the ability of attackers to bypass MFA with a little bit of clever phishing, but the point stands.
It is way too easy for an attacker to find an employee’s credentials in a dump online and then attempt to log in to their accounts. Adding MFA creates an additional step that can slow attackers down and raise the cost for them in terms of how much time they are willing to invest in targeting you.
- Run User Risk Assessments
Ideally we would want to give everyone our full attention when it comes to monitoring their behavior. But we need to be smart with our time and resources, harnessing a bit of automation to help us focus where it counts most.
Build a threat model, primarily around those privileged users with the most access to sensitive resources, and understand which ones pose your biggest risks, and which lower privileged users require less of a direct touch.
You can log sessions, track their access to PII or payment data, and take additional steps to ensure that the users you have identified as higher risk are acting securely. Set automated alerts to get notified of suspicious activity.
Turn the Odds in Your Favor
Given the rising trend of insider threats, chances are that an incident will occur at some point during the year.
In 2022, 67% of organizations experienced at least 21 insider threat incidents. Regardless of the motivation, these cases can cost organizations valuable time and money.
Using the right combination of person-based engagement and automated monitoring tools, organizations can take actionable steps to protect themselves from insider threats.