Last week DTEX released the 2023 Cost of Insider Risks Global Report, independently conducted by Ponemon Institute.
The study is the largest of its kind, featuring data-driven insights and responses from 1,075 IT and IT security practitioners from 309 organizations that experienced one or more insider incidents over the past year.
The most salient findings from the 2023 Cost of Insider Risks Global Report include:
➡ $16.2M average annual cost of an insider risk per organization (40% increase over four years)
➡ 86 days average time to contain an insider incident
➡ The longer it takes to respond, the higher the cost ($18.3M at 91 days)
➡ Only 8.2% of annual IT security budgets allocated to insider risk management
➡ And, of that 8.2%, 91.2% is dedicated to post-incident activities.
The silver lining?
➡ 77% of companies have started or are planning an insider risk program
➡ 58% say current funding on insider risk management is inadequate
➡ 46% will increase insider risk management funding in 2024
➡ 64% view AI/ML as essential or very important in the proactive detection of insider threats.
Our infographic below illustrates an important lesson: It pays to be proactive.
Understanding Risk: The First Step to Getting “Left of Boom”
What makes the 2023 Cost of Insider Risks Global Report unique is the focus on insider risks as opposed to insider threats, and the insights into how organizations are funding their insider risk programs.
For the first time, we intentionally called the report The Cost of Insider ‘Risks’. Why? Because, as the findings show, most incidents (75%, in fact) are the result of ‘non-malicious’ insiders – not ‘threats’. And to curb the cost and time of resolving insider incidents, a human-centric approach that exercises proportionality is key. To exercise proportionality, one must first understand the types of insider risks.
There is a huge educational piece that must be had around the way we define, discuss and address insiders. DTEX has long advocated MITRE Corporation’s Insider Threat Types, because they provide a solid framework for understanding risk from a human lens (which is critical when trying to solve what is fundamentally a human challenge).
Per MITRE’s framework, the insider types are:
- Malicious: An insider who seeks to cause harm (e.g. espionage, IP threat, unauthorized disclosure, sabotage, fraud, workplace violence)
- Non-malicious: An insider who does not seek to cause harm:
- Negligent: Causes harm through carelessness or inattentiveness (e.g. ignores warnings)
- Mistaken: Causes harm through a genuine mistake that cannot be attributed to carelessness (e.g. pressing the wrong button in a noisy environment)
- Outsmarted: Causes harm through being reasonably outmaneuvered by an attack or adversary (e.g. being phished).
By understanding and having a common language for defining and discussing insider risks, practitioners can exercise proportionality in their resolution in a way that is both cost effective and fair.
By contrast, when organizations attempt resolution with a ‘one size fits all’ approach, they risk dismantling the trust of their workforce and jeopardizing the very mitigation they were striving for.
Insider Risk Budgets: Setting the Benchmark
As highlighted above, this year’s report features first-time insights on how organizations are funding their insider risk programs. Respondents were quizzed on how they spend their insider risk budgets, where their insider risk program resides within their organization, and the factors that make for a successful insider program; download the report for the complete findings.
As per the conclusions: “To date, most budgets have been pivoted on post-incident activities. In fact, of the 8.2% budget allocated to insider risk management, 91.2% was spent reacting to the incident. This has to change.”
The conclusions show a chart of insider risk cost vs budget by employee count. For IT and security practitioners, this is a handy resource to show executives and decision-makers, as it clearly demonstrates that budgets are being misspent on “symptom management”. Importantly, it highlights the need to focus on the root cause by prioritizing insider risk management with a proactive and human-centric approach.
There is a wealth of useful insights to be gained from the 2023 Cost of Insider Risks Report. If you’ve already downloaded the report and are hungry for more commentary, be sure to rewatch the Conversations from the Inside videocast featuring Dr. Larry Ponemon and DTEX CTO Rajan Koo.
Alternatively, contact us for a discussion on how you can maximize your insider risk program and budget to get “left of boom.”