How to Get Buy-In for Your Insider Risk Management Program

Insider risk is a critical yet sometimes misunderstood or overlooked aspect of business risk. Many organizations lack robust Insider Risk Management (IRM) programs, relying on point products like Data Loss Prevention (DLP), User Activity Monitoring (UAM), and User and Entity Behavior Analytics (UEBA). While these tools offer some protection, in isolation, they lack the behavioral context that’s required to address the core issue: the human element. Additionally, many companies can’t quantify insider risk, or the impact of an insider incident that results in loss of IP, making it difficult to prove return on investment (ROI) for their IRM program. This in turn makes it more difficult to secure adequate budget and buy-in.

The truth is insider risk is often the missing piece of a well-oiled cybersecurity program. This is especially true at companies without large security budgets or regulation driving necessary programs. With so much focus on external threats, it’s not uncommon for companies to underestimate the risks from the people with authorized access. Regardless of the insider’s intention, the monetary damage can be quite high; the average cost of an insider incident is $16.2 million, and the longer it takes to contain the incident, the higher the cost. This doesn’t even account for reputational impact and the net effect on the bottom line.

Attackers have not overlooked the propensity to underestimate insider risks. In fact, they are exploiting it. External attackers are now purchasing access from insiders, blackmailing insiders, or compensating insiders to steal data on their behalf. Our DTEX i³ investigators have also had experience with nation state espionage, where the agent has tried (but failed) but steal IP.

Recent blogs and news articles have highlighted how North Korea military personnel are leveraging AI to gain employment at legitimate companies, only to quickly install malware or try to steal intellectual property. In fact, DTEX caught one such person during the interview process.

However, despite the amount of damage an insider can cause an organization, budgets to address and prevent insider risks aren’t keeping up. In fact, 88% of organizations allocate less than 10% of their cybersecurity budget toward IRM, while the bulk of their cybersecurity budget goes toward external threats.

So how can security teams get executive buy-in for IRM without having to go through a costly and (sometimes) very public incident? It starts with executive education and a thorough understanding of business risk from the security team.

Raising awareness of what constitutes insider risk

Insider risk doesn’t generate the same type of buzz as a ransomware cybercrime ring or a nation-state actor trying to infiltrate critical infrastructure, outside of certain government circles. Yet when insider activity does make the headlines, it is usually a shocking betrayal of trust that casts a negative shadow over the entire organization.

Cyber incidents already bring reputational damage to organizations; but an insider-caused event can cause even more reputational damage due to the loss of trust about the victim organizations’ own employees.

Senior management may also lack awareness about what constitutes insider risk and how damaging it can be. It can be difficult to quantify the risk from an insider incident or even to quantify the value of lost data. Some organizations have built programs where they quantify the value of critical data and are able to justify the existence of their IRM program through the amount they save their organization every time an insider is caught trying to steal data or take data when they leave the organization. Additionally, it’s difficult to properly monitor what employees are doing with their credentials and their access to systems, and organizations want (and need) to trust their employees.

Why business leadership should take insider risk seriously

CISOs allocate budgets based on what their perceived biggest security risk areas are. For example, a Deloitte study found that in the financial industry, digital transformation is driving cybersecurity spending, followed by regulatory compliance concerns. Overall, much of the CISO’s budget goes to staffing or into IT costs. But if you search for information on the top areas of cybersecurity spending, you’ll find ransomware and phishing, threat detection and endpoint security. What you don’t find on many of those lists is IRM or insider threat protection.

Cyber incidents caused by insider risks, whether intentional or unintentional, could result in millions of dollars in lost revenue, fines, and other fees. The DTEX and Ponemon study found that it takes, on average, 86 days to contain an insider incident. If it takes just five more days or more before the incident is discovered and contained, the costs jump up 13% to $18.33 million.

Business executives understand that all insiders, intentionally or not, pose risk to their organization and it’s the security team’s job to implement a program to prevent risks from turning into threats or incidents. Insider risk can stem from poor cybersecurity awareness training, lack of awareness of company policies, or lack of understanding the value of company IP. It could also stem from a serious life event, like a family member’s cancer diagnosis or a partner’s lost income. Both scenarios have the potential to turn a benign insider into an insider threat. Sometimes, the insider unintentionally becomes a threat. In other cases, the insider may accept money from an external threat actor in exchange for insider information or credentials.

Insider risk can also have a trickle-down effect. For example, a former employee of an IT vendor continued to have access after termination. The former employee took revenge by accessing the medical records of more than a million patients of a medical company that used the IT vendor for technology services. The failure to protect from insider risks and threats in one company is now leading to significant financial and reputational damage to a third party.

Regardless of how insider risk manifests, the truth is that insider risk touches all cybersecurity and business risks. It is a complex human-centric challenge that requires the right funds and attention to drive positive change and proactive protection. This is especially so with the advent of AI and background geopolitical tensions adding more capability and incentive to target and exploit insiders.

Having the conversation with business leadership

Educating senior leadership about the business, financial, and security risks associated with insiders is crucial before seeking additional budget. Senior leadership needs to understand the risk insider threats pose to their organization compared to all the other business risks they are faced with daily.

Organizations need to ensure they are not overspending on any aspect of their security program, and that new technologies they spend money on deliver better value and a lower total cost of ownership (TCO) than what currently implemented. One clear way to highlight the risk from insider threats is to use recent headline examples from your industry.

The sample list below clearly demonstrates the risk from insiders, and why having a robust IRM program is important:

• Malicious actors are spoofing real URLs and email addresses from legitimate companies to launch phishing attacks, designed to exploit user behaviors.
• When a company has thousands of endpoints, it increases the opportunity for insider risk through compromised, shared, stolen or lost devices.
• An employee’s use of a thumb drive ends up infecting devices across multiple retail locations.
• An accidental misconfiguration in code by an employee leads to exposed sensitive data.
• The leak of classified Pentagon documents through a popular messaging platform.
• Two former Tesla employees leaked more than 75,000 individuals’ personal information to a foreign media outlet.
• Google engineer steals AI trade secrets for Chinese companies.

Action items for securing buy-in for your insider risk program

Asking for more budget is never easy, so it’s imperative to show the business value and long-term cost prevention or ROI. Long-term cost prevention manifests through not paying to investigate a breach, preventing a breach in the first place, preventing IP from being taken by exiting employees, and through tool consolidation and capabilities aggregation. The cheaper solution is often the least impactful and will return the lowest amount of long-term cost prevention.

When making the case for additional budget for your IRM program, there are some clear steps to take. The following list summarizes those steps:

• Present the budget ask as a business enabling expense rather than an additional security expense. Even though the budget will likely be assigned to the CISO, IRM is a business risk just as much as it is a security risk.
• Discuss insider risk and its relationship to regulatory compliance in your industry. Insider risk management programs should be part of the organization’s risk and governance programs.
• Prepare a realistic IRM program budget, complete with the necessary tools, training, and headcount. It’s important not to underfund the program such that you need to request additional budget after the first ask. It’s also important to understand your organization’s risk tolerance, data sensitivity, systems architecture, infrastructure, etc., ensuring the program is comprehensive and tailored for your environment.
• Develop a quantifiable method for tracking the ROI of the IRM program. Quantifiable ROI always helps justify additional spend because senior leadership can quickly understand the value for their money. Showing the numbers of cost versus business outcomes is necessary. Some ways to quantify the ROI from the spend are by assigning a value to specific IP (research funding, sales, etc.) to determine how much it would cost if the data was taken.

The threat landscape is rapidly shifting, with attackers now frequently leveraging insiders to access sensitive information. As a result, the distinction between external and internal threats is becoming increasingly blurred, making it harder to identify and mitigate risks. Insider risk management presents a powerful opportunity to significantly and proactively reduce the risk from insider and external threats while simultaneously ensuring a trusted and protected workforce. Understanding the risk from insiders and how insiders contribute to the risk profile of an organization will help to properly justify budget for a comprehensive IRM program. Many of our customers have chosen to make IRM a board and c-level issue and have worked with us to build world class IRM programs. We’re here to help.

Quick FAQ

What is the cost of insider risks?

The cost of insider risks has surged significantly, now averaging $16.2 million annually—up 40% over the past four years, according to the 2023 Cost of Insider Risks Global Report by Ponemon Institute and DTEX Systems. This increase reflects both direct costs and the growing complexity of managing insider insiders. On average, it takes 86 days to contain an insider incident, with costs rising to $18.33 million for incidents that extend beyond 91 days.

Despite these high costs, organizations typically allocate less than 10% of their IT security budget to insider risk management (IRM). This inadequate funding often results in reactive rather than proactive measures. Notably, 58% of organizations view their current insider risk budgets as insufficient, prompting many to plan increased investments in 2024.

The majority of insider incidents are attributed to non-malicious actions, such as negligence or mistakes, underscoring the need for better proactive measures. Effective IRM requires a strategic approach, integrating technology and human factors, to reduce costs and enhance overall security.

What is insider risk management?

Insider risk management (IRM) is a strategic approach designed to identify, assess, and mitigate risks posed by individuals with access to an organization’s critical assets and data. This includes employees, contractors, partners, and other third parties who may act with either malicious or non-malicious intent. The primary objective is to protect the organizations and government entities from data theft, espionage, system sabotage, fraud, as well as other external or third-party attacks that involve exploitation or collusion with an insider.

IRM blends behavioral science with technology, emphasizing a holistic approach that integrates people, processes, and technology. It typically operates under a dedicated IRM program that identifies potential risks, monitors user behavior, implements security controls, and promotes a culture of security awareness and mutual trust. Effective IRM balances data-driven technical solutions with human-centered approaches, ensuring both the protection of organizational assets and the preservation of employee privacy.

Collaboration across departments (often HR, legal, IT, security, and risk) and clear communication are critical for a unified approach to mitigating insider risks. By leveraging data, controls, and expertise from across the organization, IRM aims to detect and address insider risks comprehensively and proportionately, aligning with broader risk management strategies to ensure consistent handling of all enterprise-level risks.

Download the latest Global Cost of Insider Risks Report to understand the insider risk landscape, the power of being proactive, and how organizations are planning to navigate insider risk management in 2024 and beyond.