Following the release of the 2023 Cost of Insider Risks Global Report, we are happy to present the key takeaways from our latest videocast, featuring DTEX CTO Rajan Koo and Dr. Larry Ponemon. Hosted by cybersecurity expert Christopher Burgess, this episode of Conversations from the Inside covers must-know insights for how to slash the $16.2M cost of insider risks.
It Pays to be “Left of Boom”
Unlike previous reports, this year’s report shifts the focus from insider threats to insider risks – hence the title, Cost of Insider “Risks”. This was a very intentional decision on our part, as we felt it was important to broaden the aperture to examine insider risk more holistically. Part of that broader examination is a focus on insider risk program budgets – a first in this year’s report.
While most people’s attention will be drawn to the big number ($16.2M, the average annual cost of insider incidents), the average number of days to contain an incident is equally important, this year stretching to 86 days. The longer it takes to respond, the more it costs. During their conversation, Dr. Ponemon, Rajan and Christopher talked about the comparative impact of spend before and after an insider incident. When the focus is on risk mitigation and prevention as opposed to incident response and containment, enterprises can minimize the cost of insider risk before it becomes a costly problem.
And speaking of costs, our experts talked about a conversation that’s taking place in many organizations today: budgetary responsibility for insider risk programs. It’s a responsibility that has fallen predominantly to IT and security teams, but as they discussed, it’s one that should be shared by departments organization-wide, including legal, HR, risk and compliance.
Where There’s a Will, There’s a Way
When people hear about insider risk, it’s easy for the mind to immediately draw connections to high-profile examples like Edward Snowden, where an employee makes a conscious decision to exfiltrate data or cause harm. But the report found that most insider incidents are caused by non-malicious insiders. In this discussion, our experts talked about the types of non-malicious insider risks – negligent, mistaken and outsmarted – that make up the vast majority (75%) of incidents.
It’s an interesting conversation; as Christopher said, “People are like water… they’ll find a way.” Our experts noted in the discussion that the elements that make humans risky are not necessarily failures. Often, it’s an employee who is looking for ways to be productive who introduces the greatest level of risk. When your best and most productive workers are doubling as your riskiest workers, it points to the need to educate employees and help them understand the role that each individual plays in establishing a culture of security.
While the cost of insider incidents has never been higher, there are signs of positive change on the horizon. Insider risk programs are maturing, and a majority of companies (77%) are either putting in place or planning to put in place insider risk programs. While nearly a quarter of organizations have existing insider risk initiatives as part of their broader cybersecurity program, 27% are already rolling out dedicated insider risk programs. This is a level of maturity that would have been unheard of just a few years ago.
As per the discussion, the report also found that pre-incident mitigation is the fastest-growing cost center for insider risk management. While these line items, which include monitoring and ex-post analysis, still only account for 10% of insider risk management budgets, respondents acknowledged the need to invest more in these areas.