Keeping up to date with the latest statistics on insider threats is critical for your organization to be proactive and mitigate potential risks.
This post outlines key findings from industry experts and shows recent insider threat facts and examples to help you better understand the risks and adjust your cybersecurity measures.
Research on insider threat statistics
We’ve selected insider threat cybersecurity statistics from some of the most credible reports that provide key information on insider threats, the techniques and methods behind them, and the cost of their remediation:
Top 3 insider threat actors and incidents from 2022
Any company can have a malicious insider.
The 2023 Insider Threat Report by Cybersecurity Insiders states that 74% of organizations are at least moderately vulnerable to insider threats. And that’s understandable — in 2022, we saw lots of malicious insider attacks and leaks caused by user negligence.
Companies continue to suffer from insider threats coming from these types of actors:
Regular employees have limited capabilities compared to privileged users, but they can still harm your organization. For instance, they can misuse corporate data, install unauthorized applications, send confidential emails to the wrong address, or become the victim of a social engineering attack.
An example of an insider attack by a regular employee:
|Type of incident||Data theft by a departing employee|
|In May 2022, Yahoo’s senior research scientist Qian Sang stole confidential information about Yahoo’s AdLearn product. The compromised data included 570,000 files containing source code, backend architecture information, secret algorithms, and other intellectual property. Sang downloaded this data to his personal storage devices minutes after receiving a job offer from one of Yahoo’s competitors. After discovering the incident, Yahoo has since filed three charges against Sang, including for IP data theft, asserting that his actions exposed the company’s trade secrets, giving competitors a significant edge.|
Privileged users are administrators, C-level executives, and others with a high level of access privileges. Privileged users hold the keys to your organization’s critical infrastructure and sensitive data, which is why they can deal great insider threat damage to your organization.
An example of an insider threat caused by a privileged user:
|Type of incident||Cloud misconfiguration by a system administrator|
|In March 2022, a group of cybersecurity enthusiasts notified Pegasus Airlines that 6.5 terabytes of their sensitive data were exposed online. This happened because a system administrator had failed to properly configure the cloud environment that stored these records. The breach could have affected thousands of passengers and crew members. By exposing staff’s PII, the airline breached the Turkish Law on the Protection of Personal Data (LPPD), which can lead to a maximum fine of approximately $183,000.|
Third parties are vendors, subcontractors, business partners, and supply chain entities that have access to your IT systems or data. Third parties may fail to follow your organization’s cybersecurity rules or violate them through malicious actions. Also, hackers can breach a poorly secured third-party vendor to get inside your protected perimeter.
An example of a third-party insider risk:
|Type of incident||Data breach at a supplier|
|In February 2022, Toyota halted operations in Japan due to a data breach at their plastic parts supplier, Kojima. As Kojima had access to their manufacturing plants, Toyota had to shut down operations to safeguard their data. Because of this shutdown, the company couldn’t manufacture 13,000 cars, or 5% of their monthly production plan. The breach also impacted some operations of Toyota’s subsidiaries, resulting in reduced production and potentially affecting their bottom line. The attack happened right after Japan joined Western allies in imposing sanctions on Russia for the invasion of Ukraine, although it is uncertain whether the attack was related.|
Privilege misuse is listed among the top reasons for data breaches in Verizon’s 2022 Data Breach Investigations Report. We take a closer look at insider attack vectors in the next section.
Common insider attack vectors in 2022
The groups of insiders we’ve outlined can commit data crimes in numerous ways: online or offline, intentionally or unwittingly.
Verizon’s 2022 Data Breach Investigations Report outlines two common vectors of insider threats:
Privilege misuse means using privileged access in an inappropriate way. Verizon’s 2022 Data Breach Investigations Report says that 78% of all privilege misuse cases are financially motivated. The two most common types of privilege misuse are privilege abuse and data mishandling.
Privilege abuse accounts for up to 80% of all privilege misuse cases and refers to fraudulent or malicious activity with privileged access rights. Data mishandling accounts for up to 20% of privilege misuse incidents and involves insiders handling sensitive data carelessly. Unlike privilege abuse, data mishandling incidents don’t usually have malicious intent behind them.
Miscellaneous errors are committed unintentionally by internal actors according to the Verizon 2022 Data Breach Investigations Report. Top insider groups that commit such errors are usually privileged users (system administrators and developers) and other end users. Their top errors are:
Main reasons for insider threat incidents
Let’s now consider a slightly different classification of insider threats by root cause. The 2022 Cost of Insider Threats Global Report by the Ponemon Institute outlines the following causes of insider threat incidents:
Credential theft is one of the most common ways to get inside an organization’s protected perimeter. Using legitimate credentials, hackers can operate undetected inside a system for quite some time. To obtain user logins and passwords, perpetrators use social engineering, brute forcing, credential stuffing, and other attack vectors.
Criminal and malicious insiders
Criminal and malicious insiders pose a significant threat, as they know your organization’s cybersecurity measures and sensitive data. Leveraging this knowledge, they may steal or leak data, sabotage operations, or provide external attackers with access to your resources.
Employee or contractor negligence
Employee or contractor negligence causes most insider threat security incidents, but the results of such incidents generally cost the least to mitigate. Examples of human error are sending sensitive data to the wrong recipient, misconfiguring an environment, and using unsafe work practices.
Factors contributing to new insider threat risks
According to Gartner, the expansion of the attack surface was a cybersecurity trend in 2022. The trend is here to stay, as hybrid office, public cloud, and supply chain risks create new insider threat challenges.
Cloud insider attacks
Cloud insider attacks are those committed by insiders who have gained access to or permanently have access to the cloud environment. According to the 2023 Insider Threat Report by Cybersecurity Insiders, 53% of cybersecurity professionals believe that detecting insider attacks is harder in the cloud than in an on-premises environment.
Supply chain attacks
Supply chain attacks target vulnerabilities in a company’s third-party suppliers or partners to gain unauthorized access to the company’s systems or data. Gartner predicts that software supply chain attacks will afflict 45% of organizations by 2025, which is a threefold increase from the number recorded in 2021.
Hybrid office environments
The hybrid office environment is yet another factor gaining traction. In a hybrid office environment, employees combine remote work with on-site work in the office. According to the 2023 Insider Threat Report by Cybersecurity Insiders, 68% of respondents are concerned about insider risks as their organizations return to the office or transition to hybrid work.
Insider threats are becoming more frequent
The percentage of insider threats keeps rising. Despite evolving insider risk management capabilities, 74% of organizations surveyed for the 2023 Insider Threat Report by Cybersecurity Insiders say there’s a rise in insider threats.
The 2022 Cost of Insider Threats Global Report by the Ponemon Institute confirms that insider threats caused by three key threat actors have become more frequent:
Now, let’s see how the rising frequency of insider threat data breaches influences the cost and time needed for response and remediation.
The cost of insider threats keeps rising
82% of organizations surveyed for the 2021 Insider Threat Report by Cybersecurity Insiders couldn’t determine the actual damage that an insider attack caused. Quantifying the impact of an insider attack is challenging, since there are different types of damage and the outcomes of an attack are frequently non-linear and unclear.
The total cost of an insider threat includes three components:
These costs keep rising each year.
The Ponemon Institute conducted three studies on the cost of insider threats: in 2018, 2020, and 2022. According to these studies, the total average cost of insider threats increased by 76% between 2018 and 2022.
Companies from North America suffer the most from insider attacks and their consequences: the average cost in this region increased from $11.1 million to $17.53 million in four years.
The average total spending on a single insider threat incident also went up 85% between 2016 and 2022. Mitigating insider threats involves spending on monitoring, investigation, escalation, incident response, containment, ex-post analysis, and remediation.
To prevent the devastating consequences of these insider threat trends, you need to detect threats posed by employees in a timely manner — but that’s not as easy as it seems.
Detecting and preventing insider attacks takes time
The longer an insider incident goes undetected, the harsher the consequences. Some breaches may go undetected for months or even years.
Detecting activity of malicious insiders is challenging, as they know exactly where sensitive data is stored and which cybersecurity solutions are implemented. Detecting unintentional insiders is also challenging, as it involves tracking all actions of all users in your organization.
It takes 85 days on average to detect and contain an insider threat incident, according to the 2022 Cost of Insider Threats Global Report by the Ponemon Institute. Only 12% of insider-related incidents are contained in fewer than 31 days.
Around half of respondents to a 2021 survey by the Ponemon Institute said that detecting and preventing an impending attack by a malicious insider was very difficult at each stage of intrusion:
Let’s find out what strategy you can use to detect and prevent dangerous insider activity and handle insider risks.
What is the best strategy for protecting against insider threats?
Increasing insider risks necessitate the use of advanced procedural and technological insider threat protection measures.
Tools companies use for detecting and preventing insider fraud, data theft by employees, and other threats are based on unified visibility, meaning that all user activity can be seen from one place. The majority of surveyed organizations in the 2021 Insider Threat Report by Cybersecurity Insiders considered unified visibility to be important.
With so many cybersecurity tools on the market, it’s hard to focus on a particular line of defense and choose the insider threat management software that delivers the best result with the minimum effort.
Privileged access management (PAM), user and entity behavior analytics (UEBA), and data loss prevention (DLP) are the top three technologies for preventing insider threats according to the 2022 Cost of Insider Threats Global Report.
Ekran System is an all-in-one insider risk management solution that uses most of these methods to efficiently detect and prevent insider threats within your organization:
- Privileged access management (PAM) capabilities of Ekran System allow you to secure and granularly control access for all users in your organization. The PAM functionality in Ekran System is enhanced with access request and approval procedures, two-factor authentication (2FA), password management, and other functionalities.
- User activity monitoring (UAM) capabilities of Ekran System allow you to monitor and record user activity across all of your organization’s endpoints, enabling you to increase visibility, detect insider threats, and gather cybersecurity evidence. Ekran System supports monitoring on various platforms including Windows, Linux, and macOS.
- Incident detection and response functionality in Ekran System offers real-time alerting that allows your security officers to quickly detect and respond to insider threats. You can also configure the system to respond to threats automatically. On top of rule-based alerting, Ekran System has an AI-based UEBA module that helps you detect insider threats by comparing users’ activity to their baseline behavior.
Ekran System also offers robust reporting, investigation, and data anonymization capabilities that can help you comply with the requirements of popular cybersecurity laws, standards, and regulations. For better usability, you can integrate Ekran System into your organization’s existing SIEM system.
We’ve analyzed the most informative and comprehensive studies with insider threat statistics to provide you with relevant insights and give you an idea of what adjustments your organization’s cybersecurity needs. Our key findings in insider threat analytics show that:
- The frequency of, cost of, and time for detecting and preventing insider attacks keep rising.
- The main insider threat actors are the same as always, affecting corporate security either knowingly or unintentionally.
- Security teams face new challenges with expanding attack surfaces, growing hybrid office environments, and increasing reliance on cloud services.
- New insider threat challenges require applying sophisticated new technological solutions.
Implementing comprehensive insider threat software such as Ekran System can help your organization secure sensitive data from malicious and inadvertent insiders.
Check out our demo to see how Ekran System can benefit your organization’s cybersecurity today!