
Insider Threat Statistics for 2024: Reports, Facts, Actors, and Costs


Keeping up to date with the latest statistics on insider threats is critical for any organization that wants to be proactive in reducing potential risks. Being aware of current insider risks enables you to take the appropriate measures to mitigate them.

This article outlines key facts endorsed by industry experts, discusses the findings revealed by insider threat research, and shows examples of damaging insider incidents. Keep reading so you can make informed decisions when creating or modifying your insider threat program.

Research on insider threat statistics

To provide you with the most relevant information and facts, we’ve referenced the most credible insider risk reports:

Insider risk research reports


  • Cost of Insider Risk Global Report by Ponemon Institute
  • Insider Threat Report by Cybersecurity Insiders
  • Cost of a Data Breach Report by IBM Security
  • Data Breach Investigations Report by Verizon

These insider risk research reports provide key information on insider threats, the techniques and methods employed by threat actors, and the cost of remediation.

Top 3 insider threat actors and incidents from 2023

Any company can have a malicious insider.

The Insider Threat Report 2023 by Cybersecurity Insiders states that 74% of organizations are at least moderately vulnerable to insider threats. And that’s understandable — in 2022, lots of malicious insider attacks and leaks were caused by user negligence.

Companies continue to suffer from insider threats coming from these types of actors:

[Figure: most common insider threat actors according to the 2024 insider threat report]

Regular employees

Regular employees have limited capabilities compared to privileged users, but they can still harm your organization. For instance, they can misuse corporate data, install unauthorized applications, send confidential emails to the wrong address, or become the victim of a social engineering attack.

Thus, phishing and compromised credentials were the two most common initial attack vectors in data breaches, according to the 2023 Cost of a Data Breach Report by IBM Security.

An example of an insider attack by a regular employee:

Affected entity

Incident type: Social engineering attack


  • More than 36 hours of IT downtime
  • Nearly $10 million in one-time expenses
  • An estimated $100 million loss on adjusted property earnings before interest, taxes, depreciation, amortization, and rent
  • Reputational damage

In September 2023, a cybercriminal group called Scattered Spider conducted a successful social engineering attack targeting an employee of MGM Resorts International. By analyzing the employee’s account on LinkedIn and impersonating them on a call to the help desk, malicious actors managed to gain access to the organization’s network.

As the attack progressed, hackers gained super administrator privileges to MGM’s Okta, obtained Global Administrator privileges to their Azure tenant, launched ransomware attacks, and exfiltrated data.

To prevent further unauthorized access and data exfiltration, the organization had to shut down certain services. As a result, many customers were unable to enter their hotel rooms, use the elevators, or operate gaming kiosks and consoles in the organization’s facilities. Disruptions led to huge operational, financial, and reputational losses.

Third parties

Third parties are vendors, subcontractors, business partners, and supply chain entities that have access to your IT systems or data. Third parties may fail to follow your organization’s cybersecurity rules or violate them through malicious actions. Additionally, hackers can target a poorly secured third-party vendor to get inside your protected perimeter.

The 2023 Cost of a Data Breach Report by IBM Security shows that data breaches resulting from a software supply chain compromise cost 8.3% more and take 8.9% longer to identify and contain than other data breaches.

An example of a third-party insider risk:

Affected entity

Incident type: Zero-day vulnerability exploitation


  • Customers’ sensitive data leaked
  • Reputational losses
  • Potential legal liabilities

In June 2023, Zellis, a payroll provider serving the UK and Ireland, faced a significant data breach due to a zero-day vulnerability attack on its subcontractor. MOVEit, Zellis’s file transfer software, had a critical vulnerability that hackers exploited to gain access to Zellis’s system and steal their customer data.

Among the Zellis customers whose data was compromised were big organizations, including British Airways, the BBC, Shell, and Boots.

Privileged users

Privileged users are administrators, C-level executives, and others with a high level of access privileges. Privileged users hold the keys to your organization’s critical infrastructure and sensitive data, which is why they can pose a major insider threat to your organization.

Privilege misuse is among the top eight patterns found in data breaches, according to Verizon’s 2023 Data Breach Investigations Report.

An example of an insider threat caused by a privileged user:

Affected entity

Incident type: Data exfiltration


  • Leak of classified government and military data 
  • Threat to national security 
  • Risk of losing advantages over adversaries
  • Risk of hindering the relationships with allies

In April 2023, the FBI arrested Jack Teixeira, a member of the Massachusetts Air National Guard, who was implicated in a Pentagon intelligence breach. Teixeira held a Top Secret security clearance and had access to classified US documents.

Over the course of several months, he had been sharing top-secret intelligence with his friends on Discord. The leaked data contained highly sensitive classified information about the US government and military operations as well as critical information about the ongoing war in Ukraine.

Now that we’ve examined some of the major insider-related security incidents of 2023, let’s take a close look at the most common insider attack vectors.


Common insider attack vectors in 2023

The insider categories we’ve looked at can commit data crimes in numerous ways: online or offline, intentionally or unwittingly.

Verizon’s 2023 Data Breach Investigations Report outlines two common insider threat vectors:

[Figure: most common insider threat vectors according to the insider threat report 2024]

Privilege misuse

Privilege misuse means using privileged access inappropriately. Verizon’s 2023 Data Breach Investigations Report says that 89% of all privilege misuse cases are financially motivated.

[Figure: insider threat statistics 2024 on most common motives for privilege misuse]

The most common type of privilege misuse is privilege abuse. It accounts for the majority of all privilege misuse cases and refers to fraudulent or malicious activity with privileged access rights.

Miscellaneous errors

Miscellaneous errors are committed unintentionally by internal actors, according to the 2023 Data Breach Investigations Report by Verizon. The main insider groups that commit such errors are usually privileged users (developers and system administrators) and other end users. Their top errors are:

[Figure: insider threat statistics 2024 on most common errors by insiders]

Main reasons for insider threat incidents

Let’s now consider a slightly different classification of insider threat incidents: the root causes. The 2023 Cost of Insider Risk Global Report by Ponemon Institute outlines the following causes of insider threat incidents:

[Figure: 2024 insider threat report on most common causes of insider-driven security incidents]

Credential theft

Credential theft is one of the most common ways external attackers get inside an organization’s protected perimeter. Using legitimate credentials, perpetrators can operate undetected inside a system for quite some time. To obtain user logins and passwords, perpetrators use social engineering, brute force attacks, credential stuffing, and other attack vectors.

Malicious intent

Insiders with malicious intent are harder to detect than external attackers or hackers, as they know your organization’s cybersecurity measures and sensitive data. Leveraging this knowledge, they may steal or leak data, sabotage operations, or provide external attackers with access to your resources. Security incidents involving malicious insiders cost organizations the most.

Employee or contractor negligence

Insider negligence causes most insider risk security incidents, emphasizing the need for user activity monitoring. Examples of human error are sending sensitive data to the wrong recipient, misconfiguring an environment, and unsafe work practices.

Factors contributing to the complexity of detecting and preventing insider threats

According to the 2023 Insider Threat Report by Cybersecurity Insiders, these are the three most common factors that make timely detection of insider-driven attacks particularly difficult for cybersecurity teams:

Insiders’ legitimate access to an organization’s apps, network, and services

Insiders already have legitimate access to your network, holding a distinct advantage over external attackers. While an external hacker requires time to infiltrate your organization, insiders possess open access to the network areas they work in. That’s why traditional security measures, such as firewalls, don’t work against insider threats.

Wide use of SaaS apps that can leak data (e.g. email, cloud services, social media)

The use of SaaS in an organization makes it difficult for cybersecurity teams to monitor and control access to sensitive data. Insiders can access SaaS from anywhere, anytime. SaaS is also challenging to integrate with security tools, which may lead to gaps in your network security.

Increased use of personal devices for accessing corporate resources

Personal devices that employees use for work often don’t have proper security and monitoring tools installed. Moreover, devices located beyond your organization’s security perimeter pose a significant challenge to the timely detection and mitigation of security incidents.

Insider threats are becoming more frequent

The percentage of insider threats keeps rising. The 2023 Cost of Insider Risk Global Report by Ponemon Institute shows that the share of organizations facing 21 to 40 insider threat incidents per year has grown in recent years.

[Figure: how many companies face 21 to 40 insider incidents per year]

Insider threat incidents caused by each of the three key threat actors have become more frequent as well:

[Figure: 2024 insider threat report on average number of insider incidents by profile]

Let’s now take a look at how the rise in frequency of insider threat data breaches has influenced the time and cost of response and remediation.


The cost of insider threats keeps rising

Quantifying the impact of an insider attack is challenging, since there are different types of damage and the outcomes of an attack may be non-linear and unclear. The total cost of an insider threat incident includes the direct cost of the data breach, indirect costs, and lost opportunity costs.

Components of the total cost of an insider threat incident

  • Direct costs: money needed to detect, mitigate, investigate, and remediate the breach
  • Indirect costs: the value of resources and employee time spent dealing with the incident
  • Lost opportunity costs: potential profit losses due to the attack

These costs keep rising each year.

According to the 2023 Cost of Insider Risks Global Report by Ponemon Institute, the total average cost of insider threat incidents increased by nearly 95% between 2018 and 2023.

[Figure: cost of insider threat report 2024]

Companies from North America suffer the most from insider attacks and their consequences; the average cost in this region increased from $11.1 million to $19.09 million in five years.

The average total spending on a single insider threat incident also went up 80% between 2016 and 2023. Mitigating insider threats involves spending on monitoring and surveillance, investigation, escalation, incident response, containment, ex-post analysis, and remediation.

[Figure: growth of the insider threat cost report 2024]

To prevent the devastating consequences of these trends, you need to detect threats posed by employees in a timely manner — but that’s not as easy as it seems.

Detecting and preventing insider attacks takes time

The longer an insider incident goes undetected, the harsher the consequences. Some breaches may go undetected for months or even years.

Detecting the activity of malicious insiders is challenging, as they know exactly where sensitive data is stored and which cybersecurity solutions are implemented. Spotting unintentional insiders is also tricky, as it involves tracking the actions of all users in your organization.

It takes 86 days on average to detect and contain an insider threat incident, according to the 2023 Cost of Insider Risks Global Report by Ponemon Institute. Only 13% of insider-related incidents are contained in less than 31 days.

[Figure: time to detect insider threat statistics 2024]

The 2023 Cost of Insider Risks Global Report by Ponemon Institute also shows that the longer it takes the organization to respond to a security incident, the higher its cost. The average yearly cost of insider threat incidents taking over 91 days to detect is $18.33 million.

Let’s now explore some strategies you can use to detect and prevent dangerous insider activity and handle insider risks.

What is the best strategy for protecting against insider threats?

The increase in insider risk necessitates the use of advanced procedural and technological insider threat protection measures.

Gartner predicts that half of all medium and large enterprises will adopt formal insider threat programs by 2025, up from 10% in 2023. According to the 2023 Cost of Insider Risks Global Report by Ponemon Institute, 77% of organizations have started or are planning to start an insider risk program.


With so many cybersecurity tools on the market, it’s hard to narrow it down to a particular line of defense and choose the insider threat management software that delivers the best result with the minimum effort.

User training and awareness, data loss prevention (DLP), security information and event management (SIEM), privileged access management (PAM), and user behavior analytics (UBA) are the top five tools and activities for managing insider risks, according to the 2023 Cost of Insider Risks Global Report by Ponemon Institute.

[Figure: most common means for detection of insider threat report 2024]

Ekran System is an all-in-one insider risk management platform that covers most of these methods to help you efficiently detect and prevent insider threats within your organization:

  • Privileged access management (PAM) features allow you to secure and granularly control access for all users in your organization. The PAM functionality in Ekran System is enhanced with access request and approval procedures, two-factor authentication (2FA), password management, and other capabilities.
  • User activity monitoring (UAM) capabilities let you monitor and record user activity across all of your organization’s endpoints, enabling you to increase visibility, detect insider threats, and gather cybersecurity evidence. Ekran System supports monitoring on various platforms including Windows, Linux, and macOS.
  • Incident detection and response functionalities provide real-time alerts that allow your security officers to quickly detect and respond to insider threats. You can also configure the system to respond to threats automatically. On top of its rule-based alert functionality, Ekran System has an AI-based UEBA module that helps you detect insider threats by comparing a user’s activity to their baseline behavior.

Ekran System also offers robust reporting, investigation, and data anonymization capabilities that can help you comply with the requirements of popular cybersecurity laws, standards, and regulations in your area and industry. For better usability, you can integrate Ekran System with your organization’s existing SIEM system.


In this article we’ve examined the most informative and comprehensive studies of insider threat statistics to provide you with relevant insights and give you an idea of what adjustments your organization’s cybersecurity needs. The main takeaways from these insider threat analyses show that:

  • The frequency, cost, and time for detecting and preventing insider attacks are still rising.
  • The main insider threat actors remain the same, affecting corporate security either intentionally or unintentionally.
  • Security teams struggle with managing insider risks due to insiders’ legitimate access to an organization’s resources, wide use of SaaS apps, and increased use of personal devices.
  • New insider threat challenges require applying sophisticated new technological solutions.

Implementing comprehensive insider threat software such as Ekran System can help your organization secure sensitive data from malicious and inadvertent insiders.
