Skip to main content

Request SaaS Deployment

Contact Sales


Insider Threat Statistics for 2023: Reports, Facts, Actors, and Costs


Keeping up to date with the latest statistics on insider threats is critical for your organization to be proactive and mitigate potential risks.

This post outlines key findings from industry experts and shows recent insider threat facts and examples to help you better understand the risks and adjust your cybersecurity measures.

Research on insider threat statistics

We’ve selected insider threat cybersecurity statistics from some of the most credible reports that provide key information on insider threats, the techniques and methods behind them, and the cost of their remediation:

Insider threat reports considered

Top 3 insider threat actors and incidents from 2022

Any company can have a malicious insider.

The 2023 Insider Threat Report by Cybersecurity Insiders states that 74% of organizations are at least moderately vulnerable to insider threats. And that’s understandable — in 2022, we saw lots of malicious insider attacks and leaks caused by user negligence.

Companies continue to suffer from insider threats coming from these types of actors:

Top 3 insider threat actors

Regular employees

Regular employees have limited capabilities compared to privileged users, but they can still harm your organization. For instance, they can misuse corporate data, install unauthorized applications, send confidential emails to the wrong address, or become the victim of a social engineering attack.

An example of an insider attack by a regular employee:

Affected companyYahoo logo
Type of incidentData theft by a departing employee
  • 570,000 files containing intellectual property (IP) stolen
  • Potential loss of advantage over competitors
In May 2022, Yahoo’s senior research scientist Qian Sang stole confidential information about Yahoo’s AdLearn product. The compromised data included 570,000 files containing source code, backend architecture information, secret algorithms, and other intellectual property. Sang downloaded this data to his personal storage devices minutes after receiving a job offer from one of Yahoo’s competitors. After discovering the incident, Yahoo has since filed three charges against Sang, including for IP data theft, asserting that his actions exposed the company’s trade secrets, giving competitors a significant edge.

Privileged users

Privileged users are administrators, C-level executives, and others with a high level of access privileges. Privileged users hold the keys to your organization’s critical infrastructure and sensitive data, which is why they can deal great insider threat damage to your organization.

An example of an insider threat caused by a privileged user:

Affected companyPegasus Airlines logo
Type of incidentCloud misconfiguration by a system administrator
  • 23,000,000 sensitive files exposed: flight data, personally identifiable information (PII), source code from Electronic Flight Bag (EFB) software
  • Safety of passengers and crew members compromised
  • Breached Turkish Law on the Protection of Personal Data
In March 2022, a group of cybersecurity enthusiasts notified Pegasus Airlines that 6.5 terabytes of their sensitive data were exposed online. This happened because a system administrator had failed to properly configure the cloud environment that stored these records. The breach could have affected thousands of passengers and crew members. By exposing staff’s PII, the airline breached the Turkish Law on the Protection of Personal Data (LPPD), which can lead to a maximum fine of approximately $183,000.

Third parties

Third parties are vendors, subcontractors, business partners, and supply chain entities that have access to your IT systems or data. Third parties may fail to follow your organization’s cybersecurity rules or violate them through malicious actions. Also, hackers can breach a poorly secured third-party vendor to get inside your protected perimeter.

An example of a third-party insider risk:

Affected companyToyota logo
Type of incidentData breach at a supplier
  • Disruption of operations
  • Production deficit equal to 13,000 cars
In February 2022, Toyota halted operations in Japan due to a data breach at their plastic parts supplier, Kojima. As Kojima had access to their manufacturing plants, Toyota had to shut down operations to safeguard their data. Because of this shutdown, the company couldn’t manufacture 13,000 cars, or 5% of their monthly production plan. The breach also impacted some operations of Toyota’s subsidiaries, resulting in reduced production and potentially affecting their bottom line. The attack happened right after Japan joined Western allies in imposing sanctions on Russia for the invasion of Ukraine, although it is uncertain whether the attack was related.

Privilege misuse is listed among the top reasons for data breaches in Verizon’s 2022 Data Breach Investigations Report. We take a closer look at insider attack vectors in the next section.

7 Key Measures of an Insider Threat Program for the Manufacturing Industry

Common insider attack vectors in 2022

The groups of insiders we’ve outlined can commit data crimes in numerous ways: online or offline, intentionally or unwittingly.

Verizon’s 2022 Data Breach Investigations Report outlines two common vectors of insider threats:

Common insider threat vectors

Privilege misuse

Privilege misuse means using privileged access in an inappropriate way. Verizon’s 2022 Data Breach Investigations Report says that 78% of all privilege misuse cases are financially motivated. The two most common types of privilege misuse are privilege abuse and data mishandling.

Privilege abuse accounts for up to 80% of all privilege misuse cases and refers to fraudulent or malicious activity with privileged access rights. Data mishandling accounts for up to 20% of privilege misuse incidents and involves insiders handling sensitive data carelessly. Unlike privilege abuse, data mishandling incidents don’t usually have malicious intent behind them.

Top actions in privilege misuse breaches

Miscellaneous errors

Miscellaneous errors are committed unintentionally by internal actors according to the Verizon 2022 Data Breach Investigations Report. Top insider groups that commit such errors are usually privileged users (system administrators and developers) and other end users. Their top errors are:

Top miscellaneous errors

4 Ways to Detect and Prevent Data Misuse

Main reasons for insider threat incidents

Let’s now consider a slightly different classification of insider threats by root cause. The 2022 Cost of Insider Threats Global Report by the Ponemon Institute outlines the following causes of insider threat incidents:

Top causes of insider threat incidents

Credential theft

Credential theft is one of the most common ways to get inside an organization’s protected perimeter. Using legitimate credentials, hackers can operate undetected inside a system for quite some time. To obtain user logins and passwords, perpetrators use social engineering, brute forcing, credential stuffing, and other attack vectors.

Criminal and malicious insiders

Criminal and malicious insiders pose a significant threat, as they know your organization’s cybersecurity measures and sensitive data. Leveraging this knowledge, they may steal or leak data, sabotage operations, or provide external attackers with access to your resources.

Employee or contractor negligence

Employee or contractor negligence causes most insider threat security incidents, but the results of such incidents generally cost the least to mitigate. Examples of human error are sending sensitive data to the wrong recipient, misconfiguring an environment, and using unsafe work practices.

Roadmap to CISO Effectiveness

Factors contributing to new insider threat risks

According to Gartner, the expansion of the attack surface was a cybersecurity trend in 2022. The trend is here to stay, as hybrid office, public cloud, and supply chain risks create new insider threat challenges.

Factors contributing to new insider threat risks

Cloud insider attacks

Cloud insider attacks are those committed by insiders who have gained access to or permanently have access to the cloud environment. According to the 2023 Insider Threat Report by Cybersecurity Insiders, 53% of cybersecurity professionals believe that detecting insider attacks is harder in the cloud than in an on-premises environment.

Supply chain attacks

Supply chain attacks target vulnerabilities in a company’s third-party suppliers or partners to gain unauthorized access to the company’s systems or data. Gartner predicts that software supply chain attacks will afflict 45% of organizations by 2025, which is a threefold increase from the number recorded in 2021.

Hybrid office environments

The hybrid office environment is yet another factor gaining traction. In a hybrid office environment, employees combine remote work with on-site work in the office. According to the 2023 Insider Threat Report by Cybersecurity Insiders, 68% of respondents are concerned about insider risks as their organizations return to the office or transition to hybrid work.

Major Supply Chain Cybersecurity Concerns and 7 Best Practices to Address Them

Insider threats are becoming more frequent

The percentage of insider threats keeps rising. Despite evolving insider risk management capabilities, 74% of organizations surveyed for the 2023 Insider Threat Report by Cybersecurity Insiders say there’s a rise in insider threats.

Percentage of companies that have 21 to 40 insider threat incidents per year

The 2022 Cost of Insider Threats Global Report by the Ponemon Institute confirms that insider threats caused by three key threat actors have become more frequent:

Average number of insider incidents by profile

Now, let’s see how the rising frequency of insider threat data breaches influences the cost and time needed for response and remediation.

10 Must-Have Information Security Policies for Every Organization

The cost of insider threats keeps rising

82% of organizations surveyed for the 2021 Insider Threat Report by Cybersecurity Insiders couldn’t determine the actual damage that an insider attack caused. Quantifying the impact of an insider attack is challenging, since there are different types of damage and the outcomes of an attack are frequently non-linear and unclear.

The total cost of an insider threat includes three components:

Components of the total cost of an insider threat

These costs keep rising each year.

The Ponemon Institute conducted three studies on the cost of insider threats: in 2018, 2020, and 2022. According to these studies, the total average cost of insider threats increased by 76% between 2018 and 2022.

Total average cost of insider threat incidents

Companies from North America suffer the most from insider attacks and their consequences: the average cost in this region increased from $11.1 million to $17.53 million in four years.

The average total spending on a single insider threat incident also went up 85% between 2016 and 2022. Mitigating insider threats involves spending on monitoring, investigation, escalation, incident response, containment, ex-post analysis, and remediation.

Total average cost of a single insider threat incident

To prevent the devastating consequences of these insider threat trends, you need to detect threats posed by employees in a timely manner — but that’s not as easy as it seems.

How to Calculate the Cost of a Data Breach

Detecting and preventing insider attacks takes time

The longer an insider incident goes undetected, the harsher the consequences. Some breaches may go undetected for months or even years.

Detecting activity of malicious insiders is challenging, as they know exactly where sensitive data is stored and which cybersecurity solutions are implemented. Detecting unintentional insiders is also challenging, as it involves tracking all actions of all users in your organization.

It takes 85 days on average to detect and contain an insider threat incident, according to the 2022 Cost of Insider Threats Global Report by the Ponemon Institute. Only 12% of insider-related incidents are contained in fewer than 31 days.

Time to detect and contain an insider incident

Around half of respondents to a 2021 survey by the Ponemon Institute said that detecting and preventing an impending attack by a malicious insider was very difficult at each stage of intrusion:

When is it the most difficult or impossible to detect and prevent an insider attack?

Let’s find out what strategy you can use to detect and prevent dangerous insider activity and handle insider risks.

12 Cybersecurity Best Practices to Prevent Cyber Attacks in 2023

What is the best strategy for protecting against insider threats?

Increasing insider risks necessitate the use of advanced procedural and technological insider threat protection measures.

Gartner predicts that half of medium and large enterprises will adopt formal insider threat programs by 2025, up from 10% today.

Whitepaper on insider threat program

Tools companies use for detecting and preventing insider fraud, data theft by employees, and other threats are based on unified visibility, meaning that all user activity can be seen from one place. The majority of surveyed organizations in the 2021 Insider Threat Report by Cybersecurity Insiders considered unified visibility to be important.

85% of organization consider unified visibility important.

With so many cybersecurity tools on the market, it’s hard to focus on a particular line of defense and choose the insider threat management software that delivers the best result with the minimum effort.

Privileged access management (PAM), user and entity behavior analytics (UEBA), and data loss prevention (DLP) are the top three technologies for preventing insider threats according to the 2022 Cost of Insider Threats Global Report.

Tools and activities for reducing insider risks

Ekran System is an all-in-one insider risk management solution that uses most of these methods to efficiently detect and prevent insider threats within your organization:

  • Privileged access management (PAM) capabilities of Ekran System allow you to secure and granularly control access for all users in your organization. The PAM functionality in Ekran System is enhanced with access request and approval procedures, two-factor authentication (2FA), password management, and other functionalities.
  • User activity monitoring (UAM) capabilities of Ekran System allow you to monitor and record user activity across all of your organization’s endpoints, enabling you to increase visibility, detect insider threats, and gather cybersecurity evidence. Ekran System supports monitoring on various platforms including Windows, Linux, and macOS.
  • Incident detection and response functionality in Ekran System offers real-time alerting that allows your security officers to quickly detect and respond to insider threats. You can also configure the system to respond to threats automatically. On top of rule-based alerting, Ekran System has an AI-based UEBA module that helps you detect insider threats by comparing users’ activity to their baseline behavior.

Ekran System also offers robust reporting, investigation, and data anonymization capabilities that can help you comply with the requirements of popular cybersecurity laws, standards, and regulations. For better usability, you can integrate Ekran System into your organization’s existing SIEM system.

PECB Inc. Deploys Ekran System to Manage Insider Threats [PDF]


We’ve analyzed the most informative and comprehensive studies with insider threat statistics to provide you with relevant insights and give you an idea of what adjustments your organization’s cybersecurity needs. Our key findings in insider threat analytics show that:

  • The frequency of, cost of, and time for detecting and preventing insider attacks keep rising.
  • The main insider threat actors are the same as always, affecting corporate security either knowingly or unintentionally.
  • Security teams face new challenges with expanding attack surfaces, growing hybrid office environments, and increasing reliance on cloud services.
  • New insider threat challenges require applying sophisticated new technological solutions.

Implementing comprehensive insider threat software such as Ekran System can help your organization secure sensitive data from malicious and inadvertent insiders.

Check out our demo to see how Ekran System can benefit your organization’s cybersecurity today!



See how Ekran System can enhance your data protection from insider risks.