(Updated 01/29/2021)
Since the Ponemon Institute published its 2020 Cost of Insider Threats: Global Report in February, we have seen the world rapidly shift toward a remote work paradigm that is impacting cybersecurity priorities. In particular, this change in how we work is impacting the way security teams think about insider threats. Further analysis of the findings in this report can help teams build a cohesive insider threat strategy that properly balances people, process, and technology.
In this piece, we unpack five key findings and provide an interactive graphical analysis illustrating some of the interesting correlations to consider.
The Frequency of Insider Threats Drives Costs Up
While the correlation is obvious (i.e. more data breaches = higher costs), there are several factors worth exploring in detail. For example, in a February 2020 webinar with the report authors, we discussed the relationship between frequency, complexity, and costs. As organisations invest in detection technologies that provide alerts of potential insider risk, the volume of data and number of alerts can create massive workload and complexity for IT operations and investigations teams – which creates a resource drag and causes inefficiency.
Takeaway: Cybersecurity teams need to employ insider threat technologies that provide critical contextual information to enable rapid decision making and a better signal to noise ratio.
Not all Insider Threats are Malicious
The majority of insider-led breaches are caused by user negligence, not malicious actions. The second most common cause is credential theft, i.e. compromised usernames and passwords. As organisations adapt to the cybersecurity reality where people are the new perimeter, it is critical that organisations think about new strategies for protecting data and critical infrastructure. It’s not just about keeping bad guys out; it’s also about keeping the good guys good, whether that means preventing credential theft or providing better proactive user education around security best practices.
Takeaway: Consider the importance of endpoint visibility and the detection of risky behaviours that may indicate negligence or stolen credentials.
Threat Detection and Investigation are Leading Investment
The top insider threat investment categories are related to detection and investigations. These two areas are clearly correlated; as investment in detection capability increases, the number of identified breaches increases, driving up necessary spend on investigations.
Takeaway: It’s critical to increase the efficiency of insider threat investigations. Identifying more potential breaches without having the bandwidth to investigate and resolve will only impede success.
Time is Not on Our Side
Related to the previous point, we see the average time to investigate an insider breach has increased to 77 days. This lag creates enormous potential for cost increases, as insider threats have more time to do damage. It also inevitably leads to cases not getting the full attention warranted. Finally, the length of time it takes to complete an investigation also contributes to the growing complexity of insider threat programs, since so many activities must successfully run in parallel to complete these investigations.
Takeaway: Once again, Insider Threat Management solutions need to reduce complexity by organising contextual data so that decisions can be made quickly and information can be shared with all members of an investigations team, including HR, Compliance, Legal, and line of business managers.
All Organisations are Unique
Insider threats are an issue for organisations of any size and in any industry. While bigger organisations mean more employees and higher risk, smaller organisations actually see a consistent cost per employee as compared to larger companies. However, there is complexity that comes with managing bigger programs at larger organisations. This is only compounded by the added complexity of geographically dispersed workforces. Industry is also a factor when it comes to cost, with those companies managing protected data (e.g. PCI and PII) seeing higher insider threat costs.
Takeaway: Look to peer companies (similar in size, industry, and risk profile) and study how they successfully manage insider threats and protect data.
Parting Words
As companies begin planning how to build a technology-enabled Insider Threat Management program, this research from Ponemon can serve as a guide for how to prioritise investments and justify the ROI on new programs, headcount, and solutions that decrease organisational risk by addressing Insider Threats head-on.