#NITAM: Average annual cost of insider incidents reaches $16.2 million per organization


The average annual cost of insider risk incidents increased to $16.2 million per organization in 2023, up from $15.4 million in 2022, according to the latest Cost of Insider Risks report from DTEX and the Ponemon Institute. This represents an increase of 40% over four years.

The study also found that the number of insider incidents increased from 6,803 to 7,343 last year.

The average number of days needed to contain an incident remained similar in 2023 compared to 2022, at 86 days versus 85 days. Containment and remediation are the most costly activity centers, at $179,209 and $125,221 per incident, respectively.

Unsurprisingly, costs for businesses increase significantly the longer it takes to respond to an insider incident: Ponemon and DTEX found that organizations that took more than 91 days to contain such incidents face annual costs exceeding $18.33 million.

Malicious and non-malicious insiders

The study identified two categories of insider risk actors. Non-malicious insiders do not seek to cause harm, but do so through negligence, mistakes, or by allowing themselves to be deceived by a malicious actor.

In contrast, a malicious insider deliberately seeks to cause damage, undertaking activities such as intellectual property theft, unauthorized disclosure, sabotage, and fraud.

According to the report, which surveyed 1,075 security and IT professionals, non-malicious insiders accounted for 75% of incidents. These were caused either by negligence or errors (55%), which cost an average of $505,113 per incident, or by being duped by an external actor (20%).

Although malicious insider threats accounted for only a quarter of incidents, responding to them was significantly more expensive, costing businesses an average of $701,500 per incident.

Investing in insider risk management

Despite the significant threat posed by insider risks, 88% of organizations surveyed spent less than 10% of their IT security budget on this area, an average of 8.2%. The rest of the budget was devoted to external threats.

In fact, only 6% of organizations said IT security was responsible for managing insider risks; the department most often responsible was the legal department (34%).

Encouragingly, security professionals appear to be aware of this imbalance: 58% of respondents believe current levels of insider threat management are inadequate, and almost half (46%) of organizations plan to increase their investment in insider risk management programs in 2024.

More than three-quarters (77%) revealed they have launched, or are considering launching, an insider risk management program.

Additionally, nearly two-thirds (64%) of respondents said they view AI and machine learning technologies as essential or very important in proactively detecting insider threats.

Rajan Koo, CTO of DTEX Systems, commented: “We are encouraged that organizations are considering increasing their investments in internal risk programs, as this is required by customers and new industry regulations – and not only because of previous incidents. This is a significant change that signals long overdue attention and prioritization.”
