In recent years, we have witnessed a steady increase in cyber incidents. Often, most companies overlook the impact that insider threats could have on their profitability. With cybercriminals and other ill-driven individuals developing new ways to further their agendas, there has been a rise in cyberattacks globally.
This article highlights insider threat statistics and shows that these incidents can emanate from suppliers, employees, contractors, and other trusted individuals.
The top 10 insider threats statistics – Quick list
- Over the past two years, insider attacks have spiked by a whopping 47%.
- Negligence accounts for over two-thirds of insider threat incidents.
- Over 55% of companies rank privileged users at the top of their insider threat risk list.
- A staggering 74% of organizations report an increase in insider attacks.
- Approximately 74% of organizations express significant vulnerability to frequent hacker attacks.
- Around 82% of organizations find assessing the actual damage of an insider attack to be challenging.
- Insider threats impact more than 34% of businesses globally annually.
- 70% of organizations express concerns about inevitable data breaches.
- Fraud, personal gains, and sabotage drive insider threats.
- Trusted business partners contribute to 15% to 25% of insider incidents.
What is an insider threat?
An insider threat is a security threat or risk that emerges from within a company. This can be employees, business partners, or contractors with insider knowledge about the organization’s data, security practices, and computer systems.
The threat can be intentional or unintentional and poses a significant risk to the organization’s intellectual property, sensitive data, and overall security. So, insider threats require a comprehensive detection, prevention, and response approach.
Here are the main categories of these threats:
1. Malicious insider
These individuals, often called ‘Turncloaks,’ exploit their credentials with malicious intentions. They are mainly motivated by gain or personal incentives. For example, these can be individuals who hold grudges against employers or opportunistic employees who sell information to competitors. Malicious insiders have the upper hand because they know about an organization’s security policies, procedures, and vulnerabilities.
2. Careless insider
This category consists of unwitting individuals who unintentionally expose the system to threats. It is often a result of mistakes such as leaving a device unprotected or falling victim to a scam. For instance, an employee with no malicious intent might unknowingly click on an insecure link, introducing malware into the system.
3. A mole
Although technically outsiders, these individuals manage to infiltrate a network within an organization by posing as insiders. They can be sources that impersonate employees or partners to gain access.
Key statistics highlighting the severity of insider threats
- US businesses face 2,200 internal security breaches daily.
- Globally, 34% of businesses deal with insider threats annually.
- 66% of organizations prioritize insider attacks over external ones.
- Insider incidents surged by 47% in the last two years.
- In 2022, the cost per insider threat was $15.38 million.
- Over 70% of insider attacks remain unreported externally.
- Trusted business partners account for 15-25% of insider incidents.
- 53% find insider attack detection challenging in the cloud.
Detecting and preventing insider attacks takes time
The consequences of an insider attack become more severe the longer it remains uncontained. Some incidents may even take months or years before they are detected. This is because cybercriminals know exactly what data they are looking for and the solutions that might be implemented to protect the data.
The process becomes even more complicated if it is an unintentional insider. The victim must track all company employees’ actions to know the root cause of the problem.
On average, it takes 85 days to detect and manage an insider threat. However, only 12% of the threats are contained in less than 31 days. The rest usually takes time. For instance, 34% of insider threats take more than 91 days to be contained. Further, 29% take 62 to 91 days, while 25% take 31 to 61 days to address.
Five different phases determine how difficult it is to detect and contain an insider threat. They include:
- Reconnaissance phase (49%)
- Circumvention phase (47%)
- Aggregation phase (53%)
- Obfuscation phase (42%)
- Exfiltration phase (40%)
Top insider threat statistics you must know
1. Insider attacks spiked by a whopping 44% over the past two years
According to a 2022 report by the Ponemon Institute, between 2020 and 2022, insider attacks shot up by 44%. It was a further increase from the previously reported 47% increase in the attack frequency between 2018 and 2020.
What’s fueling this surge? Well, it’s a mixture of things: the boom in cloud computing, the explosion of mobile device use, and the worldwide takeover of social media platforms. It’s like the perfect storm for insider attacks. So, organizations need to start paying extra close attention to these factors to spot and fend off insider threats effectively.
(Source: Proofpoint)
2. Negligence contributes to over two-thirds of insider threat incidents
While insider threats can emanate from ill-driven employees and contractors, the data indicates that a majority stem from simple negligence.
Individuals must recognize the need to enhance security measures before sending links from their Dropbox accounts or Google Docs. These documents become indexed by search engines, making them easily accessible to cybercriminals.
To mitigate this risk, employees must understand the importance of encrypting the links they share or adding a layer of security through usernames and passwords.
(Source: Dark Reading)
3. Over 53% of companies rank privileged users at the top of their insider threat risk list
Often, administrative data is inadvertently exposed by users. A simple security awareness briefing can help address this issue. Nevertheless, external threats remain a pervasive concern. Companies should consider investing in additional cybersecurity solutions, such as Endpoint Detection and Response (EDR) tools and Multi-Factor Authentication (MFA).
(Source: Business Insider)
4. A staggering 74% of organizations report an increase in insider attacks
Most businesses have heightened vigilance due to the surge in insider threats in the past two years. While insider attacks may sometimes look like external data breaches, cybersecurity and IT experts have gained a more in-depth understanding of their distinctive characteristics. Tools like EDR security suites now offer businesses a more precise filter for identifying internally originating attacks.
(Source: Gurucul)
5. Approximately 74% of organizations express significant vulnerability to regular hacker attacks
The global rise in cyberattacks by 38% from 2021 to 2022 has exposed organizations. Astonishingly, only 1 in 10 think their existing cybersecurity measures adequately cater to their business needs. This underscores organizations’ need to allocate more resources to their cybersecurity efforts. Additionally, enhancing awareness about cybersecurity among employees through drills, training, and standard operating procedures (SOP) is crucial.
(Source: Gurucul)
6. Around 82% of organizations find assessing the actual damage of an insider attack difficult
Insider attacks can have devastating consequences, including the criminal disclosure of sensitive data and the emergence of dangerous behaviors. The Cybersecurity and Infrastructure Security Agency (CISA) has identified various forms of damage that can result from insider attacks, including espionage, corruption, sabotage, resource or capability loss, workplace violence, and terrorism.
(Source: Gurucul)
7. Insider threats impact more than 34% of businesses globally annually
A significant number of businesses experience insider attacks annually. The rise of internal threats can be attributed to employees’ expertise within the company’s system and their exclusive access to confidential data. This creates opportunities for cybercriminals to carry out the unauthorized extraction of key data.
For instance, 30% of business bankruptcies are attributed to employee theft. To mitigate this risk, companies must elevate security reforms within their environment and among their members.
(Source: Proofpoint)
8. 70% of organizations express concerns about inevitable data breaches
Although negligent employees are responsible for a significant portion of insider threats, businessmen are more anxious about cybersecurity factors extending beyond their reach. In 2023, an IBM study revealed that the global average cost of a data breach escalated to $4.45 million.
Regrettably, there seems to be no end, as bad actors continually acquire new knowledge and skills for their notorious activities.
(Source: IBM)
9. Fraud, sabotage, and personal gains fuel insider threats
A survey by Fortinet unveils that the three primary drivers behind insider threats are IP theft (44%), financial gain (49%), and fraud (55%). Notably, departments like finance (41%), customer access (35%), and research and development (33%) are the most susceptible to these attacks.
Hackers, particularly those with malicious intent, primarily target these departments to achieve financial gain and engage in corporate sabotage, espionage, and the theft of trade secrets.
(Source: Fortinet)
10. Trusted business partners contribute 15% to 25% of insider incidents
The finance and insurance industries (38%) have witnessed the most insider attacks, primarily due to contractor misconduct. External contractors often enjoy the same robust network access privileges as in-house employees, which have been known to be abused.
Insider attacks by trusted business partners result in more significant financial turmoil, as they possess intimate knowledge of a company’s inner workings and top trade secrets. The level of betrayal can also cause emotional and mental stress.
In 2023, a global security trend seeks to address this issue by advocating for increased accountability from third-party vendors.
(Source: CERT Insider Threat Center)
11. Phishing attacks account for 67% of accidental insider threats
In 2021, a staggering 323,972 phishing incidents were documented, reaffirming its status as one of the oldest and most successful methods hackers employ to infiltrate networks. Phishing is a prevalent social engineering technique and a leading cause of insider threats.
These deceptive emails are crafted to deceive users into interacting with a malicious file or completing survey forms containing sensitive information, all to be exploited for personal gain. Employees who inadvertently succumb to phishing attempts unknowingly transmit critical business data to malicious individuals via fraudulent websites.
(Source: Forbes)
12. Emails serve as the source of 94% of malware infections
Malware remains one of the most effective forms of cyberattacks, and its primary propagation avenue is still through email. Most spam emails harbor various types of malware, featuring enticing subject lines and captivating headers to lure recipients into opening and clicking on the email.
(Source: Verizon)
13. Organizations have increased insider threat spending by 60% compared to three years ago
In 2022, over half of organizations encountered at least one internal attack, prompting them to allocate nearly 60% more resources than they did three years ago for recovery efforts. This augmented investment in cybersecurity measures to combat insider threats is primarily attributed to the areas of investigation and detection.
Organizations have specifically earmarked budgets for these critical functions, recognizing that insider threats are equivalent to external threats.
(Source: Proofpoint)
14. Retail and financial services experience the highest costs from insider threats
On average, financial institutions have incurred approximately $21.25 million in expenses related to insider risks, marking a substantial 47% increase from the previous year. Meanwhile, the costs for retail enterprises have surged by 62%, reaching approximately $16.56 million. Hackers frequently target financial institutions such as banks, credit agencies, retail establishments, and e-commerce platforms.
Their primary objectives often involve obtaining people’s payment card information from websites. For example, over 4,800 websites are compromised monthly through formjacking attacks, resulting in the theft of credit card numbers and login credentials.
(Source: Proofpoint)
15. Larger organizations outspend smaller firms by $10.24 million on insider threat cases
Large firms with 75,000 or more employees have dedicated an average of $22.68 million to address these insider threat incidents. In contrast, smaller organizations with workforces of 500 or fewer have allocated $8.13 million for the same purpose.
It’s important to note that larger companies inherently face more significant data losses, heightened damage potential, and require more extensive resources and manpower compared to their smaller counterparts.
(Source: Proofpoint)
16. Detecting a data breach takes about 277 days
Even with investment in cybersecurity, finding a cyberattack usually takes 207 days and an extra 70 days to contain. Unfortunately, sometimes companies don’t even realize there’s been a breach for months, and by then, the damage has often gotten way worse. Plus, healing from an insider attack can drag on for 6 months or longer, depending on how bad it is.
(Source: IBM)
17. Cybercrime shot up by 38% in 2022
It’s gotten so bad that there’s a hack somewhere in the world every 39 seconds. The top five cyber crimes are identity theft, extortion, non-payment scams, personal data breaches, and phishing attacks. Together, these cyberattacks steal 1% of the global GDP and are expected to cost a mind-blowing $10.5 trillion yearly by 2025.
Alarmingly, over 60% of cloud security experts said data loss and privacy worries topped their list of concerns in the 2022 Cloud Security Report. This scary trend shows how cybercriminals find new ways to exploit vulnerabilities across different sectors.
(Source: Check Point)
18. Incidents involving credential risks cost enterprises an average of $871,000 for every occurrence.
The typical picture that comes to mind when we think of insider threats is frequently one of an angry employee causing devastation. The truth is that some insiders divulge their login information, whether intentionally or accidentally, due to ignorance, which causes frequent data breaches.
Statistics on insider threats show that stolen credentials are a significant factor in 67% of data breaches. What’s more worrisome is the startling 129% spike in credential leaks year over year. This significant increase highlights the need for thorough cybersecurity training at all workforce levels.
(Source: Proofpoint)
19. Businesses in the United States are grappling with approximately 2,200 internal security breaches daily.
According to 20% of IT experts, insider threats pose a significant concern to security infrastructure. Apparently, only 39% of organizations have set up a worthy cybersecurity team capable of addressing the rise in insider incidents. Usually, the cybersecurity experts in most firms are incapable of assessing cyber threats and putting in place necessary measures to curb the threat.
(Source: IS Decisions)
20. 91.5% of cyber-attacks arise from human error.
Human error is the main cause of cyber threats, as reported by IBM in 2019. The study noted that 91.5% of cyber incidents came from human error. This meant that, unlike the mainstream belief that cyberattacks must employ sophisticated methods to be successful, they are often a result of human mistakes. This statistic solidifies that insider threats are mostly a product of an insider with access to critical data.
(Source: Telefonica Tech)
21. Around $172 billion was spent on risk management and information security in 2022.
The Compound Annual Growth Rate (CAGR) grew 12% in 2022. This was after the risk management and information security expenses rose to over $17 billion. The increase in CAGR shows that various factors were in play.
For instance, the increase in the amount of sensitive information held by organizations, the rise in cyber incidents in recent years, and the increased emphasis on firms implementing data protection measures.
(Source: Gartner)
22. Insider threat containment takes up most of the company’s spending.
The average time to stop an insider incident in 2022 was 85 days. Furthermore, an average of $184,548 was spent on addressing data breaches and insider threats. The ex-post analysis was the least expensive phase of dealing with cyber threats, which amounted to $26,563.
In addition, $35,000 was spent on monitoring and surveillance activities. Overall, the total figures for containing an insider threat increased to 114% from 2016. This shows how far cyber threats can go to increase a company’s average spending.
(Source: Proofpoint)
23. The human element is present in more than 85% of data leaks.
According to the Data Breach Investigations Report (DBIR) conducted by Verizon in 2023, it was found that the human element accounted for 85% of data exploitation. This means that in the event of a cyber incident, it is likely that an employee, a business partner, or another third party with key access to the company’s data was somehow connected to the breach.
(Source: Verizon)
24. North America incurs more than $17.53 million on insider threats annually.
Organizations situated in North America were the most affected by insider threats and their impacts. According to Proofpoint, these companies saw their average cost of containing these threats rise from $11.1 million to $17.53 million in a period of 4 years. Similarly, from 2016 to 2022, the average total spending cost shot up to 85%.
Overall, these numbers present notably higher spending than the world’s average of $15.4 million.
(Source: Proofpoint)
25. Hacktivists contribute to more than 5% of insider threats.
Hacktivists make up a significant percentage of insider threat causes. In their 2023 report, Gurucul reported that 5% of all these threats resulted from hacktivists. This group of individuals often deploys DDoS attacks, acquires sensitive data, and releases or threatens to release it to the public. The media, tech companies, and the government were among the most targeted groups.
(Source: Gurucul)
26. Weak passwords contributed to more than 23% of data incidents in 2022.
In 2022, NordPass showed that 23% of all data leaks emanated from weak passwords. According to the report, 52% of its users used similar passwords for multiple accounts. Similarly, 35% of their users were yet to change their passwords.
In addition, the report revealed that the top 5 commonly used passwords globally included “password,” “123456,” “123456789,” “guest,” and “qwerty.” Surprisingly, 4,929,113 of its users had “password” as their password, while “123456” was used by 1,523,537 individuals.
(Source: NordPass)
27. Business rivals contribute 15% of insider threats.
Businesses are always seeking ways to gain a competitive edge over their rivals. This competition may drive some businesses into using unconventional methods, such as launching cyber-attacks.
A report by the Ponemon Institute shows that 15% of insider incidents arise from business competitors. By launching insider attacks, rival firms hope to disrupt the target company’s business activities, steal valuable information, and gain an edge over them.
(Source: Proofpoint)
28. 94% of viruses are a result of infected emails.
Studies show that 94% of viruses are delivered via email. Cybercriminals target individuals by sending malicious emails that infect their devices. Verizon’s Data Breach Investigations Report revealed that 21% of data leaks were executed via phishing. The rise in infected emails has been reflected in the overall data breach figures. For instance, in 2022, there was a 10% increase in data incidents, resulting in an average of $4.24 million being used per breach.
(Source: Verizon)
29. Insider threats mostly affect the technology, financial, and healthcare institutions.
With the increasing rate of attacks, it is apparent that some institutions are targeted more than others. Gurucul’s The State of Insider Threat in 2023 report affirms that tech industries, financial institutions, and the healthcare sector are the most affected by cyber incidents.
The report further suggested some approaches to curb insider threats, such as employee training on cyber threats, monitoring employee activity, implementing sufficient security infrastructure, and devising an effective response plan to insider threats.
(Source: Gurucul)
30. Insider threats emanating from third parties will increase in 2023.
Over the last few years, cases of cyber threats have been on an upward trajectory. It is estimated that with the increase in third-party vendors, the number of threats is bound to increase in 2023. Some factors contributing to this increase include the growth of more sophisticated cybercriminals, the wide adoption of third-party vendors by firms, and the rise of more complex IT systems.
(Source: Ekran System)
Insider attack vectors
Insider attacks can be grouped into two main vectors: privilege misuse and miscellaneous errors.
Privilege misuse
Privilege misuse occurs when individuals inappropriately use their privileges to gain access, often motivated by financial interests. In most cases, privilege misuse is in the form of data mishandling and privilege abuse.
Mishandling of sensitive data accounts for about 80%, while privilege abuse accounts for 20% of privilege misuse incidents. The two terms differ in that data mishandling cases do not have malicious intent as opposed to privilege abuse.
Miscellaneous errors
These are unintentional acts by internal individuals. The parties that commit these errors usually have access rights to systems. Such individuals include developers, system administrators, and other end users. Most errors committed under this vector include misdelivery (40%), misconfiguration (40%), programming errors, and publishing, among other errors (20%).
Main reasons for insider threat incidents
These are some of the reasons why insider threat incidents occur.
Credential theft
This accounts for 18% of overall insider threat incidents. It is one of the most prevalent methods for breaching an organization’s secure perimeter. By acquiring legitimate credentials, hackers can clandestinely operate within a system for an extended period without detection. Perpetrators employ various tactics such as social engineering, brute force attacks, and credential stuffing to obtain user logins and passwords.
Criminal and malicious insiders
Given their intimate knowledge of your organization’s cybersecurity protocols and sensitive data, these insiders represent a significant menace. Armed with this information, they can engage in actions like data theft, data leakage, operational sabotage, or even facilitate external attackers’ access to your resources.
Employee or contractor negligence
The category of employee or contractor negligence ranks as the primary cause behind most insider threat security incidents. However, the silver lining is that the consequences of these incidents typically entail lower mitigation costs. Instances of human error include mishaps like sending sensitive data to the wrong recipient, misconfiguring system settings, and practicing unsafe work habits.
Factors contributing to new insider threat risks
New insider threat challenges have emerged over the years due to various factors:
Cloud insider attacks
This attack occurs due to access to a company’s cloud services. Unlike physical or on-premises attacks, cloud-based attacks are often harder to detect and deal with.
Supply chain attacks
These types of attacks take place within the supply chain process. In other words, attackers target vulnerabilities within the supply chain by compromising suppliers or gaining unauthorized access to an organization’s data. According to Gartner, supply chain attacks will likely increase by 45% by 2025.
Hybrid office environments
Although new among insider threats, this risk has recently gained attention. Under this factor, subordinates combine in-office and remote work to execute threats. As the workplace transitions to a hybrid environment, most employers are becoming more concerned about this attack.
Cost of insider threats
The cost of insider threats wasn’t directly proportional to the actual damage caused, as reported by most victim organizations. The total cost of insider threats is categorized as follows.
- Direct costs: This includes the funds required to detect, mitigate, look into, and address the threat.
- Indirect costs: This entails the value of human labor and other resources used in remediating the incident.
- Lost opportunity costs: Includes losses incurred as a result of the breach.
The total cost of insider threat incidents in 2018, 2020, and 2022 was estimated to be $8.76 million, $11.45 million, and $15.4 million, respectively.
North America is one of the major victims of insider threat incidents whose costs rose from $11.1 million to $17.53 million in a period of 4 years. The average total spending required to address a single incident shot up to 85% from 2016 to 2022.
It’s important to detect the threat early enough to avoid the devastating impact of insider threats. Otherwise, the cost involved in observing, investigating, responding, containing, and ex-post analysis could result in severe financial outcomes for your firm.
Ways to protect against an insider attack
You can take several proactive steps to mitigate the risk of insider threats. In light of the available insider threat statistics, below, we list some of the obvious measures to contain the risks.
1. Protect critical assets
Identify and safeguard both physical and digital critical assets. This includes systems, technology, facilities, and even personnel. Intellectual property, such as customer data, proprietary software, schematics, and internal manufacturing processes, is also part of this category.
Develop a comprehensive understanding of your critical assets by asking: What assets are crucial to our organization? Can we prioritize them effectively? What is the current status of each asset?
2. Enforce policies
Document organizational policies clearly to facilitate enforcement and prevent misunderstandings. Ensure that every member of the organization is familiar with security procedures and comprehends their rights concerning intellectual property (IP). This knowledge will help prevent the accidental sharing of privileged content created by employees.
3. Increase visibility
Implement solutions that enable you to monitor employee actions and consolidate information from various data sources. For instance, deploying deception technology can help draw in malicious insiders or impostors, providing you with insight into their activities and intentions.
4. Promote cultural changes
Recognize that security isn’t solely about knowledge; it also encompasses attitudes and beliefs. So, educate your employees on security issues and work to enhance overall employee satisfaction to address negligence and the underlying drivers of malicious behavior. Creating a security-conscious culture can significantly reduce insider threat risks.
FAQs
Most insider threats are a result of careless insiders. Negligence plays a key role in propagating insider threats.
Some common indicators include unusual logins, excessive downloading of company data, repeated login attempts, unusual employee behavior, and an increased number of individuals with access privileges.