Organizations understand the value of a risk assessment, especially as they work to create strategic plans to minimize the risk of data loss. The global shift to expanded remote work following the onset of the pandemic raised a number of questions around working practices and ensuring employee adherence to organizational risk tolerance. Specifically, it led to a broader realization that the insider threat, whether the insider is an employee or third-party partner or vendor, is a risk area many organizations continue to overlook.
Whether intentional or not, the risk of an insider threat incident is very real. Yet, the risk level is often minimized until it’s too late. And for most organizations, “too late” can have a significant financial impact on the business. According to research from Ponemon Institute, the average global cost of insider threats rose by 31% from 2018 to 2020 to $11.45 million.
Organizations that implement an insider threat management (ITM) program can improve their overall security posture, brand reputation and bottom line. Creating an effective program requires understanding the three primary insider threat profiles and gaining stakeholder buy-in to ensure the program is supported from the top-down.
The Three Insider Threat Profiles
There are three distinct insider threat profiles: negligent, compromised and malicious.
The negligent insider threat profile
A negligent insider, also known as the “accidental insider threat,” is an employee or contractor who makes a mistake that unintentionally results in a data loss incident. Negligent insiders comprise 62% of all insider threat incidents and cost individual organizations an average of $4.58 million per year.
To mitigate the risks associated with the negligent insider, organizations need to implement a continuous employee education program focused on cybersecurity best practices. Consistent reminders about the do’s and don’ts of cybersecurity can help increase the security posture of an organization and reduce the risk of an accidental insider incident.
The malicious insider threat profile
A malicious insider is an employee or contractor who intentionally exposes the organization’s data for financial gain or out of spite—causing damage to an organization from the inside. On average, the per-incident cost is about $756,000, which accounts for a total of $4.08 million in average losses per year for a single organization, representing 23% of all insider threats.
Mitigating the malicious insider requires increased visibility and data protection to monitor high-risk users and third parties. An ITM program must also be in place to encourage employees to report when something looks suspicious.
The compromised insider threat profile
A compromised insider is an employee whose login information or other credentials have been compromised. This results in unintentionally enabling threat actors to gain unauthorized access to applications and systems.
Compromised insiders often cause the most damage compared to the other two insider threat profiles. This profile makes up the smallest percentage of insider threat incidents but costs organizations about $871,000 per incident and about $2.79 million per organization each year. That’s three times more per incident than a negligent insider incident.
Similar to the negligent insider, the best way to mitigate the risks associated with the compromised insider is consistent employee education and communication around cybersecurity best practices.
Each threat profile requires a unique approach to detection and response, beyond leveraging an ITM program. But the end result is the same if these risks aren’t addressed: data loss. And that, in turn, can lead to significant financial loss and generate a decline in the business’s reputation.
An effective ITM program requires stakeholder buy-in
There are significant costs associated with the risk of insider threats, and insider threats and data loss go hand-in-hand. But there is frequently an awareness gap between IT and security teams and the business stakeholders.
Most leadership teams within organizations believe that ITM falls to the security team since they are often tasked with monitoring the network for unusual activity. But this is a myth. The most effective ITM programs require collaboration across technical and non-technical teams.
Consider, for example, the various departments that need to be involved when an insider threat incident takes place. The HR team is likely involved to manage the employee(s) related to the incident; the legal and compliance teams are likely involved to manage the impact to the company; and the communications team is likely involved to manage the internal and external communications plan to control the message and ensure the information is shared in a clear and measured way. This work all needs to happen seamlessly and simultaneously. And, with everyone in the loop, the security team can make the incident investigation, containment, and response process faster and more effective.
Additionally, the ITM program needs to be a working objective within quarterly goals. This ensures ITM finds a place on the list of executive priorities. There are a number of moving pieces within an ITM program, and teams can find themselves facing roadblocks and budget constraints when stakeholders aren’t aligned to the overall goal.
But when an ITM program is defined and established as a holistic goal, one that has a customized approach to support an organization’s unique culture, processes and business needs, stakeholders are more likely to engage with it. This ensures the security team is equipped with the tools they need to gain greater visibility into user, data, and threat signals, so they can streamline resource efficiencies and reduce associated spend management. That also helps the ITM program contribute more effectively to achieving broader organizational goals.
Finding the right fit: The ROI of Proofpoint ITM
There’s an obvious financial benefit to implementing an ITM program to mitigate insider threat risks. But the biggest impact on your ROI relates to identifying the right ITM program for your organization.
Proofpoint Insider Threat Management (ITM) uses a people-centric approach to user risk analysis. Unlike traditional perimeter-based cybersecurity programs, Proofpoint ITM focuses on user activity and data movement. It’s only after identifying risky user behavior that an analyst will investigate the user behind it. After all, data doesn’t move itself; people move data. And in today’s work-from-everywhere, cloud-based and mobile world, data no longer stays within the traditional four walls of an organization.
Additionally, with Proofpoint ITM, security teams can effectively gather evidence around various alerts. If the evidence is confirmed, the security team can export the evidence into an easy-to-understand report. This ensures information can be shared faster and in a more digestible format with the various cross-departmental teams involved in the ITM program, enabling the group to make more informed decisions about what to do next.
Effectively monitoring data movement and gaining visibility to understand the context around why data is moving a certain way can drastically improve an organization’s ability to detect and respond to an insider threat.
Proofpoint ITM also helps organizations comply with today’s strict data protection and privacy regulations with capabilities including user anonymization, Watch the Watcher mechanisms, strong data security, customizable data exclusion policies, role based access controls (RBACs) and a comprehensive audit trail. These features enable security teams to meet the organization’s cultural standards and privacy requirements in GDPR, NIST and other cybersecurity regulations.
The Proofpoint ITM platform offers organizations a unique approach to mitigating insider threats and an opportunity to realize significant ROI. Enterprise Strategy Group (ESG) analyzed the ROI of Proofpoint ITM and found that the platform reduces insider threat costs by nearly $400,000 per month (for a 10,000-employee organization) and delivers a 695% three-year return.
Download the Frost & Sullivan Report, Building the Business Case for Insider Threat Management, and try out our ROI Calculator to see the value Proofpoint ITM can bring to your organization.