TL;DR: Insider Threats can cost businesses $8M+ annually. In this post, we share three better ways to invest that money: hiring, training, and real-time user education.
The Ponemon Institute’s report, “2018 Cost of Insider Threats: Global Organizations,” found that the average cost of an Insider Threat annually is $8.76 million. Costs vary based on industry, organization size, and the type of threat (negligence, credential theft, etc.) Regardless of the nature of the threats, that’s a lot of money that could be better spent on hiring, training, tools, and proactive security approaches.
Today, we want to share three ways that money saved on Insider Threat incidents could be put to better use.
Hire an Insider Threat Expert (or Team)
Insider Threats are peculiar. They have the capability to do quite a bit of damage, but they can also be reduced dramatically using user training and awareness techniques that don’t have nearly the same impact on external threats. Because Insider Threats are such a unique and tricky beast, hiring an internal Insider Threat expert—or heck, a whole team—could be a very smart move. This is especially true in industries that are frequently targeted with insider attacks (such as financial services, energy and utilities, and manufacturing) and/or those with high regulatory burdens (such as healthcare).
The Cost: Insider Threat specialist salaries range from about $70,000 - $115,000 in the U.S. If you saved $8.76 million by avoiding Insider Threat incidents, you could hire 76 full-time employees at the top salary range.
Train Your Current Employees
If hiring an Insider Threat team doesn’t make sense for your current business size, maturity, or industry, another great option is to invest in training your current employees. Security analysts or IT personnel will often benefit from in-person or online Insider Threat training. This can give them the skills and insight needed to become specialists, propelling their careers forward while continuing to strengthen your business’s best line of defense.
The Cost: The Insider Threat Defense Group’s two-day training courses range from $971 to $1,295 per person. If you saved $8.76 million by avoiding Insider Threat incidents, you could send 6,764 of your employees to receive this training. Additionally, an Insider Threat platform like Proofpoint ITM often offers training as part of the onboarding process, helping teams get up and running faster with a dedicated Insider Threat tool.
Invest in Real-Time User Education
While we highly recommend providing Insider Threat awareness training during onboarding and on an ongoing basis for employees and third-party contractors, the most powerful time to receive feedback about potential security violations is when they happen. Investing in real-time user education is the best way to decrease Insider Threat incidents, because we know that the majority of them happen out of negligence. Simply being reminded in the moment (and, if necessary and appropriate, blocked from taking further action) is enough to deter the majority of Insider Threat incidents from happening at all.
The Cost: Real-time user education is built into the Proofpoint ITM platform at no additional cost. Proofpoint helps teams block out-of-policy user activity, using policy reminders, warning prompts, and robust app-blocking controls.
Re-Investing Saved Insider Threat Dollars
As you can see, we believe in investing money saved on Insider Threats on preventative security measures, particularly hiring and training, that stand the best chance of reducing your business’s risk profile over the long haul. While we don’t actually recommend sending more than 6,000 of your employees off to Insider Threat training, we certainly advocate for hiring specialists, training internal personnel, and providing users with relevant, timely education that cuts down on negligent Insider Threat incidents. These measures can make a dramatic difference, especially for businesses that operate in high-risk sectors for Insider Threats.
How do you plan to invest money saved from Insider Threats?
Subscribe to the Proofpoint Blog