Insider Threat Management

The Skyrocketing Costs of Insider Threat Investigations


(Updated 10/11/2020)

A recent report from Ponemon Institute found that the cost of investigating insider threat incidents has skyrocketed since 2018. What can companies do to be more efficient?

According to the new 2020 Cost of Insider Threat Report: Global, since 2018, the number of insider threat incidents has increased by 47%, while the overall cost of incidents has risen by 31% to an eye-popping $11.45M.

Conducted by Ponemon Institute and sponsored by Proofpoint and IBM, the annual report surveyed hundreds of IT security practitioners to take the pulse of insider threat costs and management. The study looked at three categories of insiders: employees or contractors; criminal or malicious insiders; and credential thieves. 

Among many interesting insights, the report demonstrated that, as the number of insider threats increases, so too does the cybersecurity cost of investigating them. 

Insider Threat Investigations Are Driving Up Costs

The 2020 report found that companies spent an average of $644,852 per incident across seven cost centers and three categories of threats: employee or contractor negligence, criminal and malicious insiders, and credential theft.

Ponemon measured this cost through seven components of a security program: 

  • Monitoring and surveillance
  • Investigation
  • Escalation
  • Incident response
  • Containment
  • Ex-post analysis
  • Remediation

Amongst these many cost centers, Ponemon found that the cost of investigation was growing the most rapidly, with an 86% increase in three years. In Fiscal Year 2020, the average investigation cost is $103,798 per incident. In FY 2018, this number was just $73,398, and in FY 2016, it was as low as $41,461—illustrating dramatic and sustained cost increases. The report defined investigation as “activities necessary to thoroughly uncover the source, scope, and magnitude of one or more incidents.” 

Making Your Investigations More Efficient 

No company wants to spend more on investigations than necessary. Here are four areas where companies can tighten up their practices to make the investigation of security incidents more efficient and reduce costs.

1. Move Fast

According to the 2019 Verizon Data Breach Investigations Report (DBIR), 56% of security breaches go unaddressed for months. The longer a breach goes undetected or unaddressed, the more time there is for losses to mount and for additional breaches to take advantage of the same vulnerability. According to the Ponemon Institute’s new report, when an incident was contained in under 30 days, the average total cost per year was $7.12M. But incidents that took more than 90 days to contain racked up $13.71M in average total cost per year.

Moreover, the longer an incident goes uncontained, the more complicated the investigation will become. 

Insider Threat Tip: Set up tools that automate the detection of insider-specific security breaches, and then empower your team to move fast in the investigations phase. Compared with monitoring logs, alerts help the team focus on where to pay attention.

2. Build Context into Programs

Once a company knows an incident has occurred, context is king. Without understanding the “how,” a company cannot prevent future incidents. Without understanding “why,” it’s difficult to understand the motivations and levels of threat. When the context is nonexistent or incomplete, companies may struggle to move forward with any necessary IT, HR or legal action. 

Companies can speed up the process by prioritizing contextual intelligence within insider threat management programs. When easy to access and assemble, this context can lead to swifter resolutions.

Insider Threat Tip: Kick off investigations with context on the user, applications, data and endpoints related to alerts, organized in an easy-to-understand timeline. Automatically generated reports can summarize the situation to share and collaborate with HR, Legal and business counterparts. The ability to visually record activity before and after the incident provides companies with strong evidence of wrongdoing.

3. Hire the Right Team

Build or buy? That’s one of the big questions chief information security officers face when putting together an incident response (IR) protocol and creating a security team. Companies should honestly and clearly assess their risks, internal bandwidth, and budget. IR is a crucial part of rectifying incidents after they’ve occurred. Not every company can afford an in-house team of IR experts, but many do need more than a generalist security analyst. These personnel needs may change over time, too, as a business grows, comes to work with more or different external vendors, and expands into new global markets or verticals. 

Insider Threat Tip: The right combination of in-house security and external consultants will vary from company to company. Whether it's a laser-focused in-house team or a highly trained consultant on speed dial, every organization can benefit from an efficient system with clear roles. One thing is for sure: not having the right team and process in place will only add to insider threat investigation costs.

4. Implement “Right Fit” Tools

The last decade has seen a rise in tools and technologies. Security teams a decade ago had to sift through endless logs, correlate disparate sources, and spend hours putting together a picture of the incident. Today, advances in technology empower teams to quickly detect and understand insider threat incidents. 

Insider Threat Tip: The right tool can clearly record what happened, create easy-to-understand timelines and visual activity replays, and provide more of the information necessary for security, HR, and finance teams alike.

Reduce Insider Threat Investigation Costs with Proofpoint Insider Threat Management (ITM)

ITM allows companies to record suspicious behavior and automatically sends alerts about possible threats. Many ITM customers have been able to whittle the time an investigation takes to complete from days or weeks to mere minutes.

Insider threats are only increasing in volume and cost, and investigations are likely to continue to be a major cost center, too. This year’s Ponemon report found that investigations averaged $103,798 per incident, and that figure will probably increase in the years to come. Smart organizations can mitigate these rising costs by creating a strong framework for investigation and investing in efficient, integrated, and tech-savvy teams.

Download the 2020 Cost of Insider Threats Report today to learn more about the current insider threat landscape and to prepare your organization for the next incident.


How does your company benchmark against the study? Will you be adding to your insider threat management program?