Between 2018 and 2020, there was a 47% increase in the frequency of incidents involving Insider Threats. This includes malicious data exfiltration and accidental data loss. The latest research, from the Verizon 2021 Data Breach Investigations Report, suggests that Insiders are responsible for around 22% of security incidents.

Why does this matter? Because these incidents cost organizations millions, are leading to breaches that expose sensitive customer, client, and company data, and are notoriously hard to prevent.

In this article, we’ll explore:

• How often these incident are happening
• What motivates Insider Threats to act
• The financial  impact Insider Threats have on larger organizations
• The effectiveness of different preventive measures

If you know what an Insider Threat is, click here to jump down the page. If not, you can check out some of these articles for a bit more background.

1. What is an Insider Threat? Insider Threat Definition, Examples, and Solutions
2. Insider Threat Indicators: 11 Ways to Recognize an Insider Threat
3. Insider Threats: Types and Real-World Examples

How frequently are Insider Threat incidents happening?

As we’ve said, incidents involving Insider Threats have increased by 47% between 2018 and 2020. A 2021 report from Cybersecurity Insiders also suggests that 57% of organizations feel insider incidents have become more frequent over the past 12 months.

But the frequency of incidents varies industry by industry. The Verizon 2021 Breach Investigations Report offers a comprehensive overview of different incidents in different industries, with a focus on patterns, actions, and assets.

Verizon found that:

• The Healthcare and Finance industries experience the most incidents involving employees misusing their access privileges
• The Healthcare and Finance industries also suffer the most from lost or stolen assets
• The Finance and Public Administration sectors experience the most “miscellaneous errors” (including misdirected emails)—with Healthcare in a close third place

[infogram id=”industry-by-industry-1hzj4ozd35g32pw?li”]

There are also several different types of Insider Threats and the “who and why” behind these incidents can vary. According to one study:

• Negligent Insiders are the most common and account for 62% of all incidents.
• Negligent Insiders who have their credentials stolen account for 25% of all incidents
• Malicious Insiders are responsible for 14% of all incidents.

[infogram id=”pie-chart-type-of-insider-1h8n6mdx3rpz6xo?live”]

Looking at Tessian’s own platform data, Negligent Insiders may be responsible for even more incidents than most expected. On average, 800 emails are sent to the wrong person every year in companies with 1,000 employees. This is 1.6x more than IT leaders estimate.

[infogram id=”tessian-data-misdirected-emails-1hd12ykmr50x4km?live”]

Malicious Insiders are likely responsible for more incidents than expected, too. Between March and July 2020, 43% of security incidents reported were caused by malicious insiders.

We should expect this number to increase. Around 98% of organizations say they feel some degree of vulnerability to Insider Threats. Over three-quarters of IT leaders (78%) think their organization is at greater risk of Insider Threats if their company adopts a permanent hybrid working structure. Which, by the way, the majority of employees would prefer.

What motivates Insider Threats to act?

When it comes to the “why”, Insiders – specifically Malicious Insiders – are often motivated by money, a competitive edge, or revenge. But, according to one report, there is a range of reasons malicious Insiders act. Some just do it for fun.

[infogram id=”motivation-1hxr4zv8d7vq2yo?live”]

But, we don’t always know exactly “why”. For example, Tessian’s own survey data shows that 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed.  While we may be able to infer that they’re taking spreadsheets, contracts, or other documents to impress a future or potential employer, we can’t know for certain.

Note: Incidents like this happen the most frequently in competitive industries like Financial Services and Business, Consulting, & Management. This supports our theory.

[infogram id=”bad-leavers-1hzj4ozdrpq32pw?live”]

How much do incidents involving Insider Threats cost?

The cost of Insider Threat incidents varies based on the type of incident, with incidents involving stolen credentials causing the most financial damage. But, across the board, the cost has been steadily rising.

[infogram id=”cost-per-incident-1h7k23z1yvrg6xr?live”]

Likewise, there are regional differences in the cost of Insider Threats, with incidents in North America costing the most and almost twice as much as those in Asia-Pacific.

[infogram id=”activity-across-the-globe-1hd12ykmrljx4km?live”]

But, overall, the average global cost has increased 31% over the last 2 years, from $8.76 million in 2018 to $11.45 in 2020 and the largest chunk goes towards containment, remediation, incident response, and investigation.

[infogram id=”cost-by-acitivty-1h7z2lr3vllx2ow?live”]

But, what about prevention?

How effective are preventative measures?

As the frequency of Insider Threat incidents continues to increase, so does investment in cybersecurity. But, what solutions are available and which solutions do security, IT, and compliance leaders trust to detect and prevent data loss within their organizations?

A 2021 report from Cybersecurity Insiders suggests that a shortfall in security monitoring might be contributing to the prevalence of Insider Threat incidents.

Asked whether they monitor user behavior to detect anomalous activity:

• Just 28% of firms responded that they used automation to monitor user behavior
• 14% of firms don’t monitor user behavior at all
• 28% of firms said they only monitor access logs
• 17% of firms only monitor specific user activity under specific circumstances
• 10% of firms only monitor user behavior after an incident has occurred

And, according to Tessian’s research report, The State of Data Loss Prevention, most rely on security awareness training, followed by following company policies/procedures, and machine learning/intelligent automation. But, incidents actually happen more frequently in organizations that offer training the most often and, while the majority of employees say they understand company policies and procedures, comprehension doesn’t help prevent malicious behavior.

[infogram id=”training-1h7z2lr3voox2ow?live”]

That’s why many organizations rely on rule-based solutions. But, those often fall short.

Not only are they admin-intensive for security teams, but they’re blunt instruments and often prevent employees from doing their jobs while also failing to prevent data loss from Insiders.

So, how can you detect incidents involving Insiders in order to prevent data loss and eliminate the cost of remediation? Machine learning.

How does Tessian detect and prevent Insider Threats?

Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats.

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. It understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity.

1. Tessian Enforcer detects and prevents data exfiltration attempts
2. Tessian Guardian detects and prevents misdirected emails
3. Tessian Defender detects and prevents spear phishing attacks

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.

Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way. Interested in learning more about how Tessian can help prevent Insider Threats in your organization? You can read some of our customer stories here or book a demo.