Organizations spend significant time and money mitigating external security threats. While these efforts are absolutely necessary, and organizations are primed to watch for threats coming from outside, plans must also be in place to mitigate insider risk.
What is an “insider” threat?
Insider threats are security risks that come from anywhere inside an organization or its trusted systems.
This typically includes a range of trusted users, including employees, contractors, business associates, partners, or vendors. Their relationship to the company gives them access to sensitive information that might include valuable intellectual property or private data that’s governed by one or more sets of regulations.
It’s important to keep this expanded view of insider risk in mind when thinking about threats, since trusted access naturally means these insiders and their actions play an outsized role in data breaches and thefts.
But not all insider attacks are the same. Each has its own set of consequences.
Accidental disclosures or mishandling
These very common events occur when an insider makes a mistake handling sensitive data but doesn’t set out with any malicious intent. This often happens when a user is careless with data storage, or when sensitive records are accidentally disclosed or sent to the wrong user.
Deliberate insider attacks
In these events, something has motivated an insider to commit a crime by tampering with, deleting, or stealing data. This can include valuable intellectual property such as trade secrets or protected PII including personal and financial records. These acts are done for a variety of reasons, including revenge, espionage, or, most commonly, financial gain.
No matter how they start, insider-driven data breaches have cascading effects that can cost millions to remediate. The price of recovery starts to rise the minute an event occurs, and the longer it takes to act, the higher the costs get for everybody involved. Insider threats are especially dangerous because of how hard they can be to detect, so specialized tools for detection and prevention are crucial to any robust overall risk strategy.
How common are threats from “insiders”?
While high-profile stories about the rise of ransomware and other external threats hit the headlines with alarming frequency, the impact of insider risk is on the rise too. According to a recent study, the number of insider-related incidents increased by 47% in the last two years. This increase is likely due to the growing sophistication of cyber criminals and the increasing availability of sensitive data.
Another analysis by the Ponemon Institute found that insider threat incidents have increased by 44% in the last two years. Experts think this is largely driven by a dramatic shift in working habits and other changes that challenge traditional compliance measures. Over the same period, the cost per incident has gone up by a third, to a staggering sum of around $15.4 million per incident.
In June 2022, a Seattle, Washington jury found Amazon Cloud Services employee Paige Thompson guilty of a breach of Capital One’s cloud environment that resulted in the theft of the personal data of over 100 million people, including names, birthdays, and Social Security numbers. While Thompson faces up to 45 years in prison, the breach (and its handling) has already cost Capital One $80M in fines and $190M in a class action lawsuit.
And these are just the stories making the headlines. Data breaches happen every single day, often going unnoticed by anyone other than the perpetrators themselves. A study found that almost one-third of employees admit to walking away from their job with exfiltrated data. If rumors around the Great Resignation are true, that’s a lot of sensitive data in the wrong hands.
Adding up the costs of an internal data breach
While the Capital One attack was committed intentionally by a malicious insider, research by the Ponemon Institute shows that 56% of insider attacks are due to negligence. This includes naïve employees taken advantage of by hackers, but it might also be a user who ignores policies to save time, for example by emailing sensitive data to a personal email address or leaving a company device unattended in public.
According to the same report, negligent data breach incidents cost an average of $484,931 per incident. Following negligent breaches are incidents related to malicious insiders, at 26%. These are criminals who have intentionally carried out cyberattacks. They are generally harder to detect, which is why the average cost for this type of incident is higher, at $648,062.
Direct and indirect costs
As organizations work to make informed decisions on combating insider threats, it’s important to get a full picture of the total costs of an insider breach. While many of the costs are obvious and easy to calculate, some can be harder to quantify.
- Direct costs. Direct costs are the easiest to understand. They cover everything associated with detecting, mitigating, and recovering from a breach. This includes post-breach investigations as well as notifications, training, and anything else required by regulations, including:
  - Detection and forensic investigation software
  - Legal fees from lawsuits from consumers, customers, and partners
  - Regulatory fines/penalties from one or more jurisdictions
  - Public relations and outreach
  - Customer outreach and credit repair services
- Indirect costs. The indirect costs arising from an incident include many consequences that take place beyond the up-front costs of detection, recovery, and dealing with regulators. These costs include business disruption or downtime and harder-to-quantify damage to reputation and revenue over time:
  - Diminished employee productivity
  - Technology deployed as part of incident response
  - Governance and controls deployed post-incident
  - Opportunity cost
  - Shareholder losses
Looking back at the Capital One breach, we can see that the direct costs paid by the company are already astronomical at more than $250M; even their lawyers asked for $65M in fees. Additionally, shareholders, following the 2019 court award, lost nearly $46B in market value.
As we add up the costs from all sides, direct and indirect, the price tag for a single insider threat continues to rise. Extrapolating what we know about the indirect cost of these insider breaches, it’s easy to see total losses, direct and indirect, of over $1B from the Capital One breach.
How do you prevent insider breaches? Qostodian Prime can help.
As the cost of non-compliance continues to escalate, there is good news. Qostodian Prime automates essential data protection and compliance workflows, giving stakeholders a unified view of sensitive data across the environment. The same platform gives compliance teams a real-time view of sensitive data as it moves across the organization—and monitors users as they interact with it.
Organizations must take insider threats seriously and move to act. While the price of security and compliance modernization can be high, it will always be a small fraction of the total cost of doing nothing. Qohash can help you take the smartest next step.