The security risks that organizations face vary in nature, which is why there’s such a push for all types of businesses to take a holistic approach to information security. Not only do businesses deal with the continuous evolution of threats, but they also deal with vulnerabilities that are hard to manage and resolve. One of these weak spots is the insider threat.

 

Insider threats are growing, and because they involve people working within or with the enterprise, they are that much more difficult to address. They are also some of the most expensive to deal with.

 

A recent Ponemon Institute study finds that organizations are spending an average of $4.3 million annually to mitigate, address, and resolve insider-related incidents. Even more astounding, in some of the most significant cases insider threat costs surpass $17 million annually.

 

According to the study, the time it takes organizations to contain insider threat incidents is more than 90 days for 28% of organizations, 61 to 90 days for 30% of organizations, 30 to 60 days for 22% of organizations, and less than 30 days for 20% of organizations. The average time to contain insider-related incidents was found to be 65.4 days. The study also showed that the total annualized cost for an incident lasting more than 60 days averaged $4.5 million and went up to $5.7 million after 90 days.

 

So, the perception that external forces are the biggest threat to organizations is inaccurate. The effects of insider threats on organizations, from mitigation and detection through resolution and investigation, can be just as devastating as external breaches. No matter how an organization’s data is taken, the consequences businesses encounter are the same.

 

It is also important to note that insider threat is not only driven by malicious employees; a significant portion of insider risk is due to carelessness. Well-intentioned employees don’t always understand how they’re putting company data at risk, and unfortunately that doesn’t make these types of incidents any less expensive. The annual cost of insider incidents caused by business partners or employee negligence can average nearly $2.3 million.

 

This information matters because it shows the need to create a company culture around data security and to build partnerships with businesses that take security seriously. If organizations continue to focus on external threats instead of getting their entire company and collaborators on board with security, they may be prepared to defend against one type of breach but will still be vulnerable to other types of breaches that are just as costly.

 

Another takeaway from the study is that legacy solutions aren’t enough to reduce costs and protect against insider threats. The study found that data loss prevention, user awareness and training, and network intelligence, which are ranked among the most frequently deployed tools, are among the lowest recorded in incremental cost savings. For example, network intelligence and user training only yielded $0.3 million in incremental cost savings.

 

The only way organizations can really save on breach costs and be prepared to quickly address and resolve breaches is to stop thinking of information security as fragmented and invest in a solution that takes into consideration people, process, and technology. When this happens, external and insider threats will be treated the same. Businesses will build a risk management posture that takes into consideration every type of security threat and not just some of them.

 

Although it may seem like businesses are making cost-effective data security decisions, when that investment doesn’t involve a well-rounded information security plan, it’s only a matter of time until breach costs cause twice the spending.

 

Get risk management on the right track: invest in information security in a way that doesn’t come back to bite you later on. If you’re not sure where to start, schedule a call and let’s talk about your specific needs! We’re only a click away.

 

Photo courtesy of Maksim Kabakou