From data leaks and cybersecurity incidents enabled by careless users to the malicious theft of intellectual property (IP) or even workplace violence, insider threats continue to pose a significant risk across industries and geographies.
Surveys across private sector organizations indicate a nearly 50% increase in insider incidents between 2020 and 2022, likely attributable to the way in which employees’ work changed during COVID, e.g., remote and hybrid workstations.[1]
These trends have escalated post-COVID, with some surveys reporting up to 83% of organizations experiencing at least one insider incident in 2024, an increase from 60% in 2023.[2] Notably, these surveys typically focus on cyber- and IP-theft-related insider incidents. If the definition of insider threat incidents is expanded to include sabotage, corporate espionage, nation-state threats and workplace violence, the total number of incidents and companies impacted may be even higher. Bottom line: insider threats are a growing and evolving risk, and organizations need to be aware and prepared for the continued increase in incidents regardless of the industry in which they operate.
The financial and reputational costs of any type of insider event can be significant. A single event has the potential to cost a company tens of millions of dollars when remediation, lost revenue and litigation fees are tallied. Meanwhile, the reputational costs and damage can endure for years.
In 2024, the total average cost of an insider incident was $17.4M USD, with the highest activity cost incurred to remediate the incident.[3] This suggests that a proactive approach not only protects against threats, but also helps reduce the high financial costs associated with containment and incident response efforts.
With companies placing added attention on insider risk programs and preventative measures, why do insider threat incidents continue to not only persist, but increase year on year?
More often than not, insider threat programs, where they exist, are oriented predominantly or exclusively towards detecting anomalous network activity indicative of potential insider issues, namely data loss, and ensuring that careless employee behavior does not compromise an IT network. While these IT and cybersecurity focused controls are a vital component of insider threat mitigation, they cannot serve as a company’s sole line of defense against insider risk. These types of controls are too often reactive in nature and ignore a vital component of insider threat – the person behind the incident.
The human factor in the workplace is more important now than ever, given indicators that employee populations are more lonely and less engaged than at any point since at least 2014. According to Gallup’s 2024 State of the Global Workplace survey, one in five employees globally reported feeling loneliness for a significant period during the previous day. The same survey found that overall wellbeing – a measure of current and future self-reflection – declined to 34% in 2023, with disproportionately higher declines seen in workers under 35.[4]
In the U.S., these figures are compounded by increased societal stress, continued cost of living pressures and worsening mental health indicators. These factors, taken in totality, can contribute to employees’ overall stress levels and may exacerbate factors that contribute to an individual becoming an insider threat, whether intentionally or unwittingly. This underscores the importance for organizations to adopt a proactive, predictive approach to insider threat prevention that takes into account whole-person indicators of a potential risk.
What does “right” look like?
The most effective insider risk programs should take a multidisciplinary approach to prevention, oriented towards detecting signs an employee may be at risk before they commit an insider incident. A multidisciplinary approach involves forming a team of stakeholders comprised of digital security, corporate security, intelligence, human resources, legal, ethics and compliance experts who are trained in threat detection methodologies and focused on prevention rather than just detection. This team acts as a company’s insider risk advisory committee and first responders, advising on employee training, establishing mechanisms to report behaviors of concern and supporting investigations into individuals who may pose a threat.
This approach improves prevention in a number of important ways:
- It educates employees on how to identify a host of threats beyond careless acts on an IT system – from nation-state approaches to corporate espionage to signs a colleague is in distress and needs support. This mindset also establishes systems to report such behavior in a way that emphasizes compassionate intervention to forestall an incident.
- It ensures a company has a team of trained threat detection specialists who also serve as experts on areas where insider-related issues can manifest, including in cybersecurity, physical or corporate security, and human resources.
- It changes a company’s culture from one that is reactionary to one that proactively identifies threats and works to mitigate the risks ahead of an incident.
- It creates a team that can oversee an annual insider risk assessment to brief the C-suite and board on internal and external factors impacting a company’s insider risk profile. They also provide recommendations on how to mitigate those risks ahead of time. Factors can include planned layoffs, company reorganizations, development of new intellectual property or acquisition of a competitor, to name a few.
- It detects employees planning to leave the organization by identifying both technical indicators (e.g., file transfers, accessing sensitive data, IP theft) and behavioral signs of dissatisfaction (e.g., increased absenteeism, decreased productivity, changes in behavior, complaining).
Ultimately, a people-focused, multidisciplinary team approach to preventing insider threat is key to driving down incident rates and the corresponding costs to business.
[1] https://www.stationx.net/insider-threat-statistics/
[2] https://securityintelligence.com/articles/83-percent-organizations-reported-insider-threats-2024/
[3] https://ponemon.dtexsystems.com/
[4] https://www.gallup.com/workplace/349484/state-of-the-global-workplace.aspx