Insiders remain one of the key threats to corporate cybersecurity. But insider threats are changing: they’re becoming more frequent, trickier to detect, more damaging, and, ultimately, more costly. Industry statistics and reports on insider threats help us detect those trends and upgrade our security to combat them.

In this article, we summarize key takeaways from 2020 insider threat statistic prepared by industry experts and analyze how the data in these reports can help you understand risks and adjust your cybersecurity measures accordingly.

Whitepaper on insider threat program

Research on insider threat statistics

There are dozens of reports, studies, and surveys that contain statistics on insider attacks. Analyzing all of them is nearly impossible, so for this article, we’ve focused on the most credible reports that provide us with key statistics:

Insider threat reports considered

5 insider threat incidents from 2020


Insiders can threaten any company, regardless of its size, line of business, and level of cybersecurity protection.


The 2020 Insider Threat Report [PDF] by Cybersecurity Insiders states that 68% of organizations feel moderately to extremely vulnerable to insider attacks. And they have reason to feel that way — we’ve seen a fair share of alarming insider threats in 2020.


Let’s explore some examples of recent insider threat cases of 2020:

Insider attacks in 2020

Shopify data breach — Two members of the Shopify support team abused their access rights to obtain records of customer transactions for a little under 200 merchants. The data contained customers’ personally identifiable information. The incident caused a 1.27% drop in Shopify’s stock price.


Insider trading at Amazon — The senior manager of Amazon’s tax department was found to have been disclosing Amazon’s confidential financial data to family members so they could trade on it. The manager is accused of making $1.4 million from insider dealings.


Stradis Healthcare attack — The ex-vice president of finance at Stradis Healthcare was accused of gaining unauthorized access to the Stradis Healthcare package shipping system. He modified and deleted documents on the shipments of personal protective equipment for medics. It cost the company $5,000 to restore data and renew operations, but during the COVID-19 pandemic, even brief delays may have drastic consequences.


Twitter hack — Hackers conducted a chain social engineering attack on Twitter employees, stole their credentials, and gained access to the Twitter administrator tool. Then the attackers posted scam messages on over 130 popular profiles and got $180,000 from Twitter users before company’s cybersecurity team sealed the breach. The incident resulted in a 4% fall in Twitter’s stock price.


Attempted attack on Tesla — An insider threat with a happy ending: A Tesla employee rejected a bribe of $1 million to install malware and cooperated with the FBI to help investigate the case. In 2018, Tesla experienced sabotage that caused a 5% fall in share prices, delayed a production ramp-up, and leaked sensitive data. Infecting Tesla’s system could have led to similar results.


These are just several examples of the many insider attacks that harmed organizations financially and reputationally in 2020. Below, we analyze insider threat statistics for 2020 to find data on insider threats and effective measures to protect against them.

Read also:5 Real-Life Examples of Breaches Caused by Insider Threats

Top 4 insider threat actors

Some cybersecurity experts believe that negligent and malicious employees are the most common actors in insider attacks. For example, in its 2019 Insider Threat Report [PDF], Verizon placed careless workers and misuse of assets at the top of their threat actors list. At the same time, they didn’t even mention privileged users.


However, most of the cybersecurity community thinks otherwise. Cybersecurity Insiders surveyed [PDF] security professionals to identify the riskiest types of insiders. Here’s what types of users most of them consider the most dangerous:

The most dangerous types of insiders

Privileged users and administrators — These users are particularly threatening since they hold all the keys to the organization’s infrastructure and sensitive data. Because of their high level of access, harmful activity by privileged users is difficult to detect as they don’t break any cybersecurity rules when accessing sensitive resources.


Regular employees — Regular users are not so dangerous compared to privileged users, but they still can harm an organization. For instance, they can misuse corporate data, install unauthorized applications, send confidential emails to the wrong address, become a victim of a phishing attack, etc.


Third parties and temporary workers — Vendors, business partners, and temps may not follow cybersecurity rules and practices implemented in your organization or may violate them unknowingly. Also, hackers can breach a third-party vendor with a low level of security to get inside your protected perimeter.


Privileged business users and executives — C-level executives have access to the most confidential and sensitive information about an organization. This category of users may abuse their knowledge for insider trading, personal gain, or corporate or government espionage.

Read also:Portrait of Malicious Insiders: Types, Characteristics, and Indicators

Insider threats are becoming more frequent

Despite the rising awareness of insider-related risks and the improvement of cybersecurity tools, the percentage of insider threats keeps rising.


Forecasts of the frequency of insider threats in 2021 aren’t optimistic. Forrester predicts that the number of insider data breaches will increase by 8%, continuing the current trend:

Frequency of three types of insider incidents

The Ponemon Institute study mentioned above provides insider threat analytics that confirms: steady growth of threats has happened for three key reasons:


  • Employee or contractor negligenceHuman error is the most widespread type for security incidents, and the results of such incidents caused by human error generally cost the least to mitigate. Examples of human error are sending sensitive data to the wrong recipient, misconfiguring an environment, and using unsafe work practices. Detecting and remediating an incident caused by employee or contractor negligence costs an average of $310,000.
  • Criminal and malicious insidersMalicious insiders cause much more damage to an organization because they know everything about cybersecurity measures the organization uses and the sensitive data it protects. Leveraging this knowledge, they may steal or leak data, sabotage production, or provide hackers with access to a company’s resources. Mitigating the consequences of malicious activity costs $760,000 on average.
  • Credential theft — For hackers, stealing the credentials of a trusted employee is one of the best ways to get inside an organization’s protected perimeter. Using legitimate credentials, hackers can operate undetected inside a system for quite some time. To obtain user logins and passwords, hackers use social engineering, brute forcing, credential stuffing, and other types of attacks. Incidents that involve credential theft are the most expensive to deal with at $870,000 on average.

Case study:PECB Inc. Deploys Ekran System to Manage Insider Threats [PDF]

Now, let’s see how the rising frequency of threats influences their cost and threat response times.

The cost of insider threats keeps rising

The total cost of an insider threat includes three components:

  • Direct cost — Money needed to detect, mitigate, investigate, and remediate the breach
  • Indirect cost — The value of resources and employee time spent dealing with the incident
  • Lost opportunity cost — Losses in potential profits because of the attack


And these costs keep rising by the year.


The Ponemon Institute conducted two studies on the cost of insider threats: in 2018 [PDF] and in 2020 [PDF]. According to their reports, the total average cost of a threat increased by 31% between 2017 and 2019, from $8.76 million to $11.45 million.


Companies from North America suffer the most from insider attacks and their consequences: the average cost in this region increased from $11.1 million to $13.3 million.

The cost of insider threat

The average total spending on a single insider threat incident (including monitoring, investigation, escalation, incident response, containment, ex-post analysis, and remediation) also went up from $513,000 to $756,760.

Read also:How to Calculate the Cost of a Data Breach

The time needed to detect an insider threat has increased


The longer a threat or attack goes undetected, the more harm an insider can do and the harder it is to investigate the incident.


It’s especially challenging to detect insider-related incidents because inside actors know exactly where sensitive data is stored and which cybersecurity solutions are implemented. For this reason, some breaches may go undetected for months or even years.


Statistics on the time to detect an insider threat are different in each report. The Ponemon Institute report claims that it takes on average 77 days to detect and contain an insider attack. At the same time, surveys of cybersecurity specialists and IT administrators show that many companies are able to detect an incident within hours or just a day.

Insider threat detection times

What is the best protection strategy?

With so many cybersecurity tools on the market, it’s hard to focus on a particular line of defense and choose the software that delivers the best result with the minimum effort. One possible way to do it is by analyzing statistics on cost savings from deploying tools and implementing practices.

Average cost savings of implementing security tools and practices

Let’s see how you can implement these tools and practices with Ekran System — an all-in-one insider threat management platform.


A user behavior analytics (UBA) tool establishes a baseline for employee behavior, detects unusual activity, and notifies security personnel if someone behaves unexpectedly. UBA tools are usually based on artificial intelligence or machine learning and help security officers detect and act on the earliest indicators of a threat. For example, with Ekran System’s user behavior analytics tool, security personnel can find out if employees log in to the system at unusual hours.


Privileged access management (PAM) functionality helps you prevent insider attacks by providing privileged users with granular access to sensitive resources. Ekran System offers a robust PAM toolset that includes manual access approval procedures, multi-factor authentication, password management, and other functionality.


User training and awareness is a purely administrative activity that increases employees’ awareness of threats. Efficient user training helps to reduce the number of incidents caused by negligence and gives users enough knowledge to recognize and report threats. Ekran System can be part of security training as it informs users of actions that violate corporate security policies.

Read also:How to Build an Insider Threat Program [12-step Checklist]

Threat intelligence sharing is an industry-wide practice of exchanging information on detected risks and attacks between organizations. It allows companies to prepare for possible threats and help each other with investigations. When sharing security data, it’s important not to overshare and expose sensitive data or details of your cybersecurity. To collect data on threats, you can use Ekran System’s reporting toolset. It helps you collect and analyze data on a security incident.


Strict third-party vetting procedures are required to assess vendors’ cybersecurity levels before you start working with them. You should check how a vendor’s employees access and use sensitive data, discuss their responsibilities and practices they follow, etc. It’s important to keep an eye on third parties that have access to an organization’s infrastructure even after signing agreements with them. Ekran System allows you to monitor vendors just as easily and efficiently as other users.


Incident response management tools and procedures help an organization immediately react to an insider threat and mitigate it before it leads to considerable damage. To help security officers do that, Ekran System alerts them of suspicious actions detected during user activity monitoring. Officers can review a suspicious session in real time and block the session or a user if needed. They can also configure the software to do that automatically.


Employee monitoring & surveillance tools record any user activity within the organization’s perimeter. These tools help you detect issues with cybersecurity and employee productivity, which is especially important when working with remote employees. Ekran System ensures continuous monitoring by recording activity from users’ screens and metadata including:


  • keystrokes
  • mouse movements
  • opened files, folders, and URLs
  • connected USB devices
  • executed commands


Security officers can use Ekran System to review sessions in real time or search for records on a particular incident.


With these cybersecurity tools and practices, you’ll be able to combat and detect an insider threat and respond to it quickly and efficiently.

Case study:PECB Inc. Deploys Ekran System to Manage Insider Threats [PDF]


The latest insider threat cybersecurity statistics show today’s biggest cybersecurity challenges:


  • The cost of preventing insider attacks is rising.
  • User negligence is the most common cause of a data breach.
  • Regular users are as dangerous as privileged users.
  • Insider threat deterrence must become the dominant element in a cybersecurity system.


Implementing a complex insider risk management solution such as Ekran System helps you significantly enhance data protection and keep an eye on in-house and remote employees. Check out a demo of Ekran System to find out how it can strengthen your cybersecurity!


Whitepaper on insider threat program