ProofPoint global report: cost of insider threats

A total of 6,803 insider incidents were reported with an average annual cost of $15.4 million

This year’s ProofPoint global report (conducted by Ponemon Institute) on the cost of insider threats has a twofold goal — firstly, to understand the financial consequences of insider threats, secondly, to gain perspective on how organizations are managing these risks. ProofPoint’s first report in 2016 studied insider threats solely from companies in North America. The 2022 report includes companies from Europe, Middle East, Africa and Asia-Pacific. 

A total of 1,004 IT and IT security practitioners from 278 organizations were interviewed. These selected organizations have experienced one or more material events caused by an insider threat. Insider-related incidents are defined as resulting in the diminishment of a company’s core data, networks or enterprise systems. This also includes attacks perpetrated by external actors who steal the credentials of legitimate employees. These organizations are from the commercial and public sector. They also have a central IT function with control over on-premise and/or cloud environment. They report a total of 6,803 insider incidents with a total average annual cost of $15.4 million. 


The report defines insider threats as follows: 

  • A careless or negligent employee or contractor 
  • A criminal or malicious insider 
  • A credential thief

The most significant finding is that the number of insider threats and the time taken to contain them has increased. It now takes an average of 85 days, as opposed to 77 days from the 2016 report. Incidents due to negligence makes up the biggest proportion of reported incidents (56%). 

Incidents relating to user credential theft makes up the smallest proportion of reported incidents (18%), but has the highest average cost per incident ($804,997). Interviews with research participants also revealed credential thief threats as the biggest concern. 55% of respondents say they are most concerned about a hacker stealing the valid credentials of an employee.

Respondents are foremost concerned with data being stolen from unmanaged IoT devices. Corporate email was reported to be the storage place of mass amounts of sensitive data. Respondents say employees keep critical business information such as personally identifiable information (PII) and intellectual property (IP) in their email inboxes. Besides stealing data, malicious insiders also posed a threat by emailing sensitive data to outside parties followed by scanning for open ports and vulnerabilities. 

Mitigating Insider Threats

The prevalence of digital devices and digital transformation makes it ever so necessary to combat data threats. The report suggests organizations to implement a people-centric Insider Threat Management (ITM) program. This program should be designed for both in-office and remote workers (including those working-from-anywhere). An effective ITM program committee benefits from cross-team collaboration with members from departments such as IT, HR, compliance and legal.

The traits of a successful ITM program are as follows: 

  • Visibility: Clarify the organisation’s data movement process to all employees. Doing so provides opportunities to speed up the organisation’s mean time to detect (MTTD) and mean time to respond (MTTR)
  • Consistency: Periodical evaluations of the organisation’s risk and possible high-risk insiders will allow the committee to identify threats and develop strategy plans. 
  • Transparency: Forging a supportive environment and encouraging members to learn from past lessons, facilitates an organization to evolve with the ever-changing risk landscape.