Lessons Learned from the 2026 Global Cost of Insider Risks
By Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute
The 2026 Cost of Insider Risks: Global study, sponsored by DTEX, is the seventh benchmark study conducted to understand the financial consequences of insider threats. As defined in this research, an insider-related incident is one that results in the diminishment of an organization’s core data, networks or enterprise systems. It also includes attacks perpetrated by external actors who steal the credentials of legitimate employees/users (i.e. imposter risk).
Since the 2018 study, the number of organizations represented in the research has more than doubled, from 156 to 354 in 2025, and the average number of incidents discovered and analyzed in this research increased from 3,269 to 7,490 in 2025. A challenge to minimizing the threat is the need to implement a comprehensive strategy that addresses all the different types of insider incidents: those caused by careless or negligent employees or contractors, by criminal or malicious insiders, and by credential thieves.
According to the research, organizations are not making progress in reducing the cost and frequency of the insider threats they face. In the 2024 research, 57 percent of companies experienced between 21 and more than 40 incidents per year. This year, 68 percent of organizations had between 21 and more than 40 incidents.
To reduce costs, the insider incident should be contained as quickly as possible. An average of $247,587 is spent to contain the consequences of an insider incident. The faster containment occurs, the lower the cost. If it takes more than 90 days, the average cost is $21.9 million. If it takes less than 30 days, the average cost is $14.2 million. While the average time to contain the incident decreased significantly in 2025 to 67 days from 81 days in 2024, only 13 percent of incidents were contained in less than 30 days.
The following are lessons and recommendations learned from this research.
Prioritize reducing the risks caused by negligent insiders, because negligence is the root cause of most incidents. The average number of negligent insider incidents is 13.8 in this year’s study, and the average cost for each incident is $747,107. There are a variety of reasons employees can put their organizations at risk. These include not ensuring their devices are secured, not following the organization’s policies for safeguarding sensitive and confidential information, and forgetting to patch software and upgrade to the latest version.
Improve the ability to detect risks created by malicious insiders. Malicious insiders are employees or authorized individuals who use their data access for harmful, unethical or illegal activities. Because they potentially have wider legitimate access to an organization’s sensitive and confidential data, incidents caused by malicious insiders are harder to detect than those caused by external attackers or hackers. Malicious insiders accounted for an average of 6.3 incidents, at an average cost of $742,125 per incident.
To reduce costs, focus on preventing credential theft. The intent of the credential thief is to steal users’ credentials that will grant them access to critical data and information. These attackers commonly use phishing. At an average of $842,462 per incident, up from $779,707 in 2024, credential theft continues to be the costliest type of incident. The average number of credential theft incidents increased from 4.8 in 2024 to 5.3 in 2025.
Preventing credential theft requires a multi-layered security approach: implementing phishing-resistant multi-factor authentication (MFA), using unique passwords via password managers, and conducting regular security training so that users recognize phishing. Organizations should also enforce zero trust policies and deploy monitoring tools to detect anomalous login behavior.
Certain technologies and activities can reduce costs. According to the research, privileged access management (PAM) can save an average of $6.1 million, and user behavior analytics (UBA) an average of $5.1 million.
Technology and disruption or downtime are the most significant financial consequences when dealing with insider incidents. The research presents the average percentage of insider cost for careless or negligent employees, criminal insiders and credential theft according to the following seven consequences: disruption cost (downtime), direct and indirect labor, technology, cash outlays, process/workflow changes, revenue losses and overhead.
The cost incurred by technologies represents 30 percent of the average cost of financial consequences. These are technologies used to respond to the insider incident and include the amortized value and the licensing of the software and hardware that are deployed. Business disruption includes diminished employee/user productivity and represents 19 percent of the average cost of financial consequences.
Five signs that your organization is at risk
- Employees are not trained to fully understand and apply laws, mandates, or regulatory requirements related to their work and that affect the organization’s security.
- Employees are unaware of the steps they should take to ensure that the devices they use—both company issued and BYOD—are always secured.
- Employees send highly confidential data to an unsecured location in the cloud, exposing the organization to risk.
- Employees break your organization’s security policies to simplify tasks.
- Employees expose your organization to risk if they do not keep devices and services patched and upgraded to the latest versions.
To learn more about how to adopt a proactive approach to reducing insider risks, the full report can be downloaded at https://ponemon.dtex.ai/.