The Shocking Cost of Insider Risk in 2025—and What You Can Do About It

Insider risk now costs organizations $17.4 million a year—and most of it isn’t caused by malicious actors. In this blog, we break down why insider incidents are rising, what’s fueling them, and how to reduce exposure with identity-aware visibility.


They’re not the hackers on the news. They’re the ones already inside.

In 2025, insider risk is no longer a fringe concern. It’s a business-critical reality.

According to the new 2025 Cost of Insider Risks report by Ponemon Institute and DTEX, organizations now face an average annual cost of $17.4 million from insider-related incidents—up from $16.2M in 2023.

That’s a 40% jump since 2020.

And it’s not just the money—it’s the scale and invisibility of the threat:

  • 101 insider incidents per year, on average
  • 86 days to contain each incident
  • The majority caused not by malice, but negligence

Let’s unpack what this means—and how you can respond.


The Real Enemy? Negligence

The data is clear: most insider incidents aren’t caused by spies or disgruntled employees.

They’re caused by people trying to do their job—fast.

❗ 56% of insider risk incidents come from negligent insiders

❗ Only 25% come from malicious intent

❗ 19% stem from credential theft

The real problem? It’s harder than ever to tell the difference.

If someone downloads a customer list at midnight, are they working late, or exfiltrating data?

If someone connects a new AI tool to company files, are they boosting productivity or creating a new attack surface?

You can’t rely on role or title alone. You need to understand each person’s normal pattern of life.


Why It’s Getting Worse

Three trends are making insider risk harder to contain:

🔀 Hybrid Work: People move between home and office, personal and work devices, public and private networks. Visibility gaps grow.

🤖 Shadow AI: Employees adopt productivity tools that IT doesn’t approve. These tools often connect via OAuth and sit outside traditional data loss prevention (DLP) systems.

🧹 SaaS Sprawl: The average company now uses over 300 SaaS apps, and many are connected without oversight. A single risky app can act as an unmonitored exfiltration path.

The result? You’re flooded with noise. And attackers hide in plain sight.


What To Do Instead

Visibility matters. But so does context.

Start here:

  1. Build Identity-Centric Baselines

Track how each user normally behaves. When do they log in? From where? Which apps do they access? What devices do they use?

  2. Score Risk by Behavior, Not Role

A junior employee using 5 unsanctioned tools and uploading gigabytes of data is riskier than a CTO behaving normally.

  3. Look for Anomalies in the Pattern of Life

The goal isn’t to flag every late-night login. It’s to spot deviations that matter—like new devices, new app connections, or unusual data movements.

  4. Map Shadow IT and Shadow AI

Most data exfiltration doesn’t happen through email. It happens through personal drives, OAuth connections, and unsanctioned platforms.

  5. Don’t Just React—Prevent

Use SaaS security posture management (SSPM) and user behavior analytics tools that can detect, investigate, and predict insider risk based on real usage.
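The first three steps above, worked through as an added Python example (not code from FrontierZero or the Ponemon report): it builds a per-identity baseline from past activity and scores new events by how far they deviate from it. The event fields, weights, and alert threshold are assumptions chosen for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, login hour, device, app, MB uploaded)
HISTORY = [
    ("alice", 9, "laptop-a", "crm", 20), ("alice", 10, "laptop-a", "mail", 5),
    ("alice", 23, "laptop-a", "crm", 25), ("alice", 14, "laptop-a", "crm", 15),
    ("bob", 9, "laptop-b", "mail", 4), ("bob", 11, "laptop-b", "wiki", 6),
    ("bob", 10, "laptop-b", "mail", 5), ("bob", 15, "laptop-b", "wiki", 5),
]
ALERT_THRESHOLD = 50  # assumed cut-off; tune against real data

def build_baselines(history):
    """Per-identity baseline: usual hours, devices, apps and upload volume."""
    base = defaultdict(lambda: {"hours": set(), "devices": set(),
                                "apps": set(), "mb": []})
    for user, hour, device, app, mb in history:
        b = base[user]
        b["hours"].add(hour)
        b["devices"].add(device)
        b["apps"].add(app)
        b["mb"].append(mb)
    return base

def score_event(base, event):
    """Score deviation from the user's own pattern; role is never consulted."""
    user, hour, device, app, mb = event
    b = base.get(user)
    if b is None:  # no history for this identity: route to manual review
        return 100, ["no baseline for identity"]
    score, reasons = 0, []
    if device not in b["devices"]:
        score, reasons = score + 40, reasons + ["new device"]
    if app not in b["apps"]:
        score, reasons = score + 30, reasons + ["new app connection"]
    mu, sigma = mean(b["mb"]), pstdev(b["mb"])
    if mb > mu + 3 * max(sigma, 1.0):  # floor sigma so flat baselines still work
        score, reasons = score + 40, reasons + ["unusual data volume"]
    if hour not in b["hours"]:  # weak signal: below the threshold on its own
        score, reasons = score + 10, reasons + ["unusual hour"]
    return score, reasons

def triage(history, events):
    """Return (event, score, reasons) for events at or above the threshold."""
    base = build_baselines(history)
    scored = [(e, *score_event(base, e)) for e in events]
    return [row for row in scored if row[1] >= ALERT_THRESHOLD]
```

A 2 a.m. login from a known device with normal volume scores 10 and raises nothing; the same login from a new device into a new app with a 900 MB upload scores 120.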


Final Thoughts: It’s Time for User-Centric Security

Insider risk isn’t just an HR problem. It’s not just a SOC problem. It’s a visibility problem.

The new Ponemon report makes it clear: reactive approaches aren’t working.

You need to see your environment through the lens of your people, not just their roles, but their behaviors.

Every identity tells a story. If you’re not listening, you’re already behind.


Want to learn how FrontierZero helps map identity patterns, shadow tools, and behavioral risk? 📥 Start a free trial or contact our team today.