11:41 AM
Cybercrime Costs Skyrocket

U.S. businesses now face average annual costs of $11.6 million to combat cybercrime, says study.

Over the past four years, cybercrime costs have climbed by an average of 78%, while the time required to recover from a breach has increased 130%.

Those findings come from the fourth annual Cost of Cyber Crime Study, conducted by Ponemon Institute and sponsored by HP. Ponemon's researchers studied 234 businesses around the world, located in the United States, Australia, France, Germany, Japan and the United Kingdom.

In the United States, the annual cybercrime cost seen by the 60 businesses studied ranged from $1.3 million to more than $58 million and averaged $11.6 million per company -- an increase of $2.6 million from 2012. Meanwhile, the average cost of cleaning up after a single successful -- and serious -- attack was $1 million.

"What we call a 'serious attack' is one that doesn't bounce off the firewall," said Larry Ponemon, chairman of the Ponemon Institute, speaking by phone. That's a reference to the fact that businesses are typically hit with numerous attempted -- or nuisance -- attacks each day. "When it slips through that first line of defense, it's something that's measurable in our model," he said.


On average, each U.S. business falls victim to two successful attacks per week. All told, the 60 U.S. businesses studied collectively logged 122 successful attacks per week, which is an increase from 102 successful attacks per week in 2012. The time required to resolve a cyberattack likewise increased from an average of 24 days in 2012 to 32 days in 2013.

"The evidence suggests that things are getting worse instead of better, despite all the resources that companies are spending on cybercrime," said Ponemon.

But cybercrime costs continue to vary widely by country. The highest costs, according to the study, were seen by businesses in the United States (averaging $11.6 million per business) and Germany ($7.6 million). Both Japan ($6.7 million) and France ($5.1 million) experienced mid-range costs, while the United Kingdom ($4.7 million) and Australia ($3.7 million) saw the lowest related costs.

"We're trying to understand why there would be the national cross-country differences," Ponemon said.

One likely explanation stems from the fact that some types of attacks carry higher cleanup costs. According to the study, for example, the most costly cybercrimes are those caused by denial of service, malicious insiders and Web-based attacks. Not coincidentally, businesses in the United States were also more likely than companies in other countries to be targeted by costly malicious code and distributed denial of service (DDoS) attacks.

"The Big Kahuna in terms of cost consequence is the theft of intellectual property -- data as well as compliance costs," said Ponemon. "But distributed denial of service was a close second."

How can businesses lower their cybercrime costs? According to the study, attack costs were lower for businesses that employed technologies such as SIEM (security information and event management), intrusion prevention systems, application security testing, and enterprise governance, risk management and compliance solutions. Notably, the study reported that businesses with security intelligence programs and tools in place enjoyed an average cost savings of nearly $4 million when compared to companies not deploying security intelligence technologies.

"The real value from SIEM is really: what's my situational awareness?" said Frank Mong, VP and general manager of solutions for HP's enterprise security products group, speaking by phone. In other words, such tools help businesses to more quickly identify security vulnerabilities, systems needing patches, as well as signs of successful intrusions.
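As an added illustration of the situational-awareness point above (this is example code written for this page, not HP's or Ponemon's, and not part of the study), the following Python script correlates constructed firewall and IDS log lines to separate nuisance attempts that bounced off the firewall from attacks that got past it, which is the distinction Ponemon's model uses for a "serious attack". The log formats, addresses, signature names and the five-minute correlation window are all assumptions made for the example.

```python
"""
Minimal SIEM-style correlation of firewall and IDS events.

Added example for this article, not code from HP, Ponemon or any product.
Every log line, host address, signature name and format below is
constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed firewall lines: <ts> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>
FIREWALL_LOG = """\
2013-10-07T09:00:01 DENY src=203.0.113.10 dst=192.0.2.5 dport=22
2013-10-07T09:00:02 DENY src=203.0.113.10 dst=192.0.2.5 dport=23
2013-10-07T09:00:03 DENY src=203.0.113.10 dst=192.0.2.5 dport=3389
2013-10-07T09:05:00 ALLOW src=198.51.100.7 dst=192.0.2.80 dport=80
2013-10-07T09:05:02 ALLOW src=198.51.100.7 dst=192.0.2.80 dport=80
2013-10-07T10:15:00 ALLOW src=192.0.2.33 dst=192.0.2.80 dport=80
2013-10-08T14:20:00 ALLOW src=198.51.100.9 dst=192.0.2.25 dport=25
"""

# Constructed IDS alert lines: <ts> ALERT sig="<name>" src=<ip> dst=<ip>
IDS_LOG = """\
2013-10-07T09:05:03 ALERT sig="SQLi in query string" src=198.51.100.7 dst=192.0.2.80
2013-10-07T09:00:02 ALERT sig="Port scan" src=203.0.113.10 dst=192.0.2.5
2013-10-08T14:20:30 ALERT sig="Outbound beacon to known C2" src=192.0.2.25 dst=203.0.113.99
"""

FW_RE = re.compile(
    r'^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$'
)
IDS_RE = re.compile(
    r'^(?P<ts>\S+) ALERT sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$'
)


def parse(text, pattern):
    """Parse one log source into dicts; an unparseable line is an error, not silently dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = pattern.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def classify_alerts(fw_text=FIREWALL_LOG, ids_text=IDS_LOG, window=timedelta(minutes=5)):
    """
    For each IDS alert, look at firewall events within +/- window and decide:
      serious   - the flow was ALLOWed through the firewall and then tripped the IDS,
                  or the alert is sourced by an internal host that was just reached
                  by an ALLOWed inbound connection (post-compromise activity);
      nuisance  - the only matching firewall events are DENYs (bounced off the firewall);
      unmatched - no firewall context, needs an analyst or better log coverage.
    Returns a list of (timestamp, signature, verdict).
    """
    fw = parse(fw_text, FW_RE)
    results = []
    for a in parse(ids_text, IDS_RE):
        lo, hi = a["ts"] - window, a["ts"] + window
        nearby = [f for f in fw if lo <= f["ts"] <= hi]
        allowed_same_flow = any(
            f["action"] == "ALLOW" and f["src"] == a["src"] and f["dst"] == a["dst"] for f in nearby
        )
        allowed_into_src = any(f["action"] == "ALLOW" and f["dst"] == a["src"] for f in nearby)
        denied_src = any(f["action"] == "DENY" and f["src"] == a["src"] for f in nearby)
        if allowed_same_flow or allowed_into_src:
            verdict = "serious"
        elif denied_src:
            verdict = "nuisance"
        else:
            verdict = "unmatched"
        results.append((a["ts"], a["sig"], verdict))
    return results


def summarize(results):
    """Count verdicts, e.g. {'serious': 2, 'nuisance': 1}."""
    return dict(Counter(v for _, _, v in results))


def serious_per_week(results):
    """Serious attacks keyed by ISO (year, week), the unit the study reports."""
    return dict(Counter((ts.isocalendar()[0], ts.isocalendar()[1]) for ts, _, v in results if v == "serious"))


if __name__ == "__main__":
    res = classify_alerts()
    for ts, sig, verdict in res:
        print(f"{ts.isoformat()}  {verdict:9s}  {sig}")
    print(summarize(res))
    print(serious_per_week(res))
```

The port scan is classified as nuisance because every firewall event for that source is a DENY; the SQL injection attempt and the outbound beacon are serious because the firewall let the relevant flow through before the IDS fired. Real deployments key on flow identifiers and asset inventories rather than bare IP pairs, and they must handle the unmatched case explicitly rather than assume it is benign.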

Beyond tools, Mong said, businesses must also begin sharing more information about the attacks they're seeing with other businesses. He referenced HP's own Threat Central, which he likened to "a Yelp for security intelligence." Launched last month, it's the company's first-ever crowdsourced portal designed for sharing real-time information on online attacks.

"We think that's going to be the key to winning today's war against cyber criminals -- that sharing of intelligence," said Mong. In particular, he said, businesses need better counterintelligence and to understand their adversaries better and discover harmful anomalies quicker.

Another cost-saver, according to the Ponemon report, is having enterprise security governance practices, including a high-level security leader such as a CISO, certified and experienced staff, and a sufficient budget. Such practices reduce a company's annual cybercrime cleanup costs by an average of $1.5 million, the study said.

For best results, however, businesses must employ a layered combination of the above security defenses and intelligence tools along with information-sharing techniques and governance practices. "Organizations that are doing these things -- the good news is -- it's affecting, in a favorable sense, cost," said Ponemon. "The more you do, the lower the [cybercrime] cost -- but it never gets to zero. Even if you do a regression to infinity, there's always some cost, even if you have the best security posture and are using the latest and greatest tools."

Comments
Mathew
User Rank: Apprentice
10/10/2013 | 4:11:22 PM
re: Cybercrime Costs Skyrocket
No mention of PCI-DSS. Have you ever seen research demonstrating that PCI-DSS has decreased the incidence of companies storing -- or losing -- unencrypted credit/debit card data?
Marilyn Cohodas
User Rank: Apprentice
10/10/2013 | 1:06:45 PM
re: Cybercrime Costs Skyrocket
Makes sense to me that financial services are a major target for cybercrime -- and also that the industry would be spending a lot more money on protection.

I'm curious, though, Matt. Did the report make any mention of whether Payment Card Industry Data Security Standards (PCI-DSS) are having any impact on the threat landscape?
Marilyn Cohodas
User Rank: Apprentice
10/10/2013 | 1:00:51 PM
re: Cybercrime Costs Skyrocket
"Notably, the study reported that businesses with security intelligence programs and tools in place enjoyed an average cost savings of nearly $4 million when compared to companies not deploying security intelligence technologies."

That seems like a pretty respectable ROI for next gen security tools. I'm wondering if InformationWeek readers are seeing a similar payback. Thoughts anyone?
Mathew
User Rank: Apprentice
10/10/2013 | 9:51:03 AM
re: Cybercrime Costs Skyrocket
Greg, the researchers said they couldn't find clear differentiation between different industries. Although it's worth noting that businesses in the U.S. (and Germany) may spend more, simply because they're not only facing a higher volume of attacks, but tailoring their defenses accordingly. All that said, financial services firms tend to see a huge number of attacks, relatively speaking, so their spending is going to be higher.
Greg MacSweeney
User Rank: Apprentice
10/9/2013 | 2:47:04 PM
re: Cybercrime Costs Skyrocket
These numbers are alarming, to say the least. Was there any industry breakdown when it comes to the costs? We know that financial services is a favorite target, but how do the costs compare in FS vs. retail, utilities and other areas?
WKash
User Rank: Apprentice
10/8/2013 | 9:34:33 PM
re: Cybercrime Costs Skyrocket
Interesting: The highest costs were seen by businesses in the United States (averaging $11.6 million per business) and Germany ($7.6 million) vs. Japan ($6.7 million) and France ($5.1 million) and the United Kingdom ($4.7 million) and Australia ($3.7 million).

... and the observation that businesses in the United States were also more likely than companies in other countries to be targeted by costly malicious code and distributed denial of service (DDoS) attacks.
I