Conducted by the Ponemon Institute and sponsored by HP Enterprise Security Products, the 2013 Cost of Cyber Crime Study tosses around some arresting numbers: the average annualized cost of cybercrime incurred by a benchmark sample of US organizations was $11.56 million, with a range of $1.3 million to $58 million. That represents a 78% increase since the initial study was conducted four years ago and an increase of 26%, or $2.6 million, over the average cost reported in 2012.
Part of the additional cost stems from the fact that the time it takes to resolve a cyber-attack has increased by nearly 130% during this same period. The average time to resolve a cyber-attack is 32 days, with an average cost incurred during the resolution period of $1,035,769, or $32,469 per day – a 55% increase over last year’s estimated average cost of $591,780 for a 24-day period.
Overall, organizations experience an average of 122 successful attacks per week, up from 102 attacks per week in 2012. Cybercrime cost varies by company size, but smaller organizations incur a significantly higher per-capita cost than larger organizations. Organizations in financial services, defense, and energy and utilities also experience substantially higher cybercrime costs than those in retail, hospitality and consumer products.
Not all attacks are created equal in terms of expense, of course. The most costly cybercrimes are caused by denial-of-service, malicious-insider and web-based attacks, together accounting for more than 55% of all cybercrime costs per organization on an annual basis, Ponemon found.
Information theft continues to represent the highest external costs, with business disruption a close second. On an annual basis, information loss accounts for 43% of total external costs, down 2% from 2012. Business disruption or lost productivity accounts for 36% of external costs, an increase of 18% from 2012.
Meanwhile, recovery and detection are the most costly internal activities. For the past year, recovery and detection combined accounted for 49% of the total internal activity cost, with cash outlays and labor representing the majority of these costs.
“The threat landscape continues to evolve as cyber-attacks grow in sophistication, frequency and financial impact,” said Frank Mong, vice president and general manager for solutions at the HP Enterprise Security Products division, in a statement. “For the fourth consecutive year, we have seen the cost savings that intelligent security tools and governance practices can bring to organizations.”
Adversaries both specialize and share intelligence in order to obtain sensitive data and disrupt critical enterprise functions these days, driving the need for more advanced protections, like security information and event management (SIEM), network intelligence systems and big data analytics. The research found that organizations using security intelligence technologies were more efficient in detecting and containing cyber-attacks, experiencing an average cost savings of nearly $4 million per year, and a 21% return on investment (ROI) over other technology categories.
Also, deployment of enterprise security governance practices, including investing in adequate resources, appointing a high-level security leader and employing certified or expert staff, can reduce cybercrime costs and enable organizations to save an estimated average of $1.5 million per year.
“Information is a powerful weapon in an organization's cybersecurity arsenal,” said Larry Ponemon, chairman and founder at the Ponemon Institute. “Based on real-world experiences and in-depth interviews with more than 1,000 security professionals around the globe, the Cost of Cyber Crime research provides valuable insights into the causes and costs of cyber-attacks. The research is designed to help organizations make the most cost-effective decisions possible in minimizing the greatest risks to their companies.”
In addition to the fourth annual study of US companies, Ponemon conducted cyber-cost studies for companies in Australia, Germany, Japan and the UK for the second year in a row. A study of French companies was conducted for the first time this year. Of the countries surveyed, the US sample reported the highest total average cost of cybercrime, at $11.6 million, while the Australia sample reported the lowest, at $3.7 million.