Cost of Cybercrime for Companies Spikes 96%

The average annualized cost of cybercrime incurred by US organizations is a whopping $12.7 million, which represents a 96% increase since the study was initiated five years ago.

According to research from the Ponemon Institute, the average cost incurred to resolve a single attack now totals more than $1.6 million. That’s an increase of 9% or $1.1 million over the average cost reported in 2013. Even worse, the range for that cost can be as high as $61 million.

The highest annual cost per organization was reported in the energy and utilities and defense industries. But the retail sector alone has more than doubled when compared to average cost over the five year period—unsurprisingly considering the ongoing data breaches in that space.

Organizations in the study said that they have experienced a 176% increase in the number of cyber-attacks this year, with an average of 138 successful attacks per week, compared to 50 attacks per week when the study was initially conducted in 2010.

“This year’s report shows us once again that not only is the frequency of cybercrime increasing but so is the cost to organizations around the world,” Tony Caine, vice president and general manager for enterprise security EMEA at report sponsor HP, told Infosecurity.

He added, “What we’re seeing is that companies are still relying on a ‘silver bullet’ approach to cybersecurity – in that they are investing in defenses designed to mitigate specific threats. However the adversary is constantly evolving and has unlimited patience and resource – they only need to get it right once.”

Interestingly, the most costly cybercrimes are those caused by denial of services, malicious insiders and malicious code. These account for more than 55% of all cybercrime costs per organization on an annual basis.

That said, information theft continues to represent the highest external cost, and accounts for 40% of those (actually down 2% from the five-year average). That’s followed by the costs associated with business disruption and lost productivity, which account for 38% of external costs (up 7% from the five-year average).

The results also revealed that the time it takes to detect and resolve a cyber-attack has increased by 33% during the last five years, to 170 days. The longest average time segmented by type of attack was 259 days, and involved incidents concerning malicious insiders.

Once detected, the average time to resolve a cyber-attack is about 45 days.

Recovery and detection are the most costly internal activities, accounting for 49% of the total annual internal activity cost, with cash outlays and direct labor representing the majority of these costs.

And what about strategies for making these numbers a bit brighter? In general, the report points out that adversaries need to be successful only once to gain access to data, while their targets have an ongoing burden in stopping the barrage of attacks their organizations face each day. There are steps to take to be better prepared, though.

“An infrastructure is only as secure as its weakest link and in many cases this is caused by human error matter the complexity of the defenses in place, basic security procedure still needs to be carried out – secure passwords and increased workforce awareness,” Caine said.

Art Gilliland, senior vice president and general manager for enterprise security products at HP, added, “No amount of investment can completely protect organizations from highly sophisticated cyber-attacks, but improving and prioritizing your organization’s ability to disrupt the adversary with actionable  intelligence solutions such as SIEM, can significantly improve attack containment and reduce the overall financial impact.”

What’s Hot on Infosecurity Magazine?