Cyber crimes cost organizations $3.8 million per year

The study, sponsored by IT security vendor ArcSight, surveyed 45 US companies for a window of four weeks, over the course of nine months. While the first-ever Cost of Cyber Crime Study revealed a vast range, the average bill for the organizations that participated came in at $3.8 million per year, which factored in the costs of information loss, disruption to business, equipment damage, and lost revenue, among others.

Information loss, such as customer and employee data, made up the largest portion of external costs (42%) according to the cyber crime survey, whereas labor – both direct and indirect – chewed up 49% of the internal bill associated with a cyber crime incident response.

The survey found that the hardest hit sectors were defense, energy, and financial services, which “experience substantially higher costs” per organization. For example, cyber crime, on average, cost companies in the retail sector $2.77 million per year, while financial services companies boasted a bill of $12.37 million.

“Cyber crime is a big problem for companies”, said Institute founder Larry Ponemon. He added that although the finance sector was not the main focus of the study, “financial service organizations are generally more susceptible to higher cyber crime costs because of the stealth and sophistication of attack methods, especially against retail banks”.

What the survey revealed is that organizations that invest in IT security will actually realize some cost savings by reducing their exposure to cyber criminals. Ponemon’s research showed that, when factoring in an organization’s security posture, those that were in the top quartile reported spending half as much over the year to resolve cyber attack incidents.

“Cyber crime is expensive and frequent”, concluded the Institute’s founder and chairman. “However, cyber crime cost can be moderated by enabling technologies and good governance practices.”
