Hackers are bagging more money from cybercrime, report finds

The cybercrime study, conducted by the Ponemon Institute and sponsored by HP’s ArcSight, found that the average time to resolve a cybercrime is 18 days, with an average cost to organizations of nearly $416,000. This represents a nearly 70% increase from the estimated cost of $250,000 over a 14-day resolution period in last year’s study. Results also showed that malicious insider attacks can take more than 45 days to contain.

“The cost of cybercrime has increased substantially on an average basis. Basically we know that the frequency of attacks has also increased”, Larry Ponemon, chairman of the Ponemon Institute, told Infosecurity.

Over a four-week period, the organizations examined experienced 72 successful cybercrime attacks per week, an increase of nearly 45% from last year. Also, more than 90% of all cybercrime costs were caused by malicious code, denial of service, stolen devices and web-based attacks.

This year’s cybercrime report is based on a representative sample of 50 organizations in various industry sectors, compared to 45 organizations in last year’s study. The annual cost of cybercrime in the 2011 report ranged from $1.5 million to $36.5 million per organization. Ponemon said that the average headcount for the organizations in the study is between 5,000 and 10,000 people.

“Organizational cost is associated with security posture. We measure that by a metric called the security effectiveness score. What we found was that the stronger the security effectiveness score, the lower the total cost of cybercrime”, Ponemon said.

The Ponemon Institute developed the security effectiveness score (SES) with PGP Corporation to define the security posture of organizations. The SES is derived from the rating of 24 security features or practices.

On an annualized basis, information theft accounts for 40% of total external costs from cybercrime (down 2% from 2010). Costs associated with disruption to business or lost productivity account for 28% of external costs (up 6% from 2010).

The study found that recovery and detection are the most costly internal activities resulting from cybercrime. The report noted that this highlights a cost-reduction opportunity for organizations that are able to automate detection and recovery through security technologies, such as security information and event management (SIEM) products.

Based on the number of enterprise seats, the report determined that smaller-sized organizations incur a significantly higher per capita cost from cybercrime than larger-sized organizations ($1,088 versus $284).

“Organizational size does matter. The larger organizations on an absolute basis are incurring a larger cost relatively speaking, but when you adjust for the number of enterprise seats, called a per capita analysis, we see that smaller organizations are incurring a much larger per capita cost”, Ponemon noted.

The report also found that the average annualized cost of cybercrime appears to vary by industry segment, where defense, utilities and energy, and financial service companies experience higher costs than organizations in retail, hospitality and consumer products.
