It’s that time of the year: the Ponemon Institute just published their 2014 Global Report on the Cost of Cyber Crime. “Our goal is to quantify the economic impact of cyber attacks and observe cost trends over time,” the report states. “We believe a better understanding of the cost of cybercrime will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.”
Focus on cyber crime in seven countries
The Ponemon Institute added a new country to this year’s survey list. There are now seven countries: the United States, the United Kingdom, Germany, Australia, Japan, France and, new this year, the Russian Federation.
The Ponemon Institute focused on the following cybercrimes:
● Stealing an organization’s intellectual property
● Confiscating online bank accounts
● Creating and distributing viruses on other computers
● Posting confidential business information on the internet
● Disrupting a country’s critical national infrastructure
The Ponemon Institute compiled the following costs accrued by a business battling the above cybercrimes:
● Costs to detect, recover, investigate and manage the incident response
● After-the-fact costs such as business disruption and loss of customers
Ponemon researchers visited 257 companies (each having at least 1,000 seats), completing 2,081 interviews with management personnel. There were 1,717 total attacks used to measure costs, and $7.6 million US was the average annualized cost. The report adds: “Approximately 10 months of effort was required to recruit companies, build an activity-based cost model to analyze the data, collect source information and complete the analysis.”
Overall survey findings
The following slide represents the “total cost” of cyber crime for each of the seven countries along with last year’s totals. Cyber crime cost US businesses more in 2014. The amounts are converted into US dollars (000,000) using Wall Street Journal’s August 1, 2014 currency conversion rates.
Ponemon researchers were interested in what percentage of annualized cyber crime costs were allocated to each of the nine attack types. The next slide depicts their finding:
Summary of global findings
In the report, the Ponemon researchers came up with the following global findings:
Cybercrime increased 10.4% from 2013. There was a 15% average ROI for seven security technologies.
Cybercrime costs varied by organizational size. The researchers divided the company’s annualized cyber-crime cost by the number of seats. The results: smaller organizations had a higher per capita cost ($1,601 versus $437).
All industries fell victim to cybercrime, but to different degrees. Businesses in the power/utilities industry and financial-service providers had higher cybercrime costs than businesses in media, life sciences, and healthcare.
The most costly cybercrimes were those caused by malicious insiders, denial of services and web-based attacks. These three attack vectors accounted for more than 55 percent of all cybercrime costs per company.
The longer it took to resolve a cyber attack, the more it cost. Not surprising. However, what might be surprising is that the average time to contain an attack increased from 23 days to 31 days.
Business disruption represented the highest ancillary cost, followed by costs associated with information loss. The survey looked at four consequences of a cyber attack: business disruption, loss of information, loss of revenue, and damage to equipment. Business disruption led with 38 percent of the annualized costs. Loss of information was second with 35 percent.
Detection was the most costly internal activity followed by recovery. On an annualized basis, detection and recovery costs together accounted for 53 percent of the total internal activity costs.
Deployment of security intelligence systems made a difference. Using security-intelligence systems (including SIEM) afforded significant cost savings because companies could detect cyber attacks sooner, and contain the cyber crime faster. Average savings were 2.6 million dollars.
Deployment of enterprise security governance practices moderated the cost of cybercrime. The survey concluded that companies investing in staff with security experience had lower cybercrime costs. The report mentioned, “Cost savings for companies deploying good security governance practices is estimated at $1.3 million for employing expert personnel and $1.1 million for achieving certification against industry-leading standards.”