The results of the Ponemon 2012 Cost of Cyber Crime Study for the United States, United Kingdom, Germany, Australia and Japan. For the purposes of this post I have summarised the United States and the United Kingdom.

The study, sponsored by HP Enterprise Security, focused on organizations located in the United States and the United Kingdom many are multinational corporations.

Cyber-attacks generally refer to criminal activity conducted via the Internet. These attacks can include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure. Consistent with the previous two studies, the loss or misuse of information is the most significant consequence of a cyber-attack. Based on these findings, organizations need to be more vigilant in protecting their most sensitive and confidential information. 

  • The median annualised cost for 38 UK benchmarked organisations is £2.1 million per year, with a range from £.4 million to £7.7 million each year per company.
  • The median annualized cost for 56 US benchmarked organizations is $8.9 million per year, with a range from $1.4 million to $46 million each year per company. 

UK Summary

Cybercrimes are costly. The study found that the median annualised cost for 38 benchmarked organisations is £2.1 million per year, with a range from £.4 million to £7.7 million each year per company. 

Cybercrime cost varies by organisational size. Results reveal a positive relationship between organisational size (as measured by enterprise seats) and annualised cost. However, based on enterprise seats, Ponemon determined that smaller-sized organisations incur a significantly higher per capita cost than larger-sized organisations (£399 versus £89). 

All industries fall victim to cybercrime, but to different degrees. The average annualised cost of cybercrime appears to vary by industry segment, where defence, utilities and energy and financial service companies experience higher costs than organisations in hospitality, retail and education. 

Cybercrimes are intrusive and common occurrences. The companies participating in our study experienced 41 successful attacks per week, or about 1.1 successful attacks per organisation. 

The most costly cybercrimes are those caused by malicious insider, denial of service and malicious code. These account for more than 44% of all cybercrime costs per organisation on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing solutions and enterprise GRC solutions. 

Cyber-attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organisational cost. The average time to resolve a cyber-attack was 24 days, with an average cost to participating organisations of £135,744 over this 24-day period. Results show that malicious insider attacks can take more than 50 days on average to contain. 

Disruption to business processes and revenue losses represent the highest external costs. This is followed by theft of information assets. On an annualised basis, disruption to business or lost productivity account for 38% of external costs. Costs associated with revenue losses and theft of information assets represents 53% of external costs. 

Recovery and detection are the most costly internal activities. On an annualised basis, recovery and detection combined account for 55% of the total internal activity cost with cash outlays and labour representing the majority of these costs. 

Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber-attacks. As a result, these companies enjoyed an average cost savings of £.4 million when compared to companies not deploying security intelligence technologies. 

Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that have adequate resources, appoint a high-level security leader, and employ certified or expert staff experience cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at more than £.3 million, on average. 

A strong security posture moderates the cost of cyber-attacks. Ponemon utilize a well-known metric called the Security Effectiveness Score (SES) to define an organisation’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organisation is in achieving its security objectives. The average cost to mitigate a cyber-attack for organisations with a high SES is substantially lower than organisations with a low SES score.

Summary of US findings

Cybercrimes continue to be very costly for organizations. Ponemon found that the median annualized cost for 56 benchmarked organizations is $8.9 million per year, with a range from $1.4 million to $46 million each year per company. Last year’s median cost per benchmarked organization was $8.4 million. Ponemon observe a $500,000 (6%) increase in median values. 

Cybercrime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, Ponemon determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,324 versus $305). 

All industries fall victim to cybercrime, but to different degrees. The average annualized cost of cybercrime appears to vary by industry segment, where defence, utilities and energy and financial service companies experience higher costs than organizations in retail, hospitality and consumer products. 

Cybercrimes are intrusive and common occurrences. The companies participating in our study experienced 102 successful attacks per week – or 1.8 successful attacks per organization. In last year’s study, an average of 72 successful attacks occurred per week. 

The most costly cybercrimes are those caused by denial of service, malicious insider and web-based attacks. This account for more than 58% of all cybercrime costs per organization on an annual basis.4 Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, applications security testing solutions and enterprise GRC solutions. 

Cyber-attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. The average time to resolve a cyber-attack was 24 days, with an average cost to participating organizations of $591,780 during this 24-day period. This represents a 42% increase from last year’s estimated average cost of $415,748, which was based upon an 18-day resolution period. Results show that malicious insider attacks can take more than 50 days on average to contain. 

Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. On an annualized basis, information theft accounts for 44% of total external costs (up 4% from 2011). Costs associated with disruption to business or lost productivity account for 30% of external costs (up 1% from 2011). 

Recovery and detection are the most costly internal activities. On an annualized basis, recovery and detection combined account for 47% of the total internal activity cost with cash outlays and labour representing the majority of these costs. 

Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber-attacks. As a result, these companies enjoyed an average cost savings of $1.6 million when compared to companies not deploying security intelligence technologies. 

A strong security posture moderates the cost of cyber-attacks. Ponemon utilize a well-known metric called the Security Effectiveness Score (SES) to define an organization’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organization is in achieving its security objectives. The average cost to mitigate a cyber-attack for organizations with a high SES is substantially lower than organizations with a low SES score. 

Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at more than $1 million, on average. 

UK report is here – registration is required. 

US report is here  – registration is required.

.

Advertisements