The results of the HP Enterprise Security sponsored Ponemon 2014 Global Report on the Cost of Cyber Crime are summarised below.
During the period they conducted interviews and analysed the findings, mega cybercrimes took place. Most notable was the Target cyber breach, which was reported to result in the theft of 40 million payment cards.
More recently, Chinese hackers launched a cyber attack against Canada’s National Research Council as well as commercial entities in Pennsylvania, including Westinghouse Electric Company, U.S. Steel and the United Steel Workers Union. Russian hackers recently stole the largest collection of Internet credentials ever: 1.2 billion user names and passwords, plus 500 million email addresses. While the companies represented in this research did not have cyber attacks as devastating as these were, they did experience incidents that were expensive to resolve and disruptive to their operations.
For purposes of this study, they refer to cyber attacks as criminal activity conducted via the Internet. These attacks can include stealing an organisation’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure.
The study’s goal is to quantify the economic impact of cyber attacks and observe cost trends over time. They believe a better understanding of the cost of cybercrime will assist organisations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.
Approximately 10 months of effort is required to recruit companies, build an activity-based cost model to analyse the data, collect source information and complete the analysis.
For consistency purposes, the benchmark sample consists of only larger sized organizations (i.e. more than 1,000 enterprise seats). The study examines the total costs organizations incur when responding to cybercrime incidents. These include the costs to detect, recover, investigate and manage the incident response. Also covered are the costs that result in after-the-fact activities and efforts to contain additional costs from business disruption and the loss of customers. These costs do not include the plethora of expenditures and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations.
Global at a glance
This year’s annual study was conducted in the United States, United Kingdom, Germany, Australia, Japan, France and for the first time, the Russian Federation, with a total benchmark sample of 257 organizations. Country-specific results are presented in seven separate reports.
The estimated average cost of cybercrime for seven country samples involving 257 separate companies, with comparison to last year’s country averages. Cost figures are converted into U.S. dollars for comparative purposes.
There is significant variation in total cybercrime costs among participating companies in the benchmark samples. The US sample reports the highest total average cost at $12.7 million and the Russian sample reports the lowest total average cost at $3.3 million. It is also interesting to note that all six countries experienced a net increase in the cost of cybercrime cost over the past year, ranging from 2.7% for Japan to 22.7% for the United Kingdom. The percentage net change between FY 2014 and FY 2013 (excluding Russia) is 10.4%.
Summary of global findings
Following are the most salient findings for a sample of 257 organizations requiring 2,081 separate interviews to gather cybercrime cost results. In several places in this report, they compare the present findings to last year’s average of benchmark studies.
Cybercrimes continue to be on the rise for organizations. They found that the mean annualized cost for 257 benchmarked organizations is $7.6 million per year, with a range from $0.5 million to $61 million per company each year. Last year’s mean cost for 235 benchmarked organizations was $7.2 million. They observe a 10.4% net change from last year (excluding the Russian sample).
Cybercrime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, they determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,601 versus $437).
All industries fall victim to cybercrime, but to different degrees. The average annualized cost of cybercrime appears to vary by industry segment, where organizations in energy & utilities and financial services experience substantially higher cybercrime costs than organizations in media, life sciences and healthcare.
The most costly cybercrimes are those caused by malicious insiders, denial of services and web-based attacks. These account for more than 55% of all cybercrime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, applications security testing solutions and enterprise GRC solutions.
Cyber attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e. modern day attacks).
The average time to contain a cyber attack was 31 days, with an average cost to participating organizations of $639,462 during this 31-day period. This represents a 23% increase from last year’s estimated average cost of $509,665, which was based upon a 27-day remediation period. Results show that malicious insider attacks can take more than 58 days on average to contain.
Business disruption represent the highest external cost, followed by the costs associated with information loss. On an annualized basis, business disruption accounts for 38% of total external costs, which include costs associated with business process failures and lost employee productivity.
Detection is the most costly internal activity followed by recovery. On an annualized basis, detection and recovery costs combined account for 53% of the total internal activity cost with cash outlays and direct labour representing the majority of these costs.
Activities relating to IT security in the network layer receive the highest budget allocation. In contrast, the host layer receives the lowest funding level.
Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber attacks. As a result, these companies enjoyed an average cost savings of $2.6 million when compared to companies not deploying security intelligence technologies.
A strong security posture moderates the cost of cyber attacks. They utilise Ponemon Institute’s proprietary metric called the Security Effectiveness Score (SES) Index to define an organization’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organization is in achieving its security objectives. The average cost to mitigate a cyber attack for organizations with a high SES is substantially lower than organizations with a low SES score.
Companies deploying security intelligence systems experienced a substantially higher ROI (at 23%) than all other technology categories presented. Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (20%) and advanced perimeter controls such as UTM, NGFW, IPS with reputation feeds (19%).
Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at $1.3 million for employing expert personnel and $1.1 million for achieving certification against industry-leading standards.
In this section, we provide an analysis of the key findings organized according to the following topics:
- The average cost of cybercrime by organizational size and industry
- The type of attack influences the cost of cyber crime
- An analysis of the cost components of cyber crime
The average cost of cybercrime by organizational size and industry
To determine the average cost of cybercrime, the 257 organizations in the study were asked to report what they spent to deal with cybercrimes experienced over four consecutive weeks. Once costs over the four-week period were compiled and validated, these figures were then grossed-up to determine the annualized cost.
The total annualized cost of cybercrime in 2014 ranges from a low of $.56 million to a high of $60.5 million. The median annualized cost of cybercrime in the benchmark sample is $6.0 million, an increase from last year’s median value of $5.5. The mean value is $7.6 million. This is an increase of $357,761 from last year’s mean of $7.2 million. Please note the percentage net change from last year’s mean for six countries is 10.4%.
As can be seen, 86 companies in our sample incurred total costs above the mean value of $7.6 million, thus indicating a skewed distribution. The highest cost estimate of $61 million was determined not to be an outlier based on additional analysis. A total of 171 organizations experienced an annualized total cost of cybercrime below the mean value.
As part of our analysis they calculated a precision interval for the average cost of $7.6 million. The purpose of this interval is to demonstrate that our cost estimates should be thought of as a range of possible outcomes rather than a single point or number.
The range of possible cost estimates widens at increasingly higher levels of confidence. Specifically, at a 90% level of confidence they expect the range of cost to be between $7.2 million to $7.9 million.
Certain attacks are more costly based on organizational size. The study focuses on 9 different attack vectors as the source of the cybercrime. They compare smaller and larger-sized organizations based on the sample median of 8,509 seats. Smaller organizations (below the median) experience a higher proportion of cybercrime costs relating to web-based attacks, viruses, worms, Trojans and other malware.
In contrast, larger organizations (above the median) experience a higher proportion of costs relating to denial of services, malicious code and malicious insiders. In the context of this research, malicious insiders include employees, temporary employees, contractors and, possibly other business partners. They also distinguish viruses from malware. Viruses reside on the endpoint and as yet have not infiltrated the network but malware has infiltrated the network. Malicious code attacks the application layer and includes SQL attack.
The cost of cybercrime impacts all industries. The average annualized cost of cybercrime appears to vary by industry segment. In this year’s study they compare cost averages for 17 different industry sectors. The cost of cybercrime for companies in energy & utilities, financial services and technology experienced the highest annualized cost. In contrast, companies in media, life sciences and healthcare incurred much lower cost on average.
The type of cyber-attack influences the cost of cyber crime
In our studies they look at 9 different attack vectors as the source of the cybercrime. This year, the benchmark sample of 257 organizations experienced 429 discernible cyber-attacks or 1.6 attacks per company each week. The list below shows the number of successful attacks for the past three years, which has steadily increased.
- FY 2014, 429 attacks in 257 organizations or 1.7 successful attacks per company each week
- FY 2013, 343 attacks in 234 organizations or 1.4 successful attacks per company each week
- FY 2012, 262 attacks in 199 organizations or 1.3 successful attacks per company each week
Virtually all organizations had attacks relating to viruses, worms and/or Trojans and malware over the four-week benchmark period. Malware attacks and malicious code attacks are inextricably linked. They classified malware attacks that successfully infiltrated the organizations’ networks or enterprise systems as a malicious code attack.
59% experienced botnets and 58% experienced web-based attacks. Denial of service attacks and stolen devices were experienced by 49% of companies. Only 35% of companies say a malicious insider was the source of the cybercrime.
Costs vary considerably by the type of cyber-attack. The benchmark results for seven countries, showing the proportion of annualized cost of cybercrime allocated to 9 attack types compiled from all benchmarked organizations.
With respect to web-based attacks, the percentage annualized costs seem to be fairly consistent ranging from a low of 13% for Australia to 19% of Japan and Russia. For denial of services, they see a low of 8% for France and a high of 25% for the United Kingdom. In the case of malicious insiders, they see a low of 6% for Germany and a high of 21% for Japan. Finally, the cost of malware has a low of 6% for the US and Japan and a high of 17% of the Russian Federation.
The cost of cybercrime is also influenced by the frequency of attacks. The most to least expensive cyber-attacks when analysed by the frequency of incidents. The most expensive attacks are malicious insiders, denial of service, web-based attacks and malicious code. Malware attacks are most frequently encountered and, hence, represent a relatively low unit cost.
Time to resolve or contain cybercrimes increases the cost. The mean number of days to resolve cyber attacks is 31 with an average cost of $20,758 per day, or a total cost of $639,462 over the 31 day remediation period. This represents a 23% increase from last year’s cost estimate of $509,665 over a 27-day remediation period. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e., modern day attacks).
Some attacks take longer to resolve and as a result are more costly. The time it takes to resolve the consequences of the attack increases the cost of a cybercrime. The analysis reveals that the average days to resolve cyber attacks for 9 different attack types studied in this report. It is clear from this chart that it takes the most amount of time, on average, to resolve attacks from malicious insiders, malicious code and web-based attackers (hackers). Malware, botnets and viruses on average are resolved relatively quickly (i.e., in a few days or less).
An analysis of the cost components of cyber crime
Information theft remains the most expensive consequence of a cybercrime. In this research they look at four primary consequences of a cyber attack: business disruptions, the loss of information, loss of revenue and damage to equipment. Among the organizations represented in this study, business disruption represents the largest cost component (38%). The cost of business disruption includes diminished employee productivity and business process failures than happen after a cyber attack. Information and revenue loss follow at 35% and 22%, respectively.
Companies spend the most on detection and recovery. Cybercrime detection and recovery activities account for 53% of total internal activity cost. This is followed by containment and investigation cost (both at 15%. Detection and recovery cost elements highlight a significant cost-reduction opportunity for organizations that are able to systematically manage recovery and to deploy enabling security technologies to help facilitate the detection process.
The largest portion of the security budget is allocated to the network layer. The network layer receives the highest allocation at 33% of total dedicated IT security funding. At only 7%, the host layer receives the lowest funding level.
The organization’s security posture influences the cost of cybercrime. We measure the security posture of participating organizations as part of the benchmarking process. The annualized cost and regression of companies in descending order of their security effectiveness as measured by the SES.
The figure shows an upward sloping regression, suggesting that companies with a stronger security posture experience a lower overall cost. The SES range of possible scores is +2 (most favourable) to -2 (least favourable). Compiled results for the present benchmark sample vary from a high of +1.90 to a low of -1.7 with an SES mean value at .31.
Organizations deploying security intelligence technologies realize a lower annualized cost of cybercrime. The average amount of money companies can save with SEIM in the 6 activities conducted to resolve the cyber attack. The figure compares companies deploying and not deploying security intelligence systems. In total, 124 companies (48%) deploy security intelligence tools such as SIEM, IPS with reputation feeds, network intelligence systems, big data analytics and others.
With two exceptions (investigative and incident management costs), companies using security intelligence systems experience lower activity costs than companies that do not use these technologies. The largest cost differences in millions pertain to detection ($2.83 vs. $1.63), recovery ($1.77 vs. $1.13) and containment ($1.59 vs. $.94) activities, respectively.
Security intelligence systems have the biggest return on investment. The estimated return on investment (ROI) realized by companies for each one of the 7 categories of enabling security technologies indicated above. At 23%, companies deploying security intelligence systems, on average, experience a substantially higher ROI than all other technology categories in this study.
Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (20%) and advanced perimeter controls such as UTM, NGFW, IPS with reputation feeds and more (19%). The estimated average ROI for all 7 categories of enabling security technologies is 15%.
Certain governance activities can reduce the cost of cybercrime. The top three governance activities are: certification against industry-leading standards, appointment of a high-level security leader (CISO) and employment of expert security personnel.
Find the full study here.