HP has unveiled the results from its fifth annual study in partnership with the Ponemon Institute detailing the rising cost, frequency and time to resolve cyber-attacks.
Conducted by the Ponemon Institute and sponsored by HP Enterprise Security, the 2014 Cost of Cyber Crime Study found the average annualised cost of cybercrime incurred by a benchmark sample of US organisations was $12,7-million, representing a 96% increase since the study was initiated five years ago.
The results also revealed the time it takes to resolve a cyber-attack has increased by 33% during this same period, with the average cost incurred to resolve a single attack totalling more than $1,6-million.
During the study period, significant cybercrimes occurred in the US involving the theft of millions of payment cards, Internet credentials, intellectual property and online bank accounts.
According to the 2014 Cost of Cyber Crime Study, advanced security intelligence tools such as Security Information and Event Management (SIEM) solutions, Intrusion Prevention Systems (IPS) with reputation feeds, network intelligence systems and big data analytics help organisations detect and contain cyber-attacks resulting in significant reductions in the annualised cost of cybercrime.
“Adversaries only need to be successful once to gain access to your data, while their targets must be successful every time to stop the barrage of attacks their organisations face each day,” says Art Gilliland, senior vice-president and GM: Enterprise Security Products at HP.
“No amount of investment can completely protect organisations from highly sophisticated cyber-attacks, but improving and prioritising your organisation’s ability to disrupt the adversary with actionable intelligence solutions such as SIEM, can significantly improve attack containment and reduce the overall financial impact.”
Key findings from the 2014 Cost of Cyber Crime Study include:
- Cyber crimes continue to be very costly: The average annualised cost of cybercrime incurred was $12,7-million, with a range of $1,6-million to $61-million; an increase of 9% or $1,1-million over the average cost reported in 2013.
- Cyber crimes are intrusive and common: Organisations experienced a 176% increase in the number of cyber attacks, with an average of 138 successful attacks per week, compared to 50 attacks per week when the study was initially conducted in 2010.
- Cyber crimes require more time to resolve:The average time to detect a malicious or criminal attack by a global study sample of organisations was 170 days. The longest average time segmented by type of attack was 259 days, and involved incidents concerning malicious insiders. The average time to resolve a cyber attack once detected was 45 days, while the average cost incurred during this period was $1,593,627 – representing a 33% increase over last year’s estimated average cost of $1,035,769 for a 32-day period.
- Cyber crimes impact all industries:Of the 17 industries included in the study, all reported to have been impacted by cyber crime, and in the US, the highest annual cost per organisation was reported in the Energy & Utilities and Defense industries. The average annualised cost per company in the Energy & Utilities, Technology and Retail sectors rose most significantly in the US when compared to average annualised cost over the five years the study has been published. The retail sector alone has more than doubled when compared to average cost over the five year period.
The most costly cyber crimes are those caused by denial of services, malicious insiders and malicious code. These account for more than 55% of all cyber crime costs per organisation on an annual basis.
Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. On an annual basis, information theft accounts for 40% of total external costs (down 2% from the five-year average), while costs associated with disruption to business or lost productivity account for 38% of external costs (up 7% from the five-year average).
Recovery and detection are the most costly internal activities, accounting for 49% of the total annual internal activity cost with cash outlays and direct labour representing the majority of these costs.
Organisations using security intelligence technologies were more efficient in detecting and containing cyber attacks. For those having deployed a SIEM solution, the average cost savings was $5,3-million per year, a 32% increase in savings from last year. Organisations with technologies such as an Intrusion Prevention System (IPS) and Next-generation Firewall (NGFW) boasted a 15% ROI result.
“Business disruption, information loss and the time it takes to detect a breach collectively represented the highest cost to organisations experiencing a breach,” says Dr Larry Ponemon, chairman and founder, Ponemon Institute. “Based on more than 2,000 interviews, the annual Cost of Cyber Crime research continues to provide valuable insights into the rising cost of cyber attacks to help organisations across all industries understand the serious financial impact that can result if measures are not taken to put solutions, process and expertise in place to minimise risk.”