- With the cost of cyber crime going up along with the amount of time it takes to contain an attack, organizations should rethink their security spending priorities to focus more on incident detection and response.
- Assessing your security posture and making appropriate adjustments can help lower cyber crime costs.
The 2014 Global Cost of Cyber Crime Report came out this week, and the news is not good. But that shouldn’t be a surprise, given that about once a week now there is yet another headline announcing the latest big breach. And they seem to get bigger: 40 million customers affected in the Target breach in late 2013, 56 million in the Home Depot breach in mid-2014. The study, conducted by Ponemon Institute and sponsored by HP Enterprise Security, found that the annual cost of cybercrime increased nearly 100% over the five years the study has been conducted. The study looked at 257 large companies (with 1,000 or more endpoints) in seven countries, and it found that the average annual cost of a breach is $7.6 million, with a range from $0.5 million to $60.5 million. But what’s interesting is that the cost of cybercrime is higher for U.S. companies. A benchmark sample of U.S. companies found that the average cost per organization now stands at $12.7 million. Russian companies were added to the study this year, and they incurred the lowest cost – $3.3 million on average.
So what’s the rest of the bad news? The number of successful attacks per year per company increased 144% from 2010 to 2014, from 50 up to 122. The average number of successful attacks per company per week rose to 1.7. The average cost to resolve a single attack rose 9% from $1.1 million in 2013 to $1.6 million in 2014. And the time it takes to contain a cyber attack is now 31 days, although that varies by attack method. It can take an average of 58 days to contain an attack carried out by a malicious insider. This finding highlights the need for organizations to increase their focus on incident response.
There are several key takeaways from the study that help shed light on how organizations prioritize their security spending. First, the longer it takes to contain a successful attack, the more costly it is. Too many organizations have taken a myopic view of incident response and containment, although that is starting to change. In addition, organizations with a better security posture experience lower overall costs for cyber crime. Investing time and money into assessing your company’s security posture and taking the necessary steps to strengthen it could ultimately lead to cost savings. The study also suggests that organizations that deploy security intelligence technologies (aka SIEM systems) have lower annual cyber crime costs. Of course, this is self-serving for study sponsor HP, given its dominant position in that market segment. But the more you know about your attackers and their methods, the more effectively you can protect your organization. SIEM systems can help with that, but there are also other technologies and threat information sharing services that can help you gain that knowledge.