Security Experts:

Cybercrime Costs Jump for Enterprises as Attackers Circle

Crime may not always pay, but it is always costly.

At least that is the case for companies in the U.S., according to a new HP-commissioned report from the Ponemon Institute. In an analysis of attacks impacting 56 sample companies during the first seven months of the year, researchers discovered the financial impact of cyber attacks has increased nearly 40 percent since 2010.

"We found that the average annualized cost of cyber crime for 56 organizations in our study is $8.9 million per year, with a range of $1.4 million to $46 million," the authors wrote in the report. In 2011, the average annualized cost was $8.4 million. This represents an increase in cost of 6 percent or $500,000 from the results of our cyber cost study published last year."

The cost of cybercrime in the United States was the higher than Japan, Germany, Australia and the United Kingdom. This may in part be due to companies in the U.S. and Germany – which has the second highest cost – reporting higher levels of data loss as a result of attacks when compared to the other countries.  

The study also revealed a 44 percent increase in the number of cyber attacks, with organizations experiencing an average of 102 successful attacks per week compared to 72 attacks a week in 2011 and 50 per week in 2010.

“There is no question that organizations must elevate their ability to proactively detect and combat cyber crime or increasingly spend time, money and energy responding to attacks,” said Michael Callahan, HP's vice president of worldwide product and solution marketing, Enterprise Security Products, in a statement. “This study provides significant evidence to show that the deployment of advanced security intelligence solutions substantially help to reduce the cost, frequency and impact of these attacks.”

The most costly cybercrimes continue to be those caused by malware, denial of service (DoS), stolen or hijacked devices and malicious insiders. All together, these factors combined account for more than 90 percent of cybercrime costs per organization annually.  

"Attacks that involved insiders (employees, contractors and others) were the most expensive in our study," Dr. Larry Ponemon, chairman of the Ponemon Institute, told SecurityWeek. "In general, these costs are associated with higher detection, investigation (including forensics) and remediation activities when compared to other attacks. Secondly, the time to resolve an incident involving malicious insiders took much longer than other cyber crimes." 

Not surprisingly, the longer it takes to resolve a cyber attack, the more it costs. The average time to resolve a cyber attack is 24 days, with an average cost of $24,475 per day. Attacks involving malicious insiders take the longest to resolve, with organizations taking an average of 57 days to resolve them.

"In the context of our study," Ponemon said, "resolution means all aspects or artifacts of the attack were removed from infected devices, applications and enterprise systems. This includes data hygiene activities necessary to restore information contaminated by the attack. (It) does not include reputation-related damages."

While recovery and detection remain the most costly internal activities associated with cybercrime, information theft and business disruption also continued to be the highest areas of external costs. On an annual basis, information theft accounts for 44 percent of total external costs, an increase of four percent in 2011.

"Business disruption includes partial downtime that prevented employees/end-users from accessing certain applications such as corporate email," Ponemon said. "Costs also include well as tech time dedicated to fixing/restoring the system. Security intelligence and Anti DDNS (denial of service) tools appear to be very helpful in pinpointing and mitigating attacks against corporate systems."