According to a Ponemon Institute study released October 2013 titled 2013 Cost of Cyber Crime Study: United States, the costs associated with cybercrime are increasing dramatically. The study, sponsored by HP Enterprise Security, gathered and reviewed data, across a range of industries, from 60 companies with more than 1,000 employees directly connected to the Internet. The data indicates that the average annualized cost borne by these companies due to cybercrime was $11.6 million. This represents a 26% increase from the previous year’s $8.9 million figure.
The rise in costs is directly attributable to the increase in cybercrimes. The surveyed companies were victims of 122 successful attacks per week, up from the previous year’s 102 successful attacks, an 18% increase. Most of the attacks were in the form of viruses, worms, and trojans; malware; botnets; web-based attacks; and distributed denial of service attacks. The most costly were distributed denial of service attacks, insider cybercrimes, and web-based attacks.
The costs associated with remediating the damage from these attacks were both direct and indirect. Direct costs were technology related, including such things as detection, investigation, containment, recovery, and ex-post response (minimizing future attacks). The most devastating costs were the indirect costs related to information loss or theft, business disruption, equipment damage, lost revenue, fines associated with data breaches, and litigation.
Not surprisingly, the study finds that both direct and indirect costs mount as a cybercrime remains undetected or unmitigated. The average time to terminate a cyber attack was 32 days with an average cost of $1,035,769 incurred by the company.
The news is not all bad. The Ponemon study finds that companies can take proactive measures to minimize their cyber risks and thus decrease their losses from cybercrime. First, the use of security intelligence systems such as security information and event management software greatly decreased the time it took to detect an attack, resulting in an average savings of nearly $4 million. Second, companies investing in well-trained cybersecurity experts experienced an average savings of $1.5 million.
Cybercrime is costly and on the rise. Companies failing to invest in adequate security software and hardware, as well as cybersecurity experts, are likely to suffer even greater losses to their business and to their company brand.