The Second Annual Cost of Cyber Crime Study, sponsored by ArcSight, an HP company, is based on a representative sample of 50 organizations in various industry sectors. While the research focused on organizations located in the United States, many are multinational corporations. For consistency purposes, the benchmark sample consists of only larger-sized organizations (i.e., more than 700 enterprise seats).
Despite widespread awareness of the impact of cyber crime, cyber attacks continue to occur frequently and result in serious financial consequences for businesses and government institutions. Key takeaways from this report include:
- Cyber crimes can do serious harm to an organization’s bottom line. The study found that the median annualized cost of cyber crime for the organizations in the study is $5.9 million per year, with a range of $1.5 million to $36.5 million each year per company. This represents an increase in median cost of 56 percent from the first cyber cost study published last year.
- Cyber attacks have become common occurrences. The companies in the study experienced 72 successful attacks per week and more than one successful attack per company per week. This represents an increase of 44 percent from last year’s successful attack experience.
- The most costly cyber crimes are those caused by malicious code, denial of service, stolen devices and Web-based attacks. Mitigation of such attacks requires enabling technologies such as SIEM and enterprise governance, risk management and compliance (GRC) solutions.
Similar to last year, the purpose of this benchmark research is to quantify the economic impact of cyber attacks and observe cost trends over time. ArcSight believes that a better understanding of the cost of cyber crime will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the devastating consequences of an attack.
The results below come from a survey on the cost of cyber attacks, sponsored by ArcSight, an HP company, and conducted by the Ponemon Institute.
Cyber crimes continue to be very costly for organizations. ArcSight found that the median annualized cost for the 50 benchmarked organizations is $5.9 million per year, with a range from $1.5 million to $36.5 million each year per company. Last year’s median cost per benchmarked organization was $3.8 million, so the researchers observed a $2.1 million (56 percent) increase in median values.
Cyber crime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, ArcSight determined that smaller-sized organizations incur a significantly higher per capita cost than larger-sized organizations ($1,088 versus $284).
Cyber crimes are intrusive and common occurrences. The companies participating in the study experienced 72 successful attacks per week – or more than 1.4 successful attacks per organization. When compared to last year’s study, this represents a 44 percent increase in successful attacks experienced by organizations.
The most costly cyber crimes are those caused by malicious code, denial of service, stolen or hijacked devices and malicious insiders. These account for more than 90 percent of all cyber crime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM and enterprise GRC solutions.
Cyber attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. The average time to resolve a cyber attack is 18 days, with an average cost to participating organizations of $415,748 over this 18-day period. This represents a 67 percent increase from last year’s estimated average cost of $247,744, which was compiled over a 14-day period. Results show that malicious insider attacks can take more than 45 days on average to contain.
Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. On an annualized basis, information theft accounts for 40 percent of total external costs (down two percent from 2010). Costs associated with disruption to business or lost productivity account for 28 percent of external costs (up six percent from 2010). Recovery and detection are the most costly internal activities. On an annualized basis, recovery and detection combined account for 45 percent of the total internal activity cost with cash outlays and labor representing the majority of these costs.
Enterprise deployment of SIEM makes a difference. The cost of cyber crime is moderated by the use of SIEM technologies. ArcSight found a percentage cost difference between SIEM and non-SIEM companies of 24 percent. Findings suggest companies using SIEM were better able to quickly detect and contain cyber crimes than companies not using SIEM. As a result, SIEM companies experienced a substantially lower cost of recovery, detection and containment than non-SIEM companies. In addition, SIEM companies were more likely to recognize the existence of advanced persistent threats (APTs) than non-SIEM companies.
All industries fall victim to cyber crime, but to different degrees. The average annualized cost of cyber crime appears to vary by industry segment, where defense, utilities and energy, and financial service companies experience higher costs than organizations in retail, hospitality and consumer products.
A strong security posture moderates the cost of cyber attacks. ArcSight utilized a well-known metric called the Security Effectiveness Score (SES) to define an organization’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organization is in achieving its security objectives. The average cost to mitigate a cyber attack for organizations with a high SES is substantially lower than for organizations with a low SES.
Enterprise deployment of GRC practices moderates the cost of cyber crime. Findings suggest companies that have implemented GRC practices experience a lower cost of cyber crime than those that have not implemented these practices. Specifically, the percentage difference in average cost of cyber crime reported for GRC companies is 38 percent higher than for non-GRC companies.