Conducted by the Ponemon Institute, the second annual Cost of Cyber Crime study1 reveals that the median annualised cost of cyber crime incurred by a benchmark sample of organisations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organisation.
This represents an increase of 56% from the median cost reported in the inaugural study published in July last year.
The 2011 study finds that recovery and detection are the most costly internal activities, highlighting a significant cost reduction opportunity for organisations able to automate detection and recovery through enabling security technologies.
“Instances of cyber crime have continued to increase in both frequency and sophistication, with the potential impact to an organisation’s financial health becoming more substantial,” explained Tom Reilly, vice-president and general manager for enterprise security at Hewlett-Packard.
“Organisations in the most targeted industries are reducing the impact by leveraging security and risk management technologies,” he continued, “which is grounds for optimism in what continues to be a fierce fight against cybercrime.”
72 successful cyber attacks per week
Cyber attacks, of course, have become common occurrences. Over a four-week period, the organisations surveyed experienced 72 successful attacks per week (an increase of nearly 45% from last year).
More than 90% of all cyber crime costs were caused by malicious code, denial of service, stolen devices and web-based attacks.
One of many benefits resulting from the Cost of Cyber Crime study is that it provides a valuable insight into the level of investment and resources needed to prevent or mitigate the consequences of a cyber attack.
This time around, there are a couple of key findings. First, cyber attacks can be costly if not resolved quickly. The average time taken to resolve a cyber attack is 18 days, with an average cost to participating organisations of nearly $416,000.
This represents a nigh on 70% increase from the estimated cost of $250,000 over a 14-day resolution period in last year’s study.
Results also showed that malicious insider attacks can take more than 45 days to contain.
Second, deploying advanced security intelligence and risk management solutions can mitigate the impact of cyber attacks. Organisations that had deployed security information and event management (SIEM) solutions realised cost savings of nearly 25% resulting from an enhanced ability to quickly detect and contain cybercrimes.
As a result, these organisations experienced a substantially lower cost of recovery, detection and containment than those organisations that had not deployed SIEM solutions.
Economic consequences also on the rise
“As the sophistication and frequency of cyber attacks increases, so too will the economic consequences,” explained Dr Larry Ponemon, chairman and founder of the Ponemon Institute.
“Figuring out how much to invest in security starts with understanding the real cost of cyber crime.”
As a company, Hewlett-Packard enables risk management through the Security Intelligence and Risk Management Framework which helps businesses and Governments in their pursuit of an Instant-On Enterprise.
In a world of continuous connectivity, the Instant-On Enterprise embeds technology in everything it does to serve customers, employees, partners and citizens with whatever they need on an instant basis.
Global IT association ISACA commends the Ponemon Institute’s latest Cost of Cybercrime report for the detail it provides on the indirect costs of IT security attacks, as well as the news that organisations are focusing more resources on their security forensics and detection methodologies.
According to the Ponemon report, early detection security technologies can help reduce costs if they are deployed properly and monitored.
“More than anything, this strengthens our ongoing commitment at ISACA to educate business professionals on the need for security planning and, by implication, enterprise governance of IT,” said Rolf von Roessing CISA CISM CGEIT, a member of ISACA’s COBIT Security Task Force.
“With nearly 100,000 members, our not-for-profit information security, assurance and governance association is well placed to provide the education that is required to improve the governance, risk management and compliance requirements that this report identifies as being central to countering the costly problem of cyber crime,” he added.
Issues central to ISACA’s strategy
von Roessing went on to say that these issues are central to ISACA’s strategy with its globally respected COBIT framework, Version 5 of which is available for public exposure through 18 September (www.isaca.org/cobit5exposure).
COBIT, he explained, is a supporting tool set that allows managers to bridge the gap among control requirements, value creation, technical issues and business risks in their organisation.
Part of the framework’s benefits, said von Roessing, is that it delivers the most up-to-date thinking in enterprise governance and security management.
Enterprises of all sizes around the world have implemented COBIT to help manage their IT-related risks and increase their levels of confidence in the information.
“COBIT supports the development of clear policies and good practice for management, as well as increasing the value they achieve from their IT and compliance,” explained von Roessing, before adding that the just-issued Ponemon report confirms the need for networking intelligence, security event management, governance, risk management and compliance.
At the same time, the report identifies the downward pressure on costs associated with these vital security activities in the enterprise environment. This is where the COBIT advantage enters the frame, since it allows management to plan and deploy their security systems and technologies in the most effective manner possible.
According to von Roessing, any organisation can throw unlimited money and resources at a problem and potentially lose a lot. However, deploying effective information security with a reasonable cost-benefit ratio requires more than that: planning and, by implication, effective governance and risk management.
“COBIT can greatly assist in this regard. It has built tremendous credibility through the collaborative development process that brings together the talents and expertise of security industry leaders around the world,” he said.
“COBIT 5 will build and expand on COBIT 4.1 by connecting with other major frameworks, standards and resources, and integrating other ISACA guidance – including Val IT, Risk IT, the IT Assurance Framework and the Business Model for Information Security (BMIS) – into one cohesive and comprehensive picture,” he added.
“It will help enterprises ensure they can have trust in, and obtain value from, their information systems.”
Additional details are available at www.arcsight.com/webinars/watch/2nd-annual-cost-of-cyber-crime-findings/ (see below for a dedicated web link)
1The study reflects the results of interviews with a representative sample of data protection and IT security practitioners from 50 benchmark corporations across various industry sectors
