The costs that organizations incur as a result of cyber crime has gone up, and so has the time it takes to resolve those attacks, according to a recent study.
Conducted by the Ponemon Institute and sponsored by HP Enterprise Security Products, "2013 Cost of Cyber Crime Study" reveals that the average cost incurred by organizations victimized by cyber crime over a 10-month period is $11.56 million. That marks a 78 percent increase since the study was first completed four years ago.
Of the 60 U.S. organizations interviewed for this year's report, total cyber crime costs ranged between $1.3 million and $58 million, with the average cost to resolve a single incident falling in at just over $1 million – as opposed to just under $600,000 in 2012.
“We just looked at serious attacks that infiltrate systems,” Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazine.com on Monday. Organizations experienced an average 122 attacks per week, he said. "That's a high number. That can morph into big problem.”
But, it is not all bad news. “On the positive side, we see that you can do something about it," Ponemon said. "Companies that have good policies, exercise good controls and use security intelligence tools, reduce the costs. If you're worried about cost, one way to reduce it would be to have the right mix of people and technology.”
For Ponemon, the name of the game is security posture. “Companies that have stronger posture incur a lower cost of cyber crime," Ponemon said. "The reason is that the most costly part is containing the breach, stopping the problem and remediation." He added that companies that have their acts together may not prevent attacks, but do a more effective job when their systems are infiltrated.
Ponemon also addressed the importance of security training for employees, particularly simulated drills that prepare staff to respond to attacks as they are detected.
Meanwhile, increasingly sophisticated attacks – including denial-of-service, malicious insider, and web-based incursions, such as zero-day vulnerabilities – have caused the average time it takes to resolve a cyber crime to shoot up 130 percent in four years, which translates this year to about 32 days before a full recovery, eight days more than in 2012.
One type of attack that throws a wrench in the spokes from a research perspective is the advanced persistent threat (APT), said Ponemon. He explained that organizations sometimes believe they have resolved a threat, when in actuality, it has gone into a dormant phase and shows up again unexpectedly sometime down the line.
When it comes to what is hiking up the cost of cyber crime, Ponemon pointed out that companies view information leakage as the most significant and costly, followed by business disruption and loss of productivity.
“In the study, where there was a $58 million loss, it was a data loss,” Ponemon said. “It was information on a new product for the company." The companies believe that once data is extricated, the value of its product is lost, he added.
Ponemon said that in the short-term, things will get worse before they get better – primarily because the bad guys are highly intelligent and because technology is advancing rapidly.
This year, Ponemon also conducted studies in the United Kingdom, Germany, Australia, Japan and France. The average cost of cyber crime incurred by organizations in the U.S. toppled the runner-up, Germany, by $4 million. Australia was at the bottom, with $3.67 million incurred.