A big challenge when attempting to drum up support for investments in information security is demonstrating the cost of data breaches and other cybercrimes. But because very few cyber-attack victims have revealed the costs involved, sizing up the potential financial impact is tough. And that can make it difficult to justify a hefty security investment.
A just-issued study on cybercrime by the Ponemon Institute provides a window into those costs. For the fourth year in a row, Ponemon interviewed 60 large U.S. companies across a range of business sectors. The latest study finds that the net average annualized cost of cybercrime rose 26 percent this year, to $11.6 million per company.
Cyber-attacks are becoming more common: the 60 companies together experienced an average of 122 successful attacks per week in 2013, up 18 percent from 2012. The Ponemon Institute counts an attack as successful only when it results in the infiltration of a company's core network or enterprise system, so these figures exclude attempts that were blocked at the perimeter.
Why Are Costs Up?
I asked Larry Ponemon, chairman and founder of the research institute, why cybercrime costs are rising so rapidly. Beyond the growing number of attacks, he says, a key driver for these companies is likely the increased sophistication of the attacks, which pushes up mitigation and investigation costs. Advanced persistent threats in particular "are very hard to contain," he says.
These days, more companies are conducting forensic investigations, he adds. "We see companies expending lots of resources to try to understand these attacks. The world is awakening to this as a real problem."
The interviews with the 60 companies quantified the direct, indirect and opportunity costs that resulted from the loss or theft of information, disruption to business operations, revenue loss and destruction of property, plant and equipment. In addition, the analysis attempted to capture the total amount spent on detection, investigation, incident response, containment, recovery and after-the-fact response.
Among the most costly cybercrimes are those caused by distributed-denial-of-service attacks, malicious insiders and web-based attacks, according to the study, sponsored by HP Enterprise Security. These three types of attacks account for more than 55 percent of all cybercrime costs for the surveyed organizations.
Ponemon also surveyed companies in Australia, Britain, France, Germany and Japan to compare cybercrime costs globally. The cost to U.S. companies is far greater than the cost to companies based in any of the other five countries.
Bringing Down Costs
So what can be done to bring down the financial impact of cybercrime? Ponemon argues that improved breach detection is as important as breach prevention. "Many attacks are subtle, stealthy and probably will beat your system," he contends. "Make sure your [detection systems] allow you to recognize an attack quickly."
Quicker detection means quicker remediation, and therefore lower costs, he argues.
The survey shows that organizations with good security governance practices generally have lower costs. Those practices include investing in adequate security resources, appointing a high-level security leader and employing certified staff.
Even if you don't buy into the Ponemon Institute's estimates on cybercrime costs, you'll discover that the study provides a useful look at all the potential cost factors involved. The study paints a clear picture of why information security needs to be a higher priority for more organizations. Monitoring what's happening on your networks using the right tools certainly will yield cost-avoidance benefits.