The Ponemon Institute’s recently released “Second Annual Cost of Cyber Crime Study” confirms what many of us might suspect from the endlessly grim headlines these days: data breaches have become a more frequent and damaging hazard of business. The study, sponsored by ArcSight, set out to quantify the financial toll from cyber attacks and assess the full impact of those costs over time, with the purpose of helping businesses better understand the level of resources needed to prevent or mitigate future attacks.
The cyber crime study arrived at several key conclusions:
- Cyber crimes can decimate bottom lines. The study showed that cyber crime costs organizations an average of $5.9 million per year, with a range of $1.5 million to $36.5 million each year per company. This represents a 56% increase in average cost from the first cyber crime study published last year.
- Cyber attacks have become common. The companies in the study experienced 72 successful attacks per week and more than one successful attack per company per week. This represents an increase of 44% from last year’s successful attack experience.
- The most costly cyber crimes are those caused by malicious code, denial of service, stolen devices and Web-based attacks. These account for more than 90% of all cyber crime costs per organization each year.
- Cyber crime cost varies by organizational size. Smaller-sized organizations incur a significantly higher per capita cost than larger-sized organizations ($1,088 versus $284).
- Cyber attacks cost more if not resolved quickly. The average time to resolve a cyber attack is 18 days, with an average cost of $415,748 over this 18-day period. This represents a 67% increase from last year’s estimated average cost of $247,744, which was compiled for a 14-day period. Malicious insider attacks can take more than 45 days on average to contain.
- Information theft continues to represent the highest external costs of cyber crime, followed by the costs associated with business disruption. Information theft accounts for 40% of total external costs per year (down 2% from 2010). Costs associated with disruption to business or lost productivity account for 28% of external costs (up 6% from 2010). Recovery and detection are the most costly internal activities, accounting for 45% of the total internal activity cost, with cash outlays and labor representing the majority of these costs.
- All industries fall victim to cyber crime, but to different degrees. The average cost of cyber crime appears to vary by industry segment, where defense, utilities and energy, and financial service companies experience higher costs per year than organizations in retail, hospitality and consumer products.
One of the more hopeful takeaways from the study is that strong security measures do mitigate the cost of cyber attacks, creating one more reason to institute a data breach plan and back it up with robust resources for protection.