The cost of a data breach in terms of public confidence and trust in an organization is hard to measure. But if you want to put a figure on the economic cost to an organization for detecting, recovering, investigating and managing the incident response it’s not that difficult.
The average cost of attacks at 257 companies in seven countries in fiscal 2014 (April 2013 to May 2014) was $7.6 million (all figures U.S.) according to a study done for Hewlett-Packard by the Ponemon Institute.
If that seems small, it’s because the countries studied included the U.S., Britain, France, Germany, Russia, Australia and Japan. The costs ranged from $500,000 to $61 million.
For the U.S. alone, the average cost was $12.7 million, up from $11.56 million in the same period the year before.
During the 12-month period those 257 organizations experienced 429 cyber attacks, or 1.6 a week, most commonly viruses, worms, Trojans and other malware.
The most expensive damage was done by malicious insiders (including partners) — on average $213,500 — followed by denial of service and Web-based attacks.
Common sense says the bigger the company the higher the cost, and the study bore that out. However, when the cost is measured per seat in the enterprise, small organizations suffered a higher per-employee cost than larger organizations.
The report also notes that organizations that used security intelligence systems were more efficient in detecting and containing cyber attacks, though these systems did not eliminate breaches entirely. “Companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cyber crime costs that are lower than companies that have not implemented these practices,” says the report.
The report makes two vital points:
–Cyber attacks can get costly if not resolved quickly. There’s a positive relationship between the time to contain an attack and organizational cost. Resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected.
The average time to contain a cyber attack was 31 days, with an average cost to participating organizations of $639,462 during this 31-day period. That is a 23 per cent increase from last year’s estimated average cost of $509,665, which was based upon a 27-day remediation period. Malicious insider attacks can take more than 58 days on average to contain.
–Business disruption represents the highest external cost, followed by the costs associated with information loss. On an annualized basis, business disruption accounts for 38 per cent of total external costs, which include costs associated with business process failures and lost employee productivity.
“The most costly cyber crimes are those caused by malicious insiders, denial of services and web-based attacks,” said the report. These account for more than 55 per cent of all cyber crime costs per organization on an annual basis. Mitigation of such attacks requires technologies such as SIEM (security information and event management) suites, intrusion prevention systems, application security testing solutions and enterprise GRC (governance, risk management and compliance) solutions, said the report.
It also found that the smaller organizations studied suffered a higher proportion of cyber crime costs relating to Web-based attacks, viruses, worms, Trojans and other malware. Larger organizations experienced a higher proportion of costs from denial of service attacks, malicious code and malicious insiders.
Of the incidents studied, energy, utilities and financial services sectors had the highest annualized cost.