There are, arguably, four things one can depend on: Life, death, taxes and the increasing cost to organizations of cyber crime.
So it comes as little surprise that this year’s Ponemon Institute cost of IT security report found the average cost of defending and containing cyber attacks at 252 large organizations studied in five countries, including the U.S., had gone up 1.9 per cent to $7.7 million (all figures U.S.) this year compared to 2014. At least one organization in the study spent $65 million.
However, in the U.S. alone the cost at 58 responding companies jumped 19 per cent to $15 million, which institute chairman Larry Ponemon admitted caught him off guard.
“Unfortunately the numbers are moving in the wrong direction,” he said in an interview.
The study, underwritten by Hewlett-Packard Co., also revealed that among the more than 200 companies studied in the U.S., Germany, Japan, Russia and Australia, the average time to resolve a cyber attack – 46 days – has increased by nearly 30 per cent over the last six years. “That’s a bad fact,” Ponemon said.
Earlier this year Ponemon figured the average cost of a breach in Canada was just over CDN $5.3 million.
On average, responding organizations faced 166 attacks a week this year, compared to 50 a week in 2010.
The average cost in six countries (including Brazil) of cyber defence in 2015 was more than $1.9 million.
The longer resolution time is a concern, Ponemon noted, because the longer an attack takes to resolve, the more costly it is. He suspects it shows attackers are getting more sophisticated.
(Organizations from Brazil were included in this study for the first time, but aren’t counted in some figures because they couldn’t be compared to previous reports).
These are average numbers, so the cost per organization ranged widely. While the report didn’t name companies studied, it is known that Home Depot recently acknowledged it has spent $232 million so far to fix its systems and cover damages from a 2014 breach, with more damages possible from lawsuits yet to be heard.
Which raises the question of whether studies on the cost of a data breach mean anything to boards, who approve CISO budgets.
“They don’t,” says Curtis Levinson, an IT security consultant and the U.S. advisor to NATO on cyber security, as long as stock prices aren’t affected.
“Home Depot spent approximately (US) $425 million cleaning up after their data breach,” he said in an interview last week, “but the key indicator is stock price — shareholder value. If you look at public organizations, when there is a data breach you’ll see their stock price will dip, but the question is how far and for how long. If it’s a week or two and then it rebounds it becomes a non-issue. Data breaches do not necessarily affect shareholder value.”
“Data breaches generally do not cause investors to dump their stocks because they know in a week or two or three it’ll be over — it’ll be business as usual.” As a result, he said, breach costs sink as a board priority.
Similarly, he agreed with a suggestion that so far most consumers don’t abandon their loyalty to an organization because there’s been one data breach. Home Depot, for example, is still going strong.
That’s in part because consumers don’t bear the cost of charges on their credit cards that have been stolen, Levinson said.
For his part, Larry Ponemon says he knows reports like this are used by boards and senior executives because they don’t know what breaches cost — and because in the U.S. directors are worried about their liability. “That in and of itself may be helpful,” he said. And, he added, the numbers can help an organization benchmark itself against others.
But he also said he doesn’t disagree that boards of retail organizations so far have shrugged off the cost of breaches because customers keep spending.
To gather the statistics Ponemon researchers interviewed 2,100 people from 252 organizations with more than 1,000 staff over 11 months.
Spending counted includes the cost to detect, recover, investigate and manage the incident response, as well as efforts to contain additional costs from business disruption and the loss of customers.
“We believe a better understanding of the cost of cyber crime will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack,” the report says.
The cost of cyber crime is moderated by the use of security intelligence systems, the study also concluded. Companies using security intelligence technologies were more efficient in detecting and containing cyber attacks, it said. As a result, these companies enjoyed an average cost savings of $1.9 million per incident when compared to companies not deploying security intelligence technologies.
“Findings show companies that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber crime costs that are lower than companies that have not implemented these practices. Specifically, a sufficient budget can save an average of $2.8 million, employment of certified/expert security personnel can save $2.1 million and the appointment of a high-level security leader can reduce costs by $2 million.”