The cost of cybercrime in the US has climbed to a record $12.7 million, up from $11.56 million in 2013, according to a report by the Ponemon Institute.
The research, dubbed “2014 Cost of Cyber Crime Study: United States”, was sponsored by US tech giant Hewlett-Packard (HP) and involved 2000 participants and 259 companies across seven countries: the United States, United Kingdom, Germany, Australia, Japan, France and the Russian Federation, with the US recording the highest costs of cybercrime.
“This year’s report shows us once again that not only is the frequency of cybercrime increasing but so is the cost to organizations around the world,” said Tony Caine, vice president and general manager for enterprise security EMEA at report sponsor HP.
“The study serves to raise awareness around the reality of cybercrime, by industry, across the globe,” said Frank Mong, HP vice president and general manager, solutions, Enterprise Security Products. “It is our hope that organizations realize that threats are becoming more frequent and more sophisticated, and gain an understanding from the findings how they should prioritize their security investments.”
The study revealed a 176% increase in the number of cyber-attacks, with an average of 138 successful attacks every week compared to 50 successful attacks in 2010.
Apparently, attacks caused by distributed denial of service (DDoS), malicious insiders and malicious code are the most costly cybercrimes in the US, accounting for 55% of all cybercrime costs in organizations annually. Attacks by malicious insiders such as employees and contractors lead the pack, while malicious code crimes such as malware, botnets, Trojans and worms are the least expensive in this category.
Smaller firms experienced a higher proportion of costs relating to web-based attacks, phishing and social engineering, while large firms had a higher proportion of cybercrime costs relating to malicious code and DDoS. However, firms in the energy, utilities and defense sectors incurred the highest cost of cybercrime regardless of size.
The report revealed that organizations were taking much longer to respond to cyber-attacks. An average firm takes 45 days to resolve a cybercrime at an average cost of $1,593,647. This represents a 33% increase from last year’s cost estimate of $1,035,769. Shockingly, some crimes go undetected for an average of 170 days, with the longest taking 259 days.
“It’s concerning to know that an unwanted adversary can be lurking in your system for so long, causing costly and reputation-destroying damages without the organization even noticing,” stated Ponemon. “This allows the adversary time to invade the system even further and make it more difficult for the organization to eliminate the attack completely.”
Frank Mong partly attributes the huge increase in cybercrime cost to the failure of organizations to admit that a security breach has already happened and to respond immediately. “It’s important that organizations recognize and overcome the stigma of admitting they are vulnerable and that they have likely already suffered a security breach,” Mong said. “Once organizations accept this as reality, they then have to understand how to address it. Many focus solely on keeping the adversary out, when it is likely that the adversary is already in. This is a call to action for more focus on detection and containment.”
Interestingly, a good security posture significantly reduces the cost of mitigating cybercrime. Ponemon used a Security Effectiveness Score (SES) index to rate organizations’ security posture. The higher the rating on the SES index, the lower the number of successful attacks. In addition, good security governance practices save an organization an average of $1.7 million, according to the report.
“Companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cybercrime costs that are lower than companies that have not implemented these practices,” stated the report.
Meanwhile, organizations that deploy security intelligence technology recorded a lower annualized cost of cybercrime. Such technologies include security information and event management (SIEM), intrusion prevention systems and application security testing solutions.
Organizations employing security intelligence technology saved an average of $5.3 million in cybercrime costs compared to companies without intelligence technologies. Security intelligence technologies also have a huge positive return on investment (ROI).
“Specifically, the data tells us that organizations experience the most return when focusing incremental spending on security intelligence systems (including SIEM), extensive deployment of encryption technology and advanced perimeter controls,” Mong said. “The study is clear that these areas deliver significant ROI, and can have a direct impact on minimizing the cost of cybercrime.”
It is evidently clear that cybercrime is evolving at an alarming rate. Organizations can no longer ignore the impact of cybercrime given its huge cost implications. It is no longer about whether the organization is vulnerable; it’s about when the breach will occur. Organizations should devote more energy and resources to fighting cybercrime.
“No amount of investment can completely protect organizations from highly sophisticated cyber-attacks, but improving and prioritizing your organization’s ability to disrupt the adversary with actionable intelligence solutions such as SIEM, can significantly improve attack containment and reduce the overall financial impact,” concludes Art Gilliland, senior vice president and general manager for enterprise security products at HP.