Defending Against Cybercrime Just Got A Lot More Expensive


Denial-of-service attacks, malicious insiders and Web-based attacks have contributed to a sharp rise in the annualized cost of cybercrime to companies, according to a study conducted by the Ponemon Institute.

The Ponemon study, based on interviews with more than 1,000 security professionals, found the annualized cost of cybercrime to companies was $11.56 million per organization, with a range of $1.3 million to $58 million, an increase of 26 percent over the average cost in 2012. The study, commissioned by Hewlett-Packard, also found that the average time to resolve a security incident increased from 24 days in 2012 to 32 days, a 33 percent rise.

Ponemon used a benchmark sample of 60 U.S. organizations to arrive at the figures in the report, "2013 Cost of Cyber Crime Study: United States." A Ponemon study in June analyzing data breach costs found security incident expenses highest in the U.S. and Germany.


Data theft poses the highest external costs to organizations, followed by business disruption, according to the study. The losses prompted by disrupted business operations are adding up, the study found, increasing 18 percent from 2012. Meanwhile, data theft costs declined 2 percent.

Threat detection, disaster recovery and incident response were the most costly internal activities. Recovery and detection accounted for nearly half of the total internal activity cost, with labor making up the majority of that expense, according to the study.

Attacks on businesses are also increasing, fueled by hacktivist denial-of-service attacks intended to disrupt the business, malicious insiders intent on stealing data, and financially motivated attacks after credit card data, personal information and account credentials, according to the report.

"Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, applications security testing solutions and enterprise GRC solutions," according to the study. "Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyberattacks."

If deployed and monitored, security information and event management systems could save an organization $4 million compared with companies not deploying those technologies, Ponemon said. Strong and enforceable security policies, data governance controls and a security-aware culture also rein in costs. Cost savings for companies deploying good security governance practices are estimated at $1.5 million on average, according to the study.

The study found most security spending at the network layer, with the deployment of unified threat management systems, next-generation firewalls, intrusion prevention systems and reputation feeds being key. The adoption of access governance technologies and enterprise deployment of governance, risk and compliance tools also had a significant impact on reining in costs, the study found.

A layered approach to deploying security technologies could help increase cybercriminals' cost to carry out attacks, reducing the risk that a well-protected corporate network will be targeted, say security experts. Law enforcement activity cracking down on cybercriminal gangs has only a short-term impact, said Ziv Mador, director of security research at Trustwave. Defending against attacks is a never-ending battle, Mador said.

"Even if multiple members of an organization get arrested, there is usually someone who can continue on and eventually recover the activity," Mador said. "The important thing for businesses is to develop a comprehensive security policy that would reduce risks to a minimum."

PUBLISHED OCT. 9, 2013