Cyberattacks on organizations have more than doubled over a three-year period, driving up the costs associated with fallout from the attacks, according to a new study conducted by the Ponemon Institute.
The 2012 Cost of Cyber Crime Study found the cost of cyberattacks increased by 6% from an average cost of $8.4 million a year per company in 2011, to $8.9 million.
The study, commissioned by Hewlett Packard Co., analyzed information from 56 organizations in various industry sectors. All 56 companies had been successfully attacked and had their networks infiltrated by cybercriminals. Data was gathered using activity-based costing, a method of research that Ponemon uses to analyze company behavior instead of using a survey of questions. The latest study is the third annual report of its kind by researchers at Traverse City, Mich.-based Ponemon Institute.
"Based on these findings, organizations need to be more vigilant in protecting their most sensitive and confidential information," the study read.
Security researchers have long noted the underground business of cybercrime, fueled by cybercriminals toting automated toolkits and botmasters who rent out their malicious servers to enable almost anyone to conduct wide-scale cyberattacks. The 2011 Cost of Cybercrime Study also noted the increasing frequency of attacks putting pressure on IT security teams and rising costs associated with security defenses and incident response activities.
Internal and external costs
The Ponemon study found information theft and business disruption continue to represent the highest external costs, making up 44% of total external costs, rising 4% from 2011. Disruption to business and lost productivity accounted for 30% of external costs, rising 1% from 2011.
Internal activities also drove up the costs of containing and cleaning up after successful attacks. Recovery and detection represent the most costly activities associated with cybercrime. The Ponemon report noted that operating expenses and labor represent the majority of the costs associated with the activities.
Larry Ponemon, chairman and founder of the Ponemon Institute, said the increase in attacks, which jumped from 50 attacks on average per week in 2010, to 102 successful attacks on average per week, stood out the most to him.
"People aren't getting tired of attacking [companies]," he said, adding that as long as there is still a financial incentive for cybercriminals, they will continue to attack.
The study also illuminated which types of attacks companies are faced with. All of the companies studied experienced viruses, worms and Trojans, while 95% faced malware, and 71% were attacked by botnets. The most costly attacks were perpetrated through malicious code and denial-of-service attacks.
Industries incurring the highest average annualized cost were defense, utilities and energy, and financial services.
In addition to the United States data, the Ponemon Institute also analyzed the behavior of companies in the U.K., Germany, Australia and Japan. Ponemon found that recovery and detection were the two most expensive internal costs of cybercrime in each country.
One key difference Ponemon pointed out was in the external costs of cybercrime by country. The main cost for the U.K. and Australia was business disruption, while Germany and the U.S. were hit the hardest by information loss. Japan experienced an equal percentage of loss through business disruption and information loss.
"Organizations in the U.S. [and Germany] are fighting a different battle than in the U.K. or Australia," Ponemon said.
Ponemon said organizations should be using security tools to mitigate attacks. Deploying security network technologies "makes a difference and reduces the overall cost," he said. In addition to tools, Ponemon said companies need to have good governance practices.
"Organizations have to deal with a very expensive proposition. It's here to stay," Ponemon said.