Sophisticated cyberattacks are hitting enterprises more frequently and attackers are staying on networks undetected for longer periods, contributing to an increase in the average cost of cybercrime for the fourth year in a row, according to a new report.
The fourth-annual Cost of Cybercrime Study, produced by the Ponemon Institute and sponsored by Hewlett-Packard's enterprise security unit, showed the cost enterprises pay to clean up after a cyberattack has increased 26% from 2012, and has gone up a staggering 78% since the first report was released four years ago.
The latest study analyzed information from 60 large U.S.-based organizations (and 234 in total) in various industry sectors, with the average cost per organization totaling approximately $11.56 million a year.
Instead of focusing on the total cost incurred by enterprises, the Ponemon report narrowed its scope to only include what enterprises spent while responding to cybercrime incidents, including detection, investigation, recovery and incident management.
Larry Ponemon, founder and chairman of the Ponemon Institute, noted that the report doesn't take into account, as an example, what costs a company would incur if its "crown jewel" of data was stolen -- either because a dollar value would be impossible to calculate, or because an organization typically overestimates the value of its own data. Even without these costs included, the report showed the cost range spanning all the way from the low of $1.3 million to the high of $58 million, a number Ponemon said even the largest organizations would notice.
The cost of cybercrime increased, in part, because the number of successful attacks on enterprises increased by 18%, up from approximately 1.8 attacks per week last year to 2 attacks per week this year. The Ponemon report characterized an attack as successful if it infiltrated an organization's network, systems or both. Though enterprises most frequently experience virus- or malware-based attacks, the most costly attacks were denial-of-service attacks, malicious insiders and various Web-based attacks.
Though Ponemon said the report had no way to measure the sophistication of successful attacks, he speculated that the evidence collected suggested attacks are also becoming more stealthy and complex.
"[A successful attack is] less likely to be a simple malware-based attack [and is] much more likely to be an attack that is focused on an objective like the exfiltration of sensitive or confidential information," he said.
The increasing level of sophistication involved in successful attacks played a part in bumping up the mean time needed to resolve an attack -- up from 24 days in 2012 to a 32-day period this year. The average cost associated with resolving security incidents also rose by a dramatic 55%, from $591,780 to $1,035,769. Even accounting for the extra eight days on average, organizations are spending much more per day to resolve security incidents than they were just a year ago.
Though the data suggested enterprises are facing greater difficulty in responding to attacks, Ponemon, in this instance, took a more positive stance on the increased spending.
"One of the reasons there seems to be a cost increase is because companies are exercising better procedures on discovery, detection, and all the forensics and investigative work that needs to be done. I think more and more companies are spending time and resources on that," Ponemon said. "I don't want to say this is true in every case, and these are averages, but we basically find more organizations are doing more to detect and try to understand the root cause of the attack, and I think that is driving the costs because that takes resources."
How to lower cybercrime costs
Though Ponemon conceded there is no way for an organization to ward off all attacks, he noted a couple of ways the average enterprise can reduce its cost of cybercrime, based on findings in the report. The first element is the technologies organizations have in place.
The report indicated that enterprises continue to spend significantly on network security appliances, for example, when more costly attacks often take advantage of weak application security. Remarking that most organizations rarely reassess categories of security spending on a yearly basis, Ponemon said enterprise security spending should be aligned with the costliest threats. In contrast to traditional antimalware products that are increasingly irrelevant, he said security intelligence systems, including security information and event management products and big data analytics, produced a 21% return on investment for organizations.
Perhaps more important than having the right technologies, organizations that consistently experienced lower cybercrime costs did so by implementing the right people and processes. In particular, Ponemon pointed to enterprises that had a chief information security officer (CISO) or other equivalent in place, with the caveat that they were real senior-level executives. Such organizations, he noted, tended to have better security governance, mostly because hiring a CISO signals that the company takes information security seriously and is willing to make an investment in credentialed professionals.
"It's not that that person is the reason for the value that we find," Ponemon said. "But the organizations that have that person with the right role and the right title and authority tend to be smarter around the whole governance of security."