Report: Healthcare Organizations Spend $12.5 Million a Year on Cybersecurity

Oct. 5, 2017

Cybercrime is costing businesses, on average, $11.7 million a year, a 23 percent increase from $9.5 million in cybercrime-related spending last year. The accelerating cost of cybercrime over the past five years also means that the cost of cybercrime has increased 62 percent since 2013, according to the Ponemon Institute’s Cost of Cybercrime Study.

For the report, the Ponemon Institute surveyed 2,182 security and IT professionals from 254 organizations about cybercrime spending, including costs associated with IT infrastructure, economic espionage, business disruption, exfiltration of intellectual property and revenue losses. The Ponemon Institute developed the report with Accenture, and the report aims to quantify the economic impact of cyber attacks and observe cost trends over time.

“Whether managing incidents themselves or spending to recover from the disruption to the business and customers, organizations are investing on an unprecedented scale—but current spending priorities show that much of this is misdirected toward security capabilities that fail to deliver the greatest efficiency and effectiveness,” the report authors wrote.

Looking at 15 different industry sectors, the study found that financial services has the highest cost of cybercrime, at $18.3 million, on average, a year, followed by utilities and energy, costing $17.2 million a year. For organizations in the healthcare sector, the average annualized cost of cybercrime is $12.5 million a year, making healthcare the fifth most costly industry.

With cyber attacks on the rise, the number of successful breaches per company each year has risen more than 27 percent, from an average of 102 to 130. Ransomware attacks alone have doubled in frequency, from 13 percent to 27 percent, with incidents like WannaCry and Petya affecting thousands of targets and disrupting public services and large corporations across the world, the study authors wrote.

For the report, researchers estimated the average cost of cybercrime for seven countries, involving 254 separate companies, for the past three years. Companies in the United States report the highest total average cost at $21 million and companies in Australia report the lowest total average cost at $5.41 million.

Among the organizations the Ponemon Institute studied, information loss represents the largest cost component with a rise from 35 percent in 2015 to 43 percent in 2017.

To better understand the effectiveness of investment decisions, the study analyzed nine security technologies across two dimensions: the percentage spending level between them and their value in terms of cost-savings to the business. The findings illustrate that many organizations may be spending too much on the wrong technologies.

The report found that security intelligence systems (67 percent) and advanced identity and access governance (63 percent) are the top two most widely deployed enabling security technologies across the enterprise. These technologies also deliver the highest positive value gap with organizational cost savings of $2.8 million and $2.4 million respectively.

“As the threat landscape constantly evolves, these investments should be monitored closely so that spend is at an appropriate level and maintains effective outcomes,” the report authors wrote.

Aside from systems and governance, the report found that other investments show a lack of balance. Of the nine security technologies evaluated, the highest percentage spend was on advanced perimeter controls. Yet, the cost savings associated with technologies in this area were only fifth in the overall ranking with a negative value gap of minus 4. “Clearly, an opportunity exists here to assess spending levels and potentially reallocate investments to higher-value security technologies,” the report authors wrote.

The report authors also contend that the foundation of a strong and effective security program is to identify and “harden” the higher-value assets. “These are the ‘crown jewels’ of a business—the assets most critical to operations, subject to the most stringent regulatory penalties, and the source of important trade secrets and market differentiation. Hardening these assets makes it as difficult and costly as possible for adversaries to achieve their goals, and limits the damage they can cause if they do obtain access,” the report authors wrote.

The report also recommends that organizations build cybersecurity on a strong foundation of the “brilliant basics,” such as security intelligence and advanced access management; undertake extreme pressure testing to identify vulnerabilities more rigorously; and invest in breakthrough technologies.
