The results of HP/Ponemon’s latest annual report on cybercrime’s true costs found that in the U.S., real cash outlays and intangible costs are on the rise. Here’s how much time and money firms have been spending to wage the ongoing battle against hackers.
The media is awash with headlines on cyberattacks, with millions of records compromised at one firm after another, from retail big box players to government agencies. But what does it all mean in terms of dollars?
In the latest report on the true costs of cybercrime, Hewlett-Packard issued a report in tandem with Ponemon via the latter’s Institute on Cyber Crime earlier this month. The report states that the United States is especially hard hit by hacking, as cyberattacks cost U.S. firms, on average, $15.4 million annually, which is double the $7.7 million global average (which is a bump of 1.9 percent over last year, after adjusting for currency changes). For the U.S., the latest average costs represent a significant jump from the $12.7 million seen in 2014.
The survey itself found no discrimination in terms of business size or industry niche, according to the 2,000 executives queried across 250 companies in this latest survey. Perhaps not surprisingly, the financial services and energy industries, huge targets in their own rights due to their sheer sizes, saw the highest impact from hacking, with respective average annual cost tallies of $13.5 million and $12.8 million, respectively.
And even as the costs rise for businesses, the costs are negligible for the hackers themselves, which, of course, sets the stage for continued nefarious activity. You might call it a warped version of supply and demand: lots of opportunity for cyberthieves to make a buck (or a few million of them), which would be the supply, leading to a boost in criminal activity (or the demands they make as they try to drain cash and/or sensitive data from firms).
Among the most expensive types of attacks, according to the joint report, were the ones instigated by malicious insiders, denial-of-service attempts and attacks conducted across the Internet.
As for the costs for the hackers themselves, the report showed that, as estimated by Incapsula, a cybersecurity firm, the average cost of staging a denial-of-service attack stood at $38 an hour, in part because the technology employed — through sharing between hackers and “dark forums,” in addition to other subterranean marketplaces — is rather inexpensive. That $38 an hour for the bad guys stands in stark contrast to their victims, where the study found that “the real world cost of an unmitigated attack” is as much as $40,000 per hour for enterprises.
The real cost lies with smaller businesses, the study found, with a significantly higher per capital cost than larger companies, at $1,388 versus $431.
Once those costs are incurred, how are they allocated? Business disruption marks the highest cost, accounting for as much as 39 percent of all external costs, and internally speaking, the greatest costs within an organization lie with loss of productivity and allocation of labor towards fighting or repairing hacker damage.
The mean total number of days to resolve actual attacks came in at 46 days, with an average cost of more than $21,100 per day. But drilling down a bit, some types of attacks, such as those from malicious insiders, took longer to resolve, at more than 54 days. Ponemon and HP reported that 252 companies saw more than 1,900 cyberattacks through the past year, with 1.9 successful cyberattacks per week, up from 1.7 per week last year.
So, what is the solution? For a range of technologies taken to resolve cyberattacks, from detection to recovery to incidence management, the report found that companies that deploy security intelligence technologies, such as encryption and automated security policy systems, demonstrate costs savings in the battle against cybercrime. The return on investment for those companies comes in at 23 percent.
But even greater savings come as dedicated personnel work within an organization to address cybersecurity concerns. Those firms that deploy certified and expert data security workers see an average cost savings of about $1.4 million. The bottom line may be this: Technology is indispensable in the ongoing and daily war against cybercrime, but the humans behind that technology may be among the best lines of defense.