Cybercrime Study Finds Increasing Costs as Well as Changing Targets & Methods

In the Ninth Annual Cost of Cybercrime Study, Accenture and Ponemon Institute say that they are analyzing the latest cost numbers of cybercrime to try and help leaders to better target security investments and resources. They interviewed 2,647 senior leaders from 355 companies and drew on the experience and expertise of the Accenture Security professionals to examine the economic impact of cyber attacks.

Accenture thinks that attacks are evolving from the perspective of what they target and how they impact organizations as well as the changing methods of attack that they employ. Extended supply chain threats are also challenging an organization's business ecosystem. Attackers have slowly shifted their attack patterns to exploit third- and fourth-party supply chain partner environments to gain entry to target systems -- even those industries that have mature cybersecurity standards, frameworks and regulations. Supply chain attacks are a way around all that preparation.

The report finds information theft is the most expensive and fastest rising consequence of cybercrime. This kind of theft is expected and the predominate mental threat model the security team uses, without doubt.

But data is not the only target. Core systems, such as industrial controls or other operational technology, are being attacked in a "dangerous trend to disrupt and destroy." Attacking an enterprise's data integrity or preventing data toxicity may be the next frontier in security.

One thing seems to be clear: Humans are increasingly targeted as the weakest link in cyber defenses.

The report found that the expanding threat landscape lead to an increase in cyber attacks. The average number of security breaches in an enterprise during the last year grew by 11% from 130 to 145.

While Internet dependency and the digital economy are flourishing, 68% of business leaders said their cybersecurity risks are also increasing. Almost 80% of organizations say that they are introducing digitally fueled innovation faster than their ability to secure it against cyber attackers.

Along with increased attack incidence came increased spending on remediation. The report found the average cost of cybercrime for an organization increased US$1.4 million to US$13.0 million.

Accenture also found that the banking and utilities sectors continued to have the highest cost of cybercrime across their sample with an increase of 11% and 16% respectively. The energy sector remained fairly flat over the year with a small increase of 4%, but the health industry experienced a slight drop in cybercrime costs of 8%.

There are location based differences shown as well. the United States continued to top the danger list with the average annual cost of cybercrime increasing by 29% in 2018 to reach US$27.4 million. However, the highest increase (31%) was experienced by organizations in the United Kingdom which grew to US$11.5 million, closely followed by Japan which increased by 30% in 2018 to reach US$13.6 million on average for each organization.

Expenditures for investigating a breach have decreased in three of the four years of analysis. Accenture says that the decreases in spend are due to improvements in forensic analysis capabilities and threat hunting tools. Another factor they cite influencing the reduction in spend is the expanded use of cloud services, which make the investigation of cyber threats more efficient.

The report shows that while the specifics of an attack will change over time, there are trends exhibited by those changes that can be of use.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.