12:24 PM

Cybercrime Attacks, Costs Escalating

Successful attacks against U.S. businesses have increased by 42% since last year, with individual businesses being hit with an average of two attacks per week, says study from Ponemon Institute and HP.

The frequency of online attacks against U.S. businesses continues to increase, along with the cost of defending against those attacks and mitigating any resulting data breaches. Cybercrime now costs a U.S. business $8.9 million per year, an increase of 6% from 2011 and 38% from 2010.

Those findings come from the "2012 Cost of Cyber Crime Study," which was sponsored by security intelligence tool vendor HP and released Monday by the Ponemon Institute. The 56 businesses profiled in the study also reported that on average, they're collectively seeing 102 successful attacks per week, up from 72 attacks per week in 2011 and 50 attacks per week in 2010. Individual businesses, meanwhile, see on average 1.8 successful attacks against them per week.

Are the increased cybercrime costs a direct result of businesses being hit by a greater quantity of attacks? "This is a little bit of conjecture on my part, but I think we've found evidence--and pretty strong evidence in some cases--that it's not just about the frequency of attacks, but also the sophistication," said Larry Ponemon, chairman and founder of the Ponemon Institute, speaking by phone. "Some attacks are pretty surgical and stealthy; they're very hard to detect, and even when detected, they're hard to contain."

[ Cybercriminals don't target only big companies with lots of financial transactions. Read How Cybercriminals Choose Their Targets. ]

Likewise, Michael Callahan, VP of product and solution marketing for enterprise security at HP, said via phone that the increased frequency of successful attacks stems from attackers' skill and impetus. "It's not that the technology to do the attacks has changed, it's more the motivation. You've seen this broad move from attacks being about fame, to fortune," he said. In addition, he noted that formerly independent groups of attackers now often appear to band together for individual attack campaigns, which makes them harder to stop.

Another cost factor is that it's taking businesses longer to respond to security breaches. On average, it now takes a business 24 days to spot and resolve an attack, although some cleanup operations extended to 40 days. On average, each cleanup cost $592,000, a 42% increase from the average reported 2011 cleanup costs of $416,000.

Accordingly, said HP's Callahan, it's essential to stop attacks as early in the "kill chain" as possible, by which he's referring to the stages of an attack: reconnaissance, weaponization, delivery, exploitation, command and control, and exfiltration. "The earlier you stop it, the less it's going to cost you as an organization to remediate," he said. "Once you move through that kill chain, it becomes harder and harder to stop." Furthermore, if an attack isn't discovered until attackers are already exfiltrating data, then attackers may have already succeeded.

In terms of how cybercrime costs break down, businesses told Ponemon that their biggest hits in 2012 have come from lost information (comprising 44% of total cybercrime costs) and business disruption (30%)--both of those figures are virtually unchanged from 2011--as well as lost revenue (19%) and equipment damages (5%).

The study also looked at regional cybercrime cost differences. Businesses in the United States spend the most on cybercrime (on average, $8.9 million annually per business), followed by Germany ($6.0 million). But cybercrime costs were much lower in Australia ($3.4 million) and the United Kingdom ($3.3 million). According to Ponemon, attacks in the latter two countries appear to be primarily aimed at disrupting businesses--for example, by knocking their websites offline. But in the United States and Germany, intellectual property attacks are much more common, and economically also more damaging.

Given the study's findings, what can businesses do to lower their cybercrime-related costs? In the United States, businesses with the lowest relative cybercrime costs tend to have a good information security governance program and to use some type of security intelligence or security intelligence and event management tool, according to Ponemon. In particular, he said that businesses that employed security intelligence tools lowered their cybercrime costs by an average of $1.6 million per year, in part by being able to spot and respond to breaches more quickly.

"It's not that the costs go to zero [by putting those two approaches in place], but it does have a positive effect on the organization when it comes to cybercrime," Ponemon said. "You can become less of a victim."

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.