Cybercrime Cleanup Costs Spike

Ponemon study finds median cost of responding to successful security breaches increased by 56% over the past year, thanks to more persistent and sophisticated attackers.

Over the past year, the median cost of cybercrime increased by 56%, and cybercrime now costs companies an average of $6 million per year.

That finding comes from Ponemon Institute, which on Tuesday released its Second Annual Cost of Cyber Crime Study, sponsored by HP ArcSight. For the study, Ponemon questioned 50 U.S.-based businesses, ranging in size from 700 to 139,000 employees, about "the direct, indirect, and opportunity costs that resulted from the loss or theft of information, disruption to business operations, revenue loss, and destruction of property, plant, and equipment."

Ponemon found that from 2010 to 2011, the time and cost required to respond to security breaches increased. Notably, the time organizations required to respond to a successful attack increased from 14 days last year to 18 days this year. Over the same period, the average daily cost of attacks increased from $17,600 to nearly $23,000.

In addition, the study found that organizations experienced an average of "72 discernible and successful cyber attacks per week," which is an increase of 44% from the previous year. Of the resulting costs incurred by organizations, the largest was information loss (accounting for 40% of the total cost), followed by business disruption (28%), revenue loss (18%), and equipment damage (9%).

The increase in attack frequency--as well as companies seeing more sophisticated attacks--has led to related increases in cleanup costs and duration. "Really determined attackers often establish multiple beachheads within an organization, so cleaning up an attack is not just about quarantining one device," said Ryan Kalember, director of product marketing at HP ArcSight, in an interview. In other words, once attackers break in, identifying the potentially breached information, as well as all systems that may have been infected with rootkits, backdoors, or other malware, becomes more difficult.

In terms of attack type, 100% of organizations reported experiencing viruses, worms, or Trojans, followed by malware (96%), botnets (82%), Web-based attacks (64%), stolen devices (44%), malicious code (42%), malicious insiders (30%), and phishing and social engineering (30%).

Some types of attacks cost more and take more time to fix. Overall, the costliest attacks involved denial of service, and cost companies in total about $188,000 per year, weighted by frequency of attacks. That was followed by Web-based attacks ($142,000), malicious code ($127,000), and malicious insiders ($105,000).

Once an organization suffered a breach, on an annualized basis, proportionally speaking, its cleanup spending went to recovery (24%), followed by detection (21%), containment (16%), investigation (16%), and ex-post response, including remediation (15%). In terms of industries, the defense sector spent the most money responding to and mitigating attacks, followed by utilities and energy companies, and financial services firms.

This Ponemon study's results differ notably from other data breach cost studies, such as Symantec's annual study on the cost of data breaches (also conducted by Ponemon), or the 2011 Data Breach Investigations Report from Verizon. Notably, this new study found that the defense sector, as well as utilities and energy companies, faced the most breaches per year--whereas the Verizon study said that the hospitality and retail sectors were hardest hit.

Kalember at HP ArcSight said many of the differences can be explained by this study focusing on overall cyber crime, rather than individual breaches. In addition, the data set used by Verizon draws from Secret Service and Dutch High Tech Crime Unit investigations, meaning it's based on incidents that companies report to authorities. "But I'm guessing that most cyber crime that happens in these organizations doesn't get reported to police," said Kalember. In addition, while this Ponemon report focused on cyber crime, the Verizon study took a broader approach, for example including card-skimming attacks that harvest debit and credit card data.

Regardless of the data set, numerous studies, including this one, suggest that online attacks are growing more sophisticated, and thus dangerous. "The fact that discernible attacks in this year's study have increased--coupled with the fact that the time to resolve attacks has also increased--suggests the cyber crime landscape continues to evolve in terms of attack severity and frequency," according to the study. "In other words, results of the present study suggest things might be getting worse."
