02:15 PM

Cybercrime Cleanup Costs Spike

Ponemon study finds median cost of responding to successful security breaches increased by 56% over the past year, thanks to more persistent and sophisticated attackers.

Over the past year, the median cost of cybercrime increased by 56%, and cybercrime now costs companies an average of $6 million per year.

That finding comes from Ponemon Institute, which on Tuesday released its Second Annual Cost of Cyber Crime Study, sponsored by HP ArcSight. For the study, Ponemon questioned 50 U.S.-based businesses, ranging in size from 700 to 139,000 employees, about "the direct, indirect, and opportunity costs that resulted from the loss or theft of information, disruption to business operations, revenue loss, and destruction of property, plant, and equipment."

Ponemon found that from 2010 to 2011, the time and cost required to respond to security breaches increased. Notably, the time organizations required to respond to a successful attack increased from 14 days last year to 18 days this year. Over the same period, the average daily cost of attacks increased from $17,600 to nearly $23,000.

In addition, the study found that organizations experienced an average of "72 discernible and successful cyber attacks per week," which is an increase of 44% from the previous year. Of the resulting costs incurred by organizations, the largest was information loss (accounting for 40% of the total cost), followed by business disruption (28%), revenue loss (18%), and equipment damage (9%).

The increase in attack frequency--as well as companies seeing more sophisticated attacks--has led to related increases in cleanup costs and duration. "Really determined attackers often establish multiple beachheads within an organization, so cleaning up an attack is not just about quarantining one device," said Ryan Kalember, director of product marketing at HP ArcSight, in an interview. In other words, once attackers break in, identifying the potentially breached information, as well as all systems that may have been infected with rootkits, backdoors, or other malware, becomes more difficult.

In terms of attack type, 100% of organizations reported experiencing viruses, worms, or Trojans, followed by malware (96%), botnets (82%), Web-based attacks (64%), stolen devices (44%), malicious code (42%), malicious insiders (30%), and phishing and social engineering (30%).

Some types of attacks cost more and take more time to fix. Overall, the costliest attacks involved denial of service, and cost companies in total about $188,000 per year, weighted by frequency of attacks. That was followed by Web-based attacks ($142,000), malicious code ($127,000), and malicious insiders ($105,000).

Once an organization suffered a breach, its cleanup spending, on an annualized and proportional basis, went to recovery (24%), followed by detection (21%), containment (16%), investigation (16%), and ex-post response, including remediation (15%). In terms of industries, the defense sector spent the most money responding to and mitigating attacks, followed by utilities and energy companies, and financial services firms.

This Ponemon study's results differ notably from other data breach cost studies, such as Symantec's annual study on the cost of data breaches (also conducted by Ponemon), or the 2011 Data Breach Investigations Report from Verizon. Notably, this new study found that the defense sector, as well as utilities and energy companies, faced the most breaches per year--whereas the Verizon study said that the hospitality and retail sectors were hardest hit.

Kalember at HP ArcSight said many of the differences can be explained by this study focusing on overall cyber crime, rather than individual breaches. In addition, the data set used by Verizon draws from Secret Service and Dutch High Tech Crime Unit investigations, meaning it's based on incidents that companies report to authorities. "But I'm guessing that most cyber crime that happens in these organizations doesn't get reported to police," said Kalember. In addition, while this Ponemon report focused on cyber crime, the Verizon study took a broader approach, for example including card-skimming attacks that harvest debit and credit card data.

Regardless of the data set, numerous studies, including this one, suggest that online attacks are growing more sophisticated, and thus more dangerous. "The fact that discernible attacks in this year's study have increased--coupled with the fact that the time to resolve attacks has also increased--suggests the cyber crime landscape continues to evolve in terms of attack severity and frequency," according to the study. "In other words, results of the present study suggest things might be getting worse."
