Attacks/Breaches
8/2/2011
02:15 PM

Cybercrime Cleanup Costs Spike

Ponemon study finds median cost of responding to successful security breaches increased by 56% over the past year, thanks to more persistent and sophisticated attackers.

Over the past year, the median cost of cybercrime increased by 56%, and cybercrime now costs companies an average of $6 million per year.

That finding comes from Ponemon Institute, which on Tuesday released its Second Annual Cost of Cyber Crime Study, sponsored by HP ArcSight. For the study, Ponemon questioned 50 U.S.-based businesses, ranging in size from 700 to 139,000 employees, about "the direct, indirect, and opportunity costs that resulted from the loss or theft of information, disruption to business operations, revenue loss, and destruction of property, plant, and equipment."

Ponemon found that from 2010 to 2011, the time and cost required to respond to security breaches increased. Notably, the time organizations required to respond to a successful attack increased from 14 days last year to 18 days this year. Over the same period, the average daily cost of attacks increased from $17,600 to nearly $23,000.

In addition, the study found that organizations experienced an average of "72 discernible and successful cyber attacks per week," which is an increase of 44% from the previous year. Of the resulting costs incurred by organizations, the largest was information loss (accounting for 40% of the total cost), followed by business disruption (28%), revenue loss (18%), and equipment damage (9%).

The increase in attack frequency--as well as companies seeing more sophisticated attacks--has led to related increases in cleanup costs and duration. "Really determined attackers often establish multiple beachheads within an organization, so cleaning up an attack is not just about quarantining one device," said Ryan Kalember, director of product marketing at HP ArcSight, in an interview. In other words, once attackers break in, identifying the potentially breached information, as well as all systems that may have been infected with rootkits, backdoors, or other malware, becomes more difficult.

In terms of attack type, 100% of organizations reported experiencing viruses, worms, or Trojans, followed by malware (96%), botnets (82%), Web-based attacks (64%), stolen devices (44%), malicious code (42%), malicious insiders (30%), and phishing and social engineering (30%).

Some types of attacks cost more and take more time to fix. Overall, the costliest attacks involved denial of service, and cost companies in total about $188,000 per year, weighted by frequency of attacks. That was followed by Web-based attacks ($142,000), malicious code ($127,000), and malicious insiders ($105,000).

Once an organization suffered a breach, on an annualized basis, proportionally speaking, its cleanup spending went to recovery (24%), followed by detection (21%), containment (16%), investigation (16%), and ex-post response, including remediation (15%). In terms of industries, the defense sector spent the most money responding to and mitigating attacks, followed by utilities and energy companies, and financial services firms.

This Ponemon study's results differ notably from other data breach cost studies, such as Symantec's annual study on the cost of data breaches (also conducted by Ponemon), or the 2011 Data Breach Investigations Report from Verizon. Notably, this new study found that the defense sector, as well as utilities and energy companies, faced the most breaches per year--whereas the Verizon study said that the hospitality and retail sectors were hardest hit.

Kalember at HP ArcSight said many of the differences can be explained by this study focusing on overall cyber crime, rather than individual breaches. In addition, the data set used by Verizon draws from Secret Service and Dutch High Tech Crime Unit investigations, meaning it's based on incidents that companies report to authorities. "But I'm guessing that most cyber crime that happens in these organizations doesn't get reported to police," said Kalember. In addition, while this Ponemon report focused on cyber crime, the Verizon study took a broader approach, for example including card-skimming attacks that harvest debit and credit card data.

Regardless of the data set, numerous studies, including this one, suggest that online attacks are growing more sophisticated, and thus dangerous. "The fact that discernible attacks in this year's study have increased--coupled with the fact that the time to resolve attacks has also increased--suggests the cyber crime landscape continues to evolve in terms of attack severity and frequency," according to the study. "In other words, results of the present study suggest things might be getting worse."
