03:10 PM
Connect Directly

Cost Of A Data Breach Jumps By 23%

Cleanup and resolution after a breach take an average of one month to complete, a new Ponemon Institute report finds.

Paging the incident response team: It now takes a large organization an average of 31 days at a cost of $20,000 per day to clean up and remediate after a cyberattack, with the total price tag for a data breach now at nearly $640,000.

That's an increase of 23% over last year, says Larry Ponemon, chairman and founder of the Ponemon Institute, whose 2014 Global Report on the Cost of Cyber Crime, an annual look at what organizations end up paying after a breach, will be published tomorrow.

"The most surprising finding from this study was that it takes an average of 31 days to resolve a cyberattack, costing an average of $20,000 per day," says Ponemon, whose study was commissioned by HP. "It is alarming to know that an unwanted adversary could invade your system, causing costly and reputation-destroying damages without you even knowing it. The ability to remain under the radar enables the adversary to invade your system even further -- making it more difficult to eliminate the attack completely, and increasing overall costs."

Ponemon, which surveyed 257 large companies in seven countries, measured the costs of more than 1,700 attacks suffered by the firms. The average cost of an attack is $639,462, according to the report.

Sean Mason, global incident response leader at CSC, says it can cost up to $400 per hour for an IR for-hire team that's not on retainer, "especially if you're behind the eight ball and under the gun." IR firms already have fairly full caseloads, so it will cost you to "move up to the top of the queue."

Companies that have an IR firm on retainer will pay much less, Mason says.

The new Ponemon data underscores the importance of early detection and better preparation for breaches. IR experts have been preaching solid IR plans and fire drills as a way to ease the ultimate damage and cost of a breach. Marshall Heilman, a consultant with FireEye's Mandiant who investigates breaches for its clients, says ideally, the mean time to remediate from a breach should be less than one week. "How can you tell if your IR plan is working? If most organizations can get to under one week [to remediate], they're doing pretty well," he said at the MIRcon conference last week in Washington, DC.

By contrast, some large defense contractors can do so in 8-12 hours, he said. "That's awesome."

[Incident response pros share tips on how to have all your ducks in a row before the inevitable breach. Read How To Be A 'Compromise-Ready' Organization.]

The average cost of cybercrime per company in the US was $12.7 million this year, according to the Ponemon report, and US companies on average are hit with 122 successful attacks per year.

Globally, the mean annualized cost for the surveyed organizations was $7.6 million per year, ranging from $0.5 million to $61 million per company. Interestingly, small organizations have a higher per-capita cost than large ones ($1,601 versus $437), the report found.

Some industries incur higher costs in a breach than others, too. Energy and utility organizations incur the priciest attacks ($13.18 million), followed closely by financial services ($12.97 million). Healthcare incurs the fewest expenses ($1.38 million), the report says.

Malicious insider attacks cost the most for an organization ($213,542) and are the rarest form of attacks. DDoS attacks are a close second in cost ($166,545), according to the report. "The most expensive attacks are malicious insiders, denial of service, web-based attacks and malicious code. Malware attacks are most frequently encountered and, hence, represent a relatively low unit cost."

Mason says malicious insider attacks are likely more expensive because, unlike with most attacks, there's "a name and a face" associated with them. "Malicious insiders either took something or did something, and you put the weight of the company behind it, so it's going to incur a lot of costs."

Business disruption is the highest external cost, followed by information loss. Internally, detection is the priciest, the report says.

"Attackers only need one shot to gain access to an organization's data, which could result in a huge financial impact for the organization as well as reputational damage," Ponemon says. "It is critical for organizations to take preventative measures and invest in the security of their organization, as that investment could significantly decrease any financial losses that could occur from a public security breach."

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Ninja
10/15/2014 | 10:31:02 AM
Pressure points for change
Good article.  It is helpful to see generalized quantification of the costs related to IR and breach remediation.

But I have found that compliance pressure still has an upper hand on changing security programs within organizations.  If an organization cannot resolve audit findings, there is more and more pressure from the regulatory side of the house when they threaten to cut funding or accesses necessary for business to continue.  It seems that organization managers feel more immediate pressure from these forms of punishment.  It is a known known as opposed to an known unknown.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
10/15/2014 | 9:54:23 AM
Re: Cost of a breach
"I guess you are only fined when you fail an audit, but not when you are breached."

Great point, @jsturonas600 Says a lot about regulatory effectiveness (or lack thereof)
Charlie Babcock
Charlie Babcock,
User Rank: Ninja
10/14/2014 | 10:09:47 PM
The real cost of security
The better it's understood what these attacks really cost, the better financed the security team is likely to be. In the end, secure cloud operations, if such a thing doesn't become an oxymoron, will be a powerful argument to do enterprise computing there. It's easier to impose security on a more uniform environment than on a complex, heterogeneous enterprise environment.  
User Rank: Apprentice
10/14/2014 | 10:07:00 PM
Re: Cost of a breach
In many states, public companies that are breached have to pay for public notification of the event, then pay for every affected consumer to get credit services. Couldn't those charges be considered "de facto fines"?
User Rank: Apprentice
10/14/2014 | 9:29:04 PM
Cost of a breach
it is interesting that while we hear about the importance of compliance for regulations around protecting sensitive information, the cost of a breach does not seem to include any fines from the industry that are regulating the sensitive information. Maybe there are fines, but they pale in comparison to the other losses, but I am not aware of any fines being issued for any of the most recent breaches. I guess you are only fined when you fail an audit, but not when you are breached. 
User Rank: Moderator
10/14/2014 | 4:00:54 PM
Those malicious insiders...
 "The most expensive attacks are malicious insiders, denial of service, web-based attacks and malicious code. Malware attacks are most frequently encountered and, hence, represent a relatively low unit cost."

Malicious insiders still a key threat.  This definitely ties into the need for more practive controls including employee training, but also ensuring the right data policies are in place to make sure users only have access to what they should have access to based on role.  Additionally, ensuring that the right policies are in place to deal with removing users from access, and managing the right controls for third parties and contractors.
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
10/14/2014 | 3:55:09 PM
Re: Cost +
Those would definitely be interesting elements in the fallout analysis, @IMjustinkern. As we've seen, stock prices tend to rebound fairly well in some of the big retail companies. =)
User Rank: Strategist
10/14/2014 | 3:52:41 PM
Cost +
Ponemon always does a solid job with these surveys. Sobering but important to put financial figures behind this. I wonder if there's a way for future surveys to summarize "secondary" sources of fiscal damage? I'm thinking drops in stock value? Or something noting how many people were canned or resigned from a huge breach? I don't think these figures would be out of line in the "cost" side of a breach and would certainly catapult the impact.
<<   <   Page 2 / 2
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.