Paging the incident response team: It now takes a large organization an average of 31 days at a cost of $20,000 per day to clean up and remediate after a cyberattack, with the total price tag for a data breach now at nearly $640,000.
That's an increase of 23% over last year, says Larry Ponemon, chairman and founder of the Ponemon Institute, whose 2014 Global Report on the Cost of Cyber Crime, an annual look at what organizations end up paying after a breach, will be published tomorrow.
"The most surprising finding from this study was that it takes an average of 31 days to resolve a cyberattack, costing an average of $20,000 per day," says Ponemon, whose study was commissioned by HP. "It is alarming to know that an unwanted adversary could invade your system, causing costly and reputation-destroying damages without you even knowing it. The ability to remain under the radar enables the adversary to invade your system even further -- making it more difficult to eliminate the attack completely, and increasing overall costs."
Ponemon, which surveyed 257 large companies in seven countries, measured the costs of more than 1,700 attacks suffered by the firms. The average cost of an attack is $639,462, according to the report.
Sean Mason, global incident response leader at CSC, says it can cost up to $400 per hour for an IR for-hire team that's not on retainer, "especially if you're behind the eight ball and under the gun." IR firms already have fairly full caseloads, so it will cost you to "move up to the top of the queue."
Companies that have an IR firm on retainer will pay much less, Mason says.
The new Ponemon data underscores the importance of early detection and better preparation for breaches. IR experts have been preaching solid IR plans and fire drills as a way to ease the ultimate damage and cost of a breach. Marshall Heilman, a consultant with FireEye's Mandiant who investigates breaches for its clients, says ideally, the mean time to remediate from a breach should be less than one week. "How can you tell if your IR plan is working? If most organizations can get to under one week [to remediate], they're doing pretty well," he said at the MIRcon conference last week in Washington, DC.
By contrast, some large defense contractors can do so in 8-12 hours, he said. "That's awesome."
[Incident response pros share tips on how to have all your ducks in a row before the inevitable breach. Read How To Be A 'Compromise-Ready' Organization.]
The average cost of cybercrime per company in the US was $12.7 million this year, according to the Ponemon report, and US companies on average are hit with 122 successful attacks per year.
Globally, the mean annualized cost for the surveyed organizations was $7.6 million per year, ranging from $0.5 million to $61 million per company. Interestingly, small organizations have a higher per-capita cost than large ones ($1,601 versus $437), the report found.
Some industries incur higher costs in a breach than others, too. Energy and utility organizations incur the priciest attacks ($13.18 million), followed closely by financial services ($12.97 million). Healthcare incurs the fewest expenses ($1.38 million), the report says.
Malicious insider attacks cost the most for an organization ($213,542) and are the rarest form of attacks. DDoS attacks are a close second in cost ($166,545), according to the report. "The most expensive attacks are malicious insiders, denial of service, web-based attacks and malicious code. Malware attacks are most frequently encountered and, hence, represent a relatively low unit cost."
Mason says malicious insider attacks are likely more expensive because, unlike with most attacks, there's "a name and a face" associated with them. "Malicious insiders either took something or did something, and you put the weight of the company behind it, so it's going to incur a lot of costs."
Business disruption is the highest external cost, followed by information loss. Internally, detection is the priciest, the report says.
"Attackers only need one shot to gain access to an organization's data, which could result in a huge financial impact for the organization as well as reputational damage," Ponemon says. "It is critical for organizations to take preventative measures and invest in the security of their organization, as that investment could significantly decrease any financial losses that could occur from a public security breach."