The cost of cyberattacks continues to ratchet up in the U.S., with a ski slope of increases of about 20 percent year-over-year for the last six years, according to a new study out by Ponemon Institute. Sponsored by HP Enterprise Security, the 2015 Cost of Cyber Crime Study found that a benchmark sample of U.S. organizations experienced an average cost of cybercrime of $15 million.
“With cyberattacks growing in both frequency and severity, understanding of the financial impact can help organizations determine the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack,” says Dr. Larry Ponemon, chairman and founder of Ponemon Institute.
The study shows that since 2009, the average cost of cybercrime per organization per year increased by 82 percent. This year the range was anywhere between $1.9 million and $65 million each year per company. While annualized cost increases as organizational size increases, small organizations incur more than double the per-capita cost than large organization, experiencing $1,571 in costs per seat compared to a larger organization's $667 per seat.
The study found that the longer an attack remains unresolved, the more expensive it is to an organization. Currently the average attack remains uncontained for 46 days at a cost of $1.9 million for this typical attack.
Internally, the highest costs to an organization are for detection and recovery, accounting for 55 percent of internal activity costs incurred in both cash and labor. Meanwhile, information theft makes up 42 percent of external costs, followed by disruption to business, which makes up 36 percent.
Overall, the most expensive cybercrimes are the ones caused by denial-of-service attacks, malicious insiders and malicious code, which together make up 50 percent of all cybercrime costs.
"Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, applications security testing solutions and enterprise GRC solutions," Ponemon wrote in the report. For example, companies that used SIEM technology saved approximately $3.7 million compared to those that didn't.
Similarly, Ponemon reports that enterprise security governance practices will moderate the cost of cybercrime.
"Findings show companies that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber crime costs that are lower than companies that have not implemented these practices," Ponemon said. "Specifically, a sufficient budget can save an average of $2.8 million, employment of certified/expert security personnel can save $2.1 million and the appointment of a high-level security leader can reduce costs by $2 million."