
Cost of cyber attacks up 62% in five years - report

03 Jul 18

Costly cyber attacks are having a significant and growing financial impact on businesses worldwide.

According to new research published by Accenture and the Ponemon Institute, in 2017 the average cost of cyber crime globally climbed to $11.7 million per organisation, a 23% increase from the $9.5 million reported in 2016 and a staggering 62% increase in the last five years.

In comparison, companies in the United States incurred the highest total average cost at $21.22 million while Germany experienced the most significant increase in total cyber crime costs from $7.84 million to $11.15 million.

This surge follows a recent string of infamous malware attacks including WannaCry and Petya, which cost several global firms hundreds of millions of dollars in lost revenues.

The Cost of Cyber Crime Study surveyed 2,182 security and IT professionals in 254 organisations worldwide and found that the number of cyber attacks has shown no sign of slowing down since the Ponemon Institute began the research in 2009.

Key findings of the study include:

  • On average, a company suffers 130 breaches per year, a 27.4% increase over 2016 and almost double what it was five years ago. Breaches are defined as core network or enterprise system infiltrations.
  • Companies in the financial services and energy sectors are the worst hit, with an average annual cost of $18.28 million and $17.20 million respectively.
  • The time to resolve issues is showing similar increases. Among the most time-consuming incidents are those involving malicious insiders, which take on average 50 days to mitigate while ransomware takes an average of more than 23 days.
  • Malware and Web-based attacks are the two most costly attack types with companies spending an average of $2.4 million and $2 million respectively.

“The costly and devastating consequences businesses are suffering, as a result of cyber crime, highlights the growing importance of strategically planning and closely monitoring security investments,” Accenture Security managing director Kelly Bissell says.

“Keeping pace with these more sophisticated and highly motivated attacks demands that organisations adopt a dynamic, nimble security strategy that builds resilience from the inside out – versus only focusing on the perimeter – with an industry-specific approach that protects the entire value chain, end-to-end.”

Security technology spending out of balance

Of the nine security technologies evaluated, the highest percentage spend was on advanced perimeter controls, yet companies deploying these security solutions only realised operational cost savings of $1 million associated with identifying and remediating cyber attacks, suggesting possible inefficiencies in the allocation of resources.

Among the most effective categories in reducing losses from cyber crime are security intelligence systems, defined as tools that ingest intelligence from various sources that help companies identify and prioritise internal and external threats.

They delivered substantial cost savings of $2.8 million, higher than all other technology types included in this study.

Automation, orchestration and machine learning technologies were only deployed by 28% of organisations – the lowest of the technologies surveyed – yet provided the third highest cost savings for security technologies overall at $2.2 million.

Financial consequences of cyber attacks are surging

Researchers considered four main impacts on organisations that suffered a cyber attack: business disruption, loss of information, loss of revenue and damage to equipment.

The most damaging of those today is loss of information, mentioned by 43% of organisations represented in the study.

In contrast, the cost of business disruption, such as business process failures following an attack, has decreased from 39% in 2015 to 33% in this year’s research.
 
“The foundation of a strong and effective security program is to identify and ‘harden’ the most high-value assets,” says Ponemon Institute chairman and founder Dr Larry Ponemon.

“While steady progress has been made in improving cyber defence, a better understanding of the cost of cyber crime could help businesses bridge the gap between their own vulnerabilities and the escalating creativity – and numbers – of threat actors.”  

Costs per organisation vary widely by country and type of cyber attack

Australia reports the lowest total average cost from a cyber attack at $5.41 million, while the United Kingdom had the lowest change over the last year from $7.21 million to $8.74 million.

Japan experienced a 22% increase in costs to $10.45 million – the third highest increase of the countries in the survey.

Costs also vary considerably by the type of cyber attack.

US companies are spending more to resolve all types of cyber attacks, especially for malware and Web-based attacks ($3.82 million and $3.40 million per incident, respectively).

For companies in Germany and Australia, 23% of total annual cyber incident costs are due to malware attacks.

In France, 20% of the total cyber crime annual costs are attributed to Web-based attacks.

Denial of service attacks accounted for 15% of total cyber crime annual costs in both Germany and the United Kingdom. 
