Third annual study reconfirms security intelligence solutions mitigate impact, saving an average of $1.9 million annually per organisation
HP has unveiled the results from a third annual study conducted by the Ponemon Institute that documents the rising cost, frequency and time to resolve cyber-attacks in Australia.
Conducted by the Ponemon Institute and sponsored by HP Enterprise Security, the 2014 Cost of Cyber Crime Study1 found the average annual cost of cybercrime incurred by a benchmark sample of 30 organisations in Australia was $4.3 million, representing a 33 percent increase since the study was initiated three years ago.
According to the 2014 Cost of Cyber Crime Study, smaller organisations in Australia experienced a higher proportion of cybercrime costs relating to web-based attacks, malicious insiders, malware, viruses, worms, trojans and botnets. In contrast, larger organisations in Australia experienced a higher proportion of costs relating to denial of services, malicious code, phishing, social engineering and stolen devices.
Companies deploying security intelligence systems experienced a higher return on investment (ROI) at 23 percent, than all other technology categories. Advanced security intelligence tools such as Security Information and Event Management (SIEM) solutions, Intrusion Prevention Systems (IPS) with reputation feeds, network intelligence systems and big data analytics have helped companies detect and contain cyber-attacks to achieve a lower annual cost of cybercrime.
“Adversaries only need to be successful once to gain access to data, while businesses must be successful 100 percent of the time to stop the cascade of attacks their organisations face each day,” said Shane Bellos, general manager, Enterprise Security Products, HP Software, HP South Pacific. “No amount of investment can completely protect organisations from highly sophisticated cyber-attacks, but improving the organisation’s ability to disrupt the adversary at every step of the threat lifecycle will significantly improve attack containment and reduce the financial impact.”
Key findings from the 2014 Cost of Cyber Crime study include:
- Cybercrimes continue to be very costly: The average annual cost of cybercrime incurred was $4.3 million, with a range of $409,959 to $15.8 million; an increase of 8.4 percent over the average cost reported in 2013.
- Cybercrimes are intrusive and common: The 30 organisations from Australia in the study experienced 47 successful attacks per week, compared to 41 attacks per week when the study was initially conducted in 2012.
- Cybercrimes require more time to resolve: The average time to resolve a cyber-attack was 23 days, while the average cost incurred during this period was $276,323. Results show that malicious insider attacks take an average of 51 days to contain.
The most costly cybercrimes
- The most costly cybercrimes are those caused by denial of services, malicious insiders and malicious code. These account for more than 50 percent of all cybercrime costs per organisation on an annual basis.
- Business disruption continues to represent the highest external cost, followed by the costs associated with information loss. On an annual basis, business disruption accounts for 40 percent of total external costs (down 4 percent from last year), while costs associated with information and revenue loss account for 54 percent of external costs (the same as last year).
- Detection and recovery are the most costly internal activities. On an annual basis detection and recovery combined accounted for 53 percent of the total internal activity cost with productivity and direct labour representing the majority of these costs.
- Organisations in energy, utilities and financial services experience substantially higher cybercrime costs than organisations in hospitality, consumer products and retail.
Deployment of security intelligence solutions makes a difference
Organisations in Australia using security intelligence technologies were more efficient in detecting and containing cyber-attacks. For those having deployed a SIEM solution, the average cost savings were $1.9 million per year compared to companies not deploying security intelligence technologies. Organisations with technologies such as an Intrusion Prevention System (IPS) and Next-generation Firewall (NGFW) boasted a 21 percent ROI result.
“Executives should have a disaster recovery plan in place for IT breaches, just as they do for natural disasters,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Based on more than 2,000 interviews, the annual Cost of Cyber Crime research provides valuable insights into the costliness of different attacks to help businesses prepare the right protection and response strategies to minimise risk.”
In addition to the third annual study of organisations in Australia, Ponemon conducted cyber cost studies for organisations in France, Germany, Japan, the United Kingdom and the United States. A study of Russian companies was conducted for the first time this year. Of the countries surveyed, the U.S. sample reported the highest total average cost of cybercrime at $12.7 million, while the Russian sample reported the lowest, at $3.3 million. The global results are available in a separate report entitled, 2014 Global Report on the Cost of Cyber Crime.
Learn more about research findings
Findings from the 2014 Cost of Cyber Crime Study were presented via webcast. Details for the U.S. webinar can be found here and details for the APJ webinar can be found here.
Additional information about HP Enterprise Security Products is available at www.hpenterprisesecurity.com and HP Enterprise Security Services at www.hp.com/enterprise/security.
