Cybercrime Now Costs the Average U.S. Organization $15 Million Per Year


According to the results of the 2015 Ponemon Institute Cost of Cyber Crime Study, sponsored by HP Enterprise Security, the average annualized cost of cybercrime incurred by U.S. organizations is now $15 million.

That's a 20 percent increase over last year, and an 82 percent increase since the inception of the study six years ago.

The average time it takes to resolve a cyber attack has also increased to 46 days, a rise of almost 30 percent over the same six-year period.

The average cost incurred to resolve a single attack is now more than $1.9 million, a 22 percent increase from last year's average cost of approximately $1.5 million.

"As organizations increasingly invest in new technologies like mobile, cloud, and the Internet of Things, the attack surface for more sophisticated adversaries continues to expand," Sue Barsamian, senior vice president and general manager for enterprise security products at HP, said in a statement.

"To address this challenging dynamic, we must first understand the threats that pose the most risk and then prioritize the security strategies that can make a difference in minimizing the impact," Barsamian added.

The most costly cybercrimes, the study found, are caused by denial of service, malicious insiders, and malicious code. Information theft represents the highest external cost, followed by costs associated with business disruption.

Notably, the study also quantified how much specific investments in security technologies and personnel reduce these costs.

Deploying a security information and event management (SIEM) solution leads to an average cost savings of $3.7 million per year, and employment of certified/expert security personnel can save $2.1 million.

Lastline founder and chief architect Dr. Engin Kirda told eSecurity Planet by email that the findings of the study aren't surprising. "Many attacks are still successful as some of the current, modern defenses we have (e.g., sandboxing) have not yet become mainstream," he said. "Unfortunately, the attackers have adapted and evolved faster than the organisations they are targeting."

And STEALTHbits channel marketing manager Jeff Hill noted by email that the report highlights the direct relationship between the time taken to detect a breach and its overall cost. "The longer the attack is active and undetected, the higher the cost to the organization," he said. "And which attacks are most difficult to discover? Malicious insiders, which take, on average, over 54 days to resolve, timeframes that dwarf conventional threats like malware (less than 6 days)."

"Whether it be an actual disgruntled employee, or an external attacker compromising legitimate credentials, the most effective attacks -- and those most difficult to detect -- are the ones that abuse legitimate credentials," Hill added. "Detecting these 'authentication-based' attacks early is arguably the preeminent challenge facing security professionals today."

Earlier this year, the SANS 2015 Survey on Insider Threats found that 74 percent of IT security professionals are concerned about insider threats from negligent or malicious employees, and Vormetric's 2015 Insider Threat Report found that fully 93 percent of U.S. IT decision makers feel their organizations are somewhat or more vulnerable to insider threats.