External Cyber Attacks Cost the Average Enterprise $3.5 Million a Year

According to the results of a recent survey of 591 IT and IT security practitioners, companies experience an average of more than one cyber attack per month, and incur annual costs of approximately $3.5 million as a result of those attacks.

The survey, sponsored by BrandProtect and conducted by the Ponemon Institute, also found that fully 79 percent of respondents said they lack comprehensive strategies to identify and mitigate those attacks — 38 percent described such strategies as non-existent, 23 percent called them ad hoc, and 18 percent said they’re inconsistently applied throughout the enterprise.

While 59 percent of respondents said the protection of intellectual property from external threats is essential or very important to the sustainability of their companies, 64 percent of security leaders said they lack the tools and resources required to monitor, 62 percent lack the tools and resources required to analyze and understand, and 68 percent lack the tools and resources required to mitigate external threats.

“The majority of security leaders understand that these external Internet threats imperil business continuity,” Ponemon Research Institute president Larry Ponemon said in a statement. “The study highlights a gap in defenses against threats that have proven to be extremely effective for cyber criminals and costly for enterprises.”

“As external threats explode in both frequency and sophistication, forward-leaning security teams are actively prioritizing external threat detection, intelligence and mitigation in their objectives,” BrandProtect CEO Roberto Drassinower said in a statement.

Key areas to focus on in gaining intelligence about external threats, according to respondents, include mobile app monitoring (62 percent), social engineering and organizational reconnaissance (61 percent), branded exploits (59 percent), spear-phishing infrastructure (58 percent), and executive and high value threats (54 percent).

A separate Mimecast survey of 436 IT experts at organizations in the U.S., U.K., South Africa and Australia found that 58 percent of respondents have seen an increase in untargeted phishing emails, 65 percent have seen an increase in targeted phishing emails, and 67 percent have seen a spike in whaling attacks.

Still, 64 percent of respondents have no cyber insurance, and 45 percent of companies with cyber insurance don’t know if their policy is up to date for covering new social engineering attacks.

“Cyber insurance uptake is growing quickly, but a lack of employee training on the latest email attacks is leaving organizations at great risk of breaking policy terms,” Mimecast director of security product management Steven Malone said in a statement.

“With the cybersecurity landscape constantly evolving, cyber insurers will have great difficulty keeping their coverage up to date,” Malone added. “A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats combined with appropriate technology fail-safes.”

A recent eSecurity Planet article offered advice on conducting internal penetration testing.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
