Cybercrime Getting More Common and Costly
Cybercrime doesn’t pay. In fact, according to the “2013 Cost of Cybercrime Study: United States,” for larger companies in the U.S., the average annualized cost of fighting online bad guys is $11.56 million per year.
The study is the fourth edition of an annual report conducted by the Ponemon Institute, a data privacy and protection think tank, and sponsored by HP Enterprise Security. The researchers found that the average price tag for fighting cybercrime at 60 larger-sized U.S. organizations in various industry sectors ranged from $1.3 million to $58 million per year. “In general, what we’ve found over the last four years is the cost has increased pretty steadily,” Larry Ponemon, chairman and founder of the Ponemon Institute, told CorpCounsel.com. In the 2012 report, the average annualized cost of cybercrime was $8.9 million per year.
However, Ponemon explained, the actual costs of cybercrime could be much higher than the calculations in the study. “We’re only looking at the cost companies incur to respond and ultimately defend against cyberattacks,” he said. The report does not monetize the value of the information lost in attacks or the resulting damage to a company's reputation.
In addition to taking more out of companies' wallets, digital attacks appear to be growing in number as well, up 18 percent from last year's survey. The study indicated that the most costly attacks measured were denial of service, malicious insider, and web-based attacks, which together accounted for more than 55 percent of cybercrime costs per organization annually.
Ponemon said that a lot of companies are falling prey to increasingly sophisticated and targeted attacks, like “spear-phishing,” in which cybercriminals send personalized emails to employees of a company. These criminals may participate in "social engineering," the gathering of personal information about employees off social media pages, in order to better target them in a phishing attack or another type of cyberattack. Another expensive and increasingly prevalent kind of cybercrime is committed by malicious insiders colluding with cybercriminals outside the company: "They know what they want, they're not just going in and stealing everything they can get their hands on," said Ponemon.
Throughout all four years the institute has done cybercrime cost studies, certain industries have proven to spend the most on protection and response. Financial services companies are consistently shelling out a great deal of money for cybersecurity, Ponemon explained, because cybercriminals are often out to "generate some quick cash" and like to target financial information. Other sectors where security is costly are defense and pharmaceutical companies, or other areas that have valuable intellectual property. Retail, consumer products, and hospitality companies tend to spend somewhat less.
Companies can take away many lessons from the study—but one of the most important, Ponemon said, is that investments in cyberprotection upfront will pay off down the road when cybercrime strikes. “A strong security defense is the best way to reduce costs,” he said.
Then of course, Ponemon added, there is the human factor: Cybersecurity is not just a technology problem, but a people problem too, particularly when companies fail to educate their employees about security risks. “A lot of companies, they’ll talk a good game about what they do but they don’t train,” he said.