By Ellen Fussell Policastro
How much money does your company spend on cyber crimes each year? Or a better question might be: How much do you need to spend, and how do you get that message across to management?
Larry Ponemon, head of Traverse City, MI-based Ponemon Institute, hosted a webinar Tuesday to help answer those questions with results of the 4th Annual Cost of Cyber Crime Study, sponsored by HP Enterprise Security.
While Ponemon also conducted a study of 234 companies from six participating countries (United States, United Kingdom, Australia, Germany, France and Japan), he focused on the separate U.S. study of 60 participating companies with a global footprint because “the U.S. spends more money on cyber crime.”
“Our purpose in conducting the study was to understand the economic impact cyber attacks have on organizations and compare trends over time,” Ponemon said. And let’s face it, “if you’re trying to communicate the need for investing in security to non-IT, C-level executives, you have to talk in terms of return on investment.”
The average annualized cost for cyber crime among the 60 U.S. companies is $11.6 million per year. “That’s $1.3 million on the low end and $58 million on the high end,” Ponemon said. In 2012, the average annualized cost was $8.9 million. “This represents a 26 percent increase or $2.6 million from our cost study last year. Is that a trend? It’s possible things are becoming worse because the bad guys are getting better,” he said. “They’re getting smarter and harder to detect — using tools that didn’t exist a couple of years ago.”
Just how rare is cyber crime? Based on empirical data, “it is not rare because most companies in our study experienced one or more successful cyber attacks,” he said. “It seems like sometimes organizations are just unlucky. They are hit by the bad guy du jour, who does damage that is more costly than other crimes,” he said. “Then there are the more persistent threats that stay in your system forever – like a persistent stomach ache.”
Data Reflects Ranges
The important thing to remember when looking at cyber-crime data is to think of it as a range of possibilities instead of a point estimate. “From a range of possibilities, we construct a confidence interval,” Ponemon said. For instance, “when you’re looking at costs by enterprise seat, it becomes more expensive as the organization grows. But it’s not perfectly linear, and looking at size alone doesn’t tell the whole story. When comparing smaller- and larger-sized companies, the cost mix for specific cyber attacks varies by organizational size. Larger companies experience a higher proportion of costs relating to malicious code, denial of service, malicious insiders and web-based attacks. Smaller companies actually experience a higher proportion of cyber crime related to viruses, worms, Trojans, phishing, stolen devices, malware, and botnets. So cyber crime is expensive irrespective of organizational size.”
Industries spending the most money start with defense, followed by energy/utilities and financial services.
When breaking down the types of crime organizations are dealing with, Ponemon said all 60 U.S. companies had at least one virus/worm/Trojan, and 97 percent had malware, followed by botnets, web-based attacks, denial of service, and malicious code.
Malicious Code Most Expensive
The most costly cyber crimes are those caused by malicious code, denial of service, and web-based attacks. Yet when looking at attack frequency, denial of service is the winner. To mitigate these attacks, companies need to invest in technologies such as security information and event management (SIEM), intrusion prevention systems, application security testing, and enterprise governance, risk management and compliance solutions.
The longer it takes to resolve an attack, the more costly it is. Malicious insider attacks took the longest to resolve (66 days), followed by malicious code, web-based attacks, denial of service, phishing, stolen devices, malware, viruses/worms/Trojans, and finally, botnets.
Nearly 45 percent of external losses include information loss, followed by business disruption, revenue loss, and equipment damages. “We’d also like to manage reputation and brand-impact loss,” Ponemon said. “Interestingly, other countries do not incur as much expense for business disruption. This could be in part the fact that ignorance is bliss. In the U.S. we have tools to let us know we’ve lost data.”
Technology Spending Helps
Most companies spend up to 40 percent of their security budget on the network layer, followed by the data layer at 17 percent and the application layer at 15 percent. But experts say companies should be looking more closely at the application layer.
Other costs in technology to avert cyber crime include costs for advanced perimeter controls, firewall technologies, next generation firewalls, security intelligence systems, unified threat management (UTM), and encryption.
Companies using security intelligence systems are saving the most – nearly $4 million per year. Others follow with use of access governance tools; enterprise deployment of governance, risk management, and compliance (GRC) tools; extensive use of data-loss prevention tools; advanced perimeter controls and firewall technologies; and extensive deployment of encryption technologies.
Ponemon warns that all research has its limitations and that the results may not apply to the population of all companies. “These are non-statistical results,” he said. “There are imperfections, but we still think the study is worth doing.” Getting an accurate ROI on security is “ridiculous because the bad guy is constantly changing. They’re probably doing other things that haven’t been invented yet. We did the calculus because we realized we still live in a world where CEOs like ROI,” he said. “We assumed the worst-case scenario, or the most conservative ROI. So some of these are grossly understated. Even with that in mind, we get an incredible ROI with intelligence tools at 21 percent.”
The bottom line is this: If you have a strong security posture, you end up with savings — even without technology. But you need both.