Cyber Attack Cost Rises Again For Breached Organisations

For companies that get breached by a cyber attack, the cost can be heavy and it is only getting worse, a study from the Ponemon Institute has suggested.

Looking across 234 companies in six countries that had experienced cyber crime, the average annualised cost for each organisation stood at $7.2 million (£4.5 million), although there was a range of $375,387 to $58 million. Nevertheless, this represented a sharp 30 percent jump from the same Ponemon study of last year.

The UK was below the average, with $4.72 million, compared to $11.56 million in the US and $7.56 million in Germany, according to the HP-sponsored report. This is the average amongst those who experienced attacks, not across all companies.

Cyber attacks costly

Malicious insiders appear to be causing the most trouble, with each event costing an average of $154,000.

That cost is calculated from a number of factors, from detection, investigation and containment to data loss, business disruption and equipment damage.

Each surveyed company was successfully penetrated by a cyber attack 1.4 times a week, whilst smaller businesses were seeing more cost per seat than larger organisations.

According to Dr Larry Ponemon (pictured), chairman and founder of the eponymous institute, one big problem is that IT teams are spending on the wrong technologies.

The research found the network received the most spend, even though security intelligence systems appeared to bring the biggest rewards. The application layer, which many agree is the most attacked, only receives an average of 16 percent of the security budget, compared to 35 percent on the network, the study suggested.

Those using security intelligence systems were said to enjoy average cost savings of nearly $2 million when compared to those who didn’t.

Ponemon thinks this dichotomy could be explained by laziness within IT teams. “There may be a mentality that if I don’t know about it, it’s not a problem,” he told TechWeekEurope. “People in security get locked into what they’re doing.”

He also admitted that carrying out such research was difficult, given many organisations don’t tell the truth when it comes to revealing the cost of cyber crime.

Ponemon was shocked to find one case where a company thought it had seen great benefits by reducing its number of infected endpoints from five percent to one percent. Just one infected machine is enough to cause businesses problems, he noted.

As for previous studies on cost, including a Detica claim that the cost of cyber crime to Britain was £27 billion and a McAfee assertion that the global cost was $1 trillion, Ponemon said he had no idea how they reached those high figures. Those studies appeared to be based on bad mathematics, he added.

The Ponemon study does not take into account all those organisations who do not see cyber attacks on their infrastructure.

Are you a security expert? Try our quiz!