Canadian Underwriter

Cybercrime drains US$11.7 million per business annually, up 62% in five years, study finds

September 29, 2017   by Canadian Underwriter

Print this page Share

The average cost of cybercrime globally climbed to US$11.7 million per organization, a 23% increase from US$9.5 million reported in 2016, according to new research from Accenture and the Ponemon Institute.

The year-over-year increase also represents a “staggering” 62% increase in the last five years, global professional services company Accenture said in a press release earlier this week. Companies in the United States incurred the highest total average cost at US$21.22 million, while Germany experienced the most significant increase in total cybercrime costs – from US$7.84 million to US$11.5 million.

The Cost of Cyber Crime Study, now in its eighth year, surveyed 2,182 security and IT professionals in 254 organizations in seven countries – Australia, France, Germany, Italy, Japan, United Kingdom and the U.S. The study was conducted by the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, on behalf of Accenture.

The release noted that the study analyzes a variety of costs associated with cyberattacks to IT infrastructure, economic espionage, business disruption, ex-filtration of intellectual property and revenue losses. It represents the annualized cost of all cybercrime events and exploits experienced over a one-year period, including costs to detect, recover, investigate and manage the incident response. Also covered are costs that result in after-the-fact activities and efforts to contain additional expenses from business disruption and the loss of customers.

Key findings of the study include:

  • On average, a company suffers 130 breaches per year, a 27.4% increase over 2016 and almost double what it was five years ago. Breaches are defined as core network or enterprise system infiltrations;
  • Companies in the financial services and energy sectors are the worst hit, with an average annual cost of US$18.28 million and US$17.20 million, respectively;
  • The time to resolve issues is showing similar increases. Among the most time-consuming incidents are those involving malicious insiders, which take on average 50 days to mitigate, while ransomware takes an average of more than 23 days; and
  • Malware and web-based attacks are the two most costly attack types, with companies spending an average of US$2.4 million and US$2 million, respectively.

“The costly and devastating consequences businesses are suffering, as a result of cybercrime, highlights the growing importance of strategically planning and closely monitoring security investments,” said Kelly Bissell, managing director of Accenture Security, in the release. “As this research shows, making wise investments in innovation can certainly help make a significant difference when cybercriminals strike. Keeping pace with these more sophisticated and highly motivated attacks demands that organizations adopt a dynamic, nimble security strategy that builds resilience from the inside out – versus only focusing on the perimeter – with an industry-specific approach that protects the entire value chain, end-to-end.”

Of the nine security technologies evaluated in the study, the highest percentage spend was on advanced perimeter controls, yet companies deploying these security solutions only realized an operational cost savings of US$1 million associated with identifying and remediating cyberattacks, suggesting possible inefficiencies in the allocation of resources. Among the most effective categories in reducing losses from cybercrime are security intelligence systems, defined as tools that ingest intelligence from various sources that help companies identify and prioritize internal and external threats. They delivered substantial cost savings of US$2.8 million, higher than all other technology types included in the study, Accenture said in the release. Automation, orchestration and machine learning technologies were only deployed by 28% of organizations – the lowest of the technologies surveyed – yet provided the third highest cost savings for security technologies overall at US$2.2 million.

Researchers also considered four main impacts on organizations that suffered a cyberattack: business disruption, loss of information, loss of revenue and damage to equipment. The most damaging of those today is loss of information, mentioned by 43% of organizations represented in the study. In contrast, the cost of business disruption, such as business process failures following an attack, has decreased from 39% in 2015 to 33% in this year’s research.

“The foundation of a strong and effective security program is to identify and ‘harden’ the most-high value assets,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “While steady progress has been made in improving cyber defense, a better understanding of the cost of cybercrime could help businesses bridge the gap between their own vulnerabilities and the escalating creativity – and numbers – of threat actors.”

By country, Australia reported the lowest total average cost from a cyberattack at US$5.41 million, while the U.K. had the lowest change over the last year from US$7.21 million to US$8.74 million. Japan experienced a 22% increase in costs to US$10.45 million – the third highest increase of the countries in the survey.

Costs also vary considerably by type of cyberattack, Accenture reported. U.S. companies are spending more to resolve all types of cyber attacks, especially for malware and web-based attacks (US$3.82 million and US$3.40 million per incident, respectively). For companies in Germany and Australia, 23% of total annual cyber incident costs are due to malware attacks. In France, 20% of the total cybercrime annual costs are attributed to web-based attacks. Denial of service attacks account for 15% of total cybercrime annual costs in both Germany and the U.K.