As hackers continue to evolve their methods, cyber attacks are becoming more frequent and more costly, according to the Ponemon Institute’s new 2012 Cost of Cyber Crime Study.
The 56 organizations studied experienced 102 successful cyber attacks per week — an average of 1.8 successful attacks per week for each company. That’s an increase of 44% compared to last year’s study — and double the rate of attack seen in 2010.
On average, the companies studied lost $8.9 million per year due to cyber crime, up from $8.4 million in 2011. One note: The study only included organizations with 1,000 or more users — smaller companies would likely have experienced fewer losses.
Many factors add to the costs of a cyber attack, the biggest being the loss of important information and disruption to business operations, as well as the costs of detecting and recovering from the attack.
Some attacks do more damage than others, though. Here are the nine costliest types of cyber attack, according to Ponemon:
- Malicious code (accounted for 26% of the total costs of cyber crime in the past year)
- Denial of services (20%)
- Web-based attacks (12%)
- Stolen devices (12%)
- Malicious insiders (8%)
- Phishing and social engineering (7%)
- Viruses, worms and trojans (7%)
- Botnets (4%)
- Malware (4%)
Some of the cyber attacks appeared low on that list because they occur less frequently, even though each incident is highly costly. For example, attacks from malicious insiders were the second most costly cyber attack per incident, causing an average of $166,251 in damage for each data breach.
How IT can lower the cost of cyber attacks
While it’s unlikely businesses will be able to avoid cyber attacks altogether, there are steps IT can take to lessen the cost of an attack. In addition to protecting against the most costly threats, one way to minimize the damage: Discover and resolve cyber attacks quickly.
On average, the cyber attacks studied cost companies $24,475 per day, so resolving issues sooner can save a lot of money. Monitoring network traffic can help IT find suspicious activity and prevent ongoing attacks that create a lot of damage.
The study also found that certain activities can reduce the cost of cyber attacks — but some strategies had more of an impact than others. These steps led to the biggest cost savings, according to Ponemon:
- Obtaining sufficient budgeted resources (organizations that did that saved an average of $2.1 million)
- Appointing a CISO or other high-level security officer ($1.8 million)
- Employing certified security personnel ($1.5 million)
- Using security metrics extensively ($940,000)
- Obtaining certifications based on industry-leading standards ($650,000)
- Forming a senior-level security council ($590,00)
- Conducting substantial security and awareness training ($100,000)
Similarly, some investments in IT security technologies paid off more than others. These were the tools that paid off the most for the businesses in the study:
- Security intelligence systems (average savings of $1.7 million)
- Access governance tools ($1.6 million)
- Enterprise governance, risk and compliance (GRC) tools ($1.4 million)
- Data loss prevention tools ($870,000)
- Encryption technologies ($850,000)
- Firewalls and perimeter controls ($650,000)
- Automated policy management tools ($350,000)