ArcSight and the Ponemon Institute announced the results of the First Annual Cost of Cyber Crime Study (registration required). Over a four-week period, the 45 organizations surveyed in the study experienced 50 successful attacks per week, or more than one successful attack per organization per week. This resulted in a median annualized cost of $3.8 million per organization per year, with costs for the complete benchmark sample ranging from $1 million to nearly $52 million.
The study focused on the direct, indirect and opportunity costs that resulted from loss or theft of information, disruption to business operations, revenue loss and destruction of property. These costs included what was spent on the detection, investigation, containment, recovery and post-act response.
Key findings of the study include:
- The most costly cyber crimes are those caused by web attacks, malicious code and malicious insiders, which account for more than 90% of all cyber crime costs per organization on an annual basis
- Cyber attacks can be costly if not resolved quickly. In the sample, malicious insider attacks took up to 42 days or more to resolve, with the average cost to an organization of nearly $18,000 per day
- Detection and recovery are the most costly internal activities. On an annualized basis, detection and recovery combined account for 46% of the total internal activity cost, with labor representing the majority of these costs
- Detection and recovery costs from cyber attacks can be mitigated by deploying enabling technologies such as SIEM and enterprise threat and risk management (ETRM) solutions. For example, participating companies that had deployed a SIEM system achieved a 24% cost savings when dealing with cyber attacks versus those that had not.
“Every corporation is vulnerable to thousands of cyber attacks that occur daily across all industries, causing information theft, disruption to business operations and serious financial loss,” said Dr. Larry Ponemon, founder and chairman of the Ponemon Institute. “Through actions such as the appointment of a chief information security officer (CISO), the rollout of an enterprise security strategy, and investments in technologies capable of addressing sophisticated threats and managing complex security events, companies are able to reduce the financial impact of cyber crime.”