A new report from the Ponemon Institute analyzing cyber-attacks against 45 companies found that the attacks cost the businesses an average of $3.8 million. That amount can be cut with good governance and strong leadership, according to the report.
A new report on the economic impact of cyber-crime found the average organization is paying a pretty penny, but that price can be cut through good governance.
According to the report, which was prepared by the Ponemon Institute and commissioned by ArcSight, the average cost of cyber-attacks at the 45 organizations that were analyzed was $3.8 million per year.
The study covered organizations with 500 or more seats, and was conducted
during a five-month period ending June 23. Among its findings: It took an
average of 14 days to resolve a cyber-attack, with an average cost of $17,696 a
day. Malicious insider attacks can take up to 42 days or more to resolve, the
report found. They are also the second most expensive incidents to handle,
costing an average of $100,300 a day. The most expensive are Web-based attacks,
which came in at $143,209 per day.
On an annualized basis, detection and recovery account for a combined 46 percent of the total internal activity cost, with labor representing the majority of the price tag. Ex-post response (i.e., after-the-fact response, or remediation) is the third most expensive piece at 19 percent. Nine percent is spent on the containment of the cyber-crime incident, representing the lowest internal activity cost, according to the report.
"The reason why some attacks differ in cost is the relative difficulty
in properly finding the attack [stealth] and ensuring that it is properly
fixed," said Larry Ponemon, chairman of the Ponemon Institute. "For
instance, malicious code issues are harder to find and resolve than botnets and
malware. Hence, more resources are expended fixing software versus
eliminating a virus with a known signature."
As in the past, the institute found that strong leadership at the time an
incident occurs can make the difference between wasted money and getting the
"Known governance practices in our paper refer to three activities: appointment of one senior level leader with overall responsibility for security; implementation of a strategic plan for security, data protection and privacy-related issues; and adherence to a rigorous objective standard such as ISO, NIST or others," Ponemon noted.