Cyber-crime Costs Enterprises $3.8 Million a Year, Report Finds

A new report from the Ponemon Institute analyzing cyber- attacks against 45 companies cost the businesses an average of $3.8 million. That amount can be cut with good governance and strong leadership, according the report.

A new report on the economic impact of cyber-crime found the average organization is paying a pretty penny, but that price can be cut through good governance.

According to the report, which was prepared by the Ponemon Institute and commissioned by ArcSight, the average cost of cyber-attacks at the 45 organizations that were analyzed was $3.8 million per year.

The study covered organizations with 500 or more seats, and was conducted during a five-month period ending June 23. Among its findings: It took an average of 14 days to resolve a cyber-attack, with an average cost of $17,696 a day. Malicious insider attacks can take up to 42 days or more to resolve, the report found. They are also the second most expensive incidents to handle, costing an average of $100,300 a day. The most expensive are Web-based attacks, which came in at $143,209 per day.

On an annualized basis, detection and recovery account for a combined 46 percent of the total internal activity cost, with labor representing the majority of the price tag. Ex-post response (i.e., after the fact response, or remediation) is the third most expensive piece at 19 percent. Nine percent is spent on the containment of the cyber-crime incident, representing the lowest internal activity cost, according to the report.

"The reason why some attacks differ in cost is the relative difficulty in properly finding the attack [stealth] and ensuring that it is properly fixed," said Larry Ponemon, chairman of the Ponemon Institute. "For instance, malicious code issues are harder to find and resolve than botnets and malware. Hence, more resources are expended fixing software versus eliminating a virus with a known signature."

As in the past, the institute found that strong leadership at the time an incident occurs can make the difference between wasted money and getting the job done.

"Known governance practices in our paper refer to three activities: appointment of one senior level leader with overall responsibility for security; implementation of a strategic plan for security, data protection and privacy-related issues; and adherence to a rigorous objective standard such as ISO, NIST or others," Ponemon noted.