With a seemingly endless stream of breaches reported over the course of the past year, it should come as no surprise that costs associated with cyber-crime are on the rise. The annual Ponemon Institute 2015 Cost of Cyber Crime Study, sponsored by Hewlett-Packard, came out Oct. 6, reporting that in the United States the average annualized cost of cyber-crime is now $15 million, up 19 percent over the 2014 report.
The Cost of Cyber Crime Study also examined global costs, which are not as high on average as those in the U.S. For the 2015 study, the global average annualized cost of cyber-crime is $7.7 million for a 1.9 percent year-over-year increase. The global study methodology examined 252 companies across seven countries, with 1,928 attacks used to measure the total cost. Specifically in the U.S., the study looked at 58 companies, with 638 cyber-attacks used to measure the total cost.
"We were surprised by the consistent increase in the cost of cyber-crime over just one year in all countries," Larry Ponemon, chairman and founder of the Ponemon Institute, told eWEEK. "We believe this is due to the increased sophistication and stealth of cyber-attacks."
Ponemon added that what is happening is that instead of it getting easier for organizations to contain and remediate attacks, it is getting harder and is affecting the average cost. Additionally, he noted that there is also more sensitive and confidential information to protect and more disruptive technologies in the workforce.
"On a positive note, we are seeing steps companies can take to address the increase in cost such as deploying security intelligence systems and having internal security expertise," Ponemon said.
In terms of specific security technologies that can help organizations lower cyber-crime costs, Ponemon found that security information and event management (SIEM) use leads to an average cost savings of $3.7 million per year.
Looking at what drives up cost, Ponemon said one factor is the time it takes to resolve a cyber-attack. In the U.S., it now takes on average 46 days for an organization to remediate a cyber-attack, up by a day from the 45 days reported in 2014. Ponemon said that typically a cyber-crime will cost more the longer it takes to resolve. In the U.S., the average number of days to resolve an attack is 46, with an average per-day cost of $43,327.
"Certain attacks take longer to resolve and as a result are more costly," Ponemon said. "While malicious insiders and malicious code are less frequent than viruses, malware and botnets, we find that they take much longer to resolve."
For example, malicious code takes an average of 63 days to remediate, whereas malware can take about a week and viruses just a few days, he said.
"It is hard to predict what will drive the cost of cyber-crime in the future," Ponemon said. "However, we do believe health insurance companies are a target because of the rich personal and sensitive data they have."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.