Average firms now pay about $8.9 million to detect, respond to and recover from cyber-attacks, an annual study finds.
The average annual cost of cybercrime jumped 6 percent to $8.9 million in 2012, driven up by denial-of-service, malicious insiders and attacks on Websites, according to an Oct. 8 study released by the Ponemon Institute.
Companies suffered a large number of incidents every week, averaging 1.8 successful attacks each week. Every firm surveyed suffered a virus, worm or trojan attack, while 97 percent had to deal with other malware and 71 percent encountered a computer that had been compromised to become part of a botnet. Information loss and business disruption accounted for the greatest damage suffered by companies.
Attacks have become both harder to detect and harder to clean up, said Larry Ponemon, chairman and founder of the Ponemon Institute.
"Stealth is definitely a factor, but they are also more complex," said Ponemon. "You think everything is cleaned up and then you find out the very next day that there is something still in your system."
The study, which was sponsored by Hewlett-Packard, also found that companies focused on security intelligence—focusing on detecting attacks early—reduced the costs of cybercrime the greatest, nearly $1.7 million on average. Technologies such as security information and event management (SIEM) and intrusion prevention systems were included in the category. Companies with access governance tools and systems required by compliance saved $1.6 million and $1.5 million, respectively. The savings were not additive, said Ponemon.
Moreover, there is no way to get damages to fall to zero.
"If you do all the right things, you are not going to be in a failsafe position," said Ponemon.
As in past years, detecting attacks and recovering from them were the most costly internal activities for companies responding to a cyber-attack. Resolving cyber-attacks early is the most important factor in cost, with the average cyber-attack taking 24 days to resolve in 2012, versus 18 days the previous year.
There are differences in costs depending on the company's nationality. While U.S. firms, at $8.9 million, suffered the most annual damage from cybercrime, German companies came in a distant second at $6 million and U.K. firms third at $5.2 million. There were also differences in which aspects of cybercrime costs figured most heavily: German companies paid the most for detecting cyber-attacks, while U.K. and Australian firms paid the most for recovery.
This was the first time the Ponemon Institute conducted the study in other nations. It surveyed firms in Australia, Germany, Japan and the United Kingdom.
Measuring the cost of cybercrime is a difficult, and controversial, endeavor. In a 2012 paper presented at the Workshop on the Economics of Information Security, a team of eight researchers from across academia and industry found that the cost cybercrime imposes on society is large compared with the amount spent on investigating and catching online criminals.
"We are extremely inefficient at fighting cybercrime; or to put it another way, cyber-crooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society," the report stated, concluding: "We should certainly spend an awful lot more on catching and punishing the perpetrators."