Cyber-Crime Costs Continue to Rise: Study

The bad news is in: The cost of cyber-crime in 2013 is actually going up despite projections last year that it might level off in the future.

“The bad news is that companies across different industries are experiencing a fairly substantial cost of cyber-crime,” Larry Ponemon, chairman and founder of the Ponemon Institute told eWEEK.

According to the 2013 Cost of Cyber-Crime Study, conducted by the Ponemon Institute and sponsored by Hewlett-Packard, the annual cost of cyber-crime in the U.S. now stands at $11.56 million per organization. The 2013 figure is an increase of 26 percent from the $8.9 million Ponemon reported in 2012.

As to why costs are rising, Ponemon noted that a number of factors are at play. One of them is the fact that security professionals continue to command higher salaries. Fundamentally though, the higher costs are due to the increased frequency and complexity of more stealthy attacks hitting enterprises.

Helping to fuel the increase in cyber-crime costs is an increase in attack volume. U.S. organizations now suffer from an average of 122 attacks a week, a sharp increase from the 102 attacks per week reported for 2012.

Adding to the cost, as well, is the fact that it is now taking organizations more time to respond to attacks than in prior years. According to the 2013 report, it now takes 32 days on average to resolve a cyber-attack, up from 24 days in 2012. As to why the response time has gone up, Ponemon suspects that the root cause is increased attack complexity.

“Four years ago, malware was a problem, but it wasn’t the most sophisticated piece of software,” Ponemon said. “There are now more persistent and targeted attacks, and that is increasing the time it takes to recover.”

A longer response-recovery time, however, isn’t always necessarily a bad thing. There is a heightened sensitivity in the market now for legal and compliance issues, and as such, Ponemon suspects that some organizations might be taking more time just to make sure they are doing things properly.

“Costs are typically viewed as being negative for a company, but costs also reflect that companies are taking more steps,” Ponemon said. “We have noticed around discovery and detection that companies are incurring more cost because they are spending more time to do more thorough forensic analysis.”

Tools

Spending money on cyber-crime is also about investing in tools. Ponemon noted that security intelligence tools can be effective in helping reduce the cost of cyber-crime. On average, the study found that the return on investment (ROI) was 21 percent for organizations that use security intelligence tools.

Why has Ponemon’s view changed since 2012, when he said he expected that the cost of cyber-crime would begin to level off in the future?

“I was wrong, costs aren’t going to go down, they will keep going up for a time,” Ponemon said. “All the evidence suggests that cyber-attacks are growing in sophistication.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.