Cyber-Crime Costs Rise at U.S., Worldwide Companies

An HP-sponsored Ponemon Institute study finds that the average annualized cost of cyber-crime per organization in the United States was $12.7 million.

The cost of cyber-crime continues to rise in the United States and around the world, according to the 2014 Ponemon Institute study, sponsored by Hewlett-Packard.

According to the study, the annualized cost of cyber-crime per U.S. organization in 2014 is $12.7 million, a 9.3 percent increase from the 2013 rate. In contrast, the annualized cost of cyber-crime per global company now stands at $7.6 million, a 10.4 percent year-over-year increase.

The total cost of cyber-crime is calculated using an activity-based costing model. Larry Ponemon, chairman and founder of the Ponemon Institute, explained to eWEEK that to calculate the total global average cost of $7.6 million, his organization looked at the internal activities companies engage in to deal with a cyber-attack and the external consequences of the attack.

Ponemon noted that detection and recovery represent 53 percent of internal activities. Business disruption is an external consequence of an attack and represents 38 percent of the total external cost.

While costs are rising, that wasn't the most surprising finding, according to Ponemon. It was most surprising to see that it takes an average of 31 days to resolve a cyber-attack, costing an average of more than $20,000 per day.

"To know that an adversary could invade your system and make such a financial impact is alarming, and only seems to be happening more frequently," Ponemon said. "The ability for adversaries to remain under the radar means that they can invade your system even further, incurring more damage and making it more difficult to eliminate the attack completely."

The study also found an overall increase in the volume of cyber-attacks with an average of 138 attacks a week in 2014, up from an average of only 50 in 2010, when Ponemon first conducted the cost of cyber-crime study.

Over the course of 2014, the retail sector has been in the news with multiple reported breaches. Large retailers—including Target, Home Depot and Kmart—have all reported breaches over the last 12 months. Target has publicly disclosed that its breach-related costs are estimated at $148 million. Home Depot has estimated that its breach-related costs will come in at $62 million. The costs for the companies in the Ponemon report are somewhat different from what Target and Home Depot have publicly disclosed.

Ponemon said 9 percent of the 257 companies represented in the global report were in the retail sector.

"The average cost for these companies to deal with a cyber-attack was $3.3 million, but we notice rapid growth in this sector, especially in the U.S.," Ponemon said. "We anticipate this will continue in 2015."

From a technology perspective, those organizations that have deployed security intelligence tools were found to be more efficient at dealing with cyber-attacks. Those tools include the use of security information and event management (SIEM), intrusion prevention systems (IPSes) and big data analytics tools.

"The chief distinguishing characteristic of security intelligence systems is that they create visibility into what is happening with an organization's network and network traffic," Ponemon said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.