New research conducted by the Ponemon Institute on behalf of technology giant Hewlett-Packard suggests that the financial liability increased approximately 56 percent during the past 12 months. Considering all the activity of late with respect to hack-attacks and other malicious cybersecurity incidents, this is a number worth noting.
The data suggests that the median annual cost of cybercrime was $5.9 million per company per year; the costs ranged from $1.5 million to $36.5 million per company depending on the severity of cyberattacks. That amount focuses specifically on recovery and detection activities, which suggests a need for businesses — indeed for organizations of all types — to continue automating prevention, protection and other security mitigation activities. Let’s be clear: some of that money is for solutions focused on detection; not all of it was spent on the cleanup. But the trend is clear: criminals and people who have nothing better to do with their time are costing your organization more money.
The biggest point to take away from the research may be the following: most organizations thwart cyberattacks every week. It is the successful ones that you read about. The study found that during a four-week period in the past year, organizations surveyed by Ponemon suffered 72 successful attacks per week. Considering that the benchmark group included 50 companies, that is one scary statistic.
The quicker a cyberattack is resolved, the better, although that doesn’t seem to happen all that often. The data found that the average time to resolve an attack was 18 days, which seems an utter lifetime in the Internet age. The average cost to resolve those attacks was $416,000, up from $250,000 in a similar study that Ponemon conducted on HP’s behalf one year ago.
Increasingly, the imperative for better security policy seems to be this: it is better to be proactive than reactive. That suggests businesses should be heightening their focus on policies that better ingrain security mindsets into the typical network administration discipline. Those two job functions are still much too separate.
The other factor that should receive more attention is the extent to which your organization might be able to automate not just detection, but the response to an incident. That way, attacks could be blocked earlier in the process, minimizing the potential damage. The downside to that strategy, of course, is that it could sap productivity by misinterpreting certain activity. Then again, who do you think is likely to be more sympathetic: an employee who was inconvenienced for a few hours on a weekend, or because his or her access controls weren’t correct, or a shareholder who is wondering why your organization is paying close to $6 million to patch up after a cyberattack?