Cybercrime and the Bottom Line

Thursday, February 10, 2011 @ 05:02 AM gHale

By Bob Felton

Cybercrime costs mid- to large-size companies an average of almost $4 million per year, and in some cases has ranged up to more than $50 million in a single year, according to a just-released study from the Ponemon Institute.

Additionally, the study found, roughly 90% of the cost of cybercrime arises from just 3 causes: “Web attacks, malicious code and malicious insiders.” Further, though the typical attack is fully resolved within 14 days, an attack by a knowledgeable insider may keep cleaning crews busy for as long as 42 days.

Nor are cybercrime attacks freak events: The researchers found that “The benchmark sample of 45 organizations experienced 50 discernible and successful cyber attacks per week, which translates to more than one successful attack per company per week.”

By a decisive margin, the greatest cost experienced by cybercrime victims is related to data theft, comprising 42% of the total. Next comes business disruption at 22%, and equipment damage and lost revenue at 13% each.

The most common mode of attack is viruses and worms, comprising 21% of all successful attacks. Malicious insider attacks run a close second with 19% of attacks, followed by Web-based attacks, malicious code, phishing, botnets, and malware. Botnets, sophisticated rings of distributed computers whose owners might not even know of their participation and a favorite of organized crime, launch a mere 8% of successful attacks.

Any company with an online presence, or which uses the Internet for other business purposes, is susceptible to attack; the distribution of attacks was a surprise, however. The most frequent target? The defense sector, with annual company losses of more than $16 million. Energy runs a close second, with annual losses of $15.6 million, followed by financial services with annual losses of $12.4 million. Other industry sectors reported losses in the $5 million or less range.

The study upholds previous research in connection with defending systems against loss: The decisive difference is a security culture that embeds good practice throughout the organization.

The appointment of a CISO, the creation and rollout of an enterprise security strategy and adherence to a voluntary certification program (such as ISO) appear to lessen the total cost of cybercrime. Within the sample, 44 percent of companies have a fully dedicated information security leader or CISO. Forty-nine percent of companies have an enterprise strategy for information security, data protection, privacy and other related features. Forty-seven percent of companies voluntarily comply with a security certification body such as ISO, NIST or a comparable benchmark program.

Companies with a security culture exhibit losses due to cybercrime 24% less than companies without an embedded security culture.

Commenced in January of 2010, the Ponemon study aims to identify the actual cost of cybercrime and solicited participation from 311 companies; of those, 47 agreed to complete a questionnaire. Two companies were discarded from the final analysis because their corporate size fell below 500 employees; the final results are based upon questionnaires completed by 45 companies ranging in size from fewer than 2,000 employees to more than 25,000 employees. A white paper setting out the details of the methodology, and the complete results of the analysis, is available here.

Bob Felton is a freelance writer based in Wake Forest, NC.
