Have you ever wondered why network security testing is so vital? Maybe you think that having already spent a considerable sum on security precautions to prevent hacking, the cost of additional vulnerability assessments and penetration testing is a step too far. Whilst Krypsys’ security experts understand such concerns, we still believe that it always pays to be vigilant, even when such vigilance will ultimately cost. If you still feel the benefits may be outweighed by the costs, then you may wish to consider this: new research reveals that as cyber-attack techniques become more complex and mature, the cost, frequency and time to resolve cyber-attacks have risen for the fourth consecutive year, and on average rectifying a single successful cyber-attack can now cost in excess of $1 million (£600,000).
The research, conducted by the Ponemon Institute and sponsored by HP Enterprise Security Products, called the 2013 Cost of Cyber Crime Study, comes up with some alarming figures. The average annualised cost of cybercrime incurred by a benchmark sample of US organisations was $11.56 million, with a range of $1.3 million to $58 million. That figure represents a 78 per cent increase on the initial 2010 study, and an increase of 26 per cent, or $2.6 million, on the average cost reported in 2012.
So where are these extra costs incurred? Well, part of the additional cost is attributable to the time taken to resolve a cyber-attack: threats have become more complicated and far more sophisticated so resolution times have increased by 130 per cent during this same period. The average time to resolve a cyber-attack is now 32 days, with an average cost incurred during the resolution period of $1,035,769, or $32,469 per day – which represents a 55 per cent increase over 2012’s estimated average cost of $591,780 for a 24-day period.
Overall, the organisations polled experienced an average of 122 successful attacks per week (up from 102 attacks per week in 2012). Cybercrime cost varies by company size, but smaller organisations were shown to incur a significantly higher per-capita cost than larger organisations. The organisations most likely to suffer cyber-attacks were located in financial services and defence; however, energy and utility companies were also at risk and suffered more than their counterparts in retail and hospitality.
Naturally, not all cyber-attacks are equally costly. The report found that the most costly cybercrimes were caused by denial-of-service, malicious-insider and web-based attacks, which together accounted for more than 55 per cent of all cybercrime costs per organisation on an annual basis.
Information theft has also continued to rise and is costing businesses dearly, with business disruption coming a close second. Annually, information loss accounts for 43 per cent of total external costs; business disruption or lost productivity accounts for 36 per cent of external costs, an increase of 18 per cent on 2012. However, recovery and detection are the most costly internal activities. During the last 12 months, recovery and detection accounted for 49 per cent of the total internal activity cost, through cash outlays and labour.
According to Frank Mong, vice president and general manager for solutions at the HP Enterprise Security Products division, business and enterprise should be extremely concerned by the latest findings, and should be investigating and investing in ways to reduce the threat of attack. Speaking to InfoSecurity, he commented:
“The threat landscape continues to evolve as cyber-attacks grow in sophistication, frequency and financial impact. For the fourth consecutive year, we have seen the cost-savings that intelligent security tools and governance practices can bring to organisations.”
As attacks become more sophisticated and co-ordinated and adversaries share intelligence in order to obtain sensitive data and disrupt critical enterprise functions, the need for more advanced protections, like security information and event management (SIEM), network intelligence systems and big data analytics has become more urgent. The research found that organisations using security intelligence technologies were more efficient in detecting and containing cyber-attacks, experiencing an average cost savings of nearly $4 million per year, and a 21 per cent return on investment (ROI) over other technology categories. Also, deploying enterprise security governance practices, like investing in adequate resources, appointing a high-level security leader and employing certified or expert staff, can reduce cybercrime costs and enable organisations to save an estimated average of $1.5 million per year.
“Information is a powerful weapon in an organisation’s cyber-security arsenal,” argued Larry Ponemon, chairman and founder at the Ponemon Institute. “Based on real-world experiences and in-depth interviews with more than 1,000 security professionals around the globe, the Cost of Cyber Crime research provides valuable insights into the causes and costs of cyber-attacks. The research is designed to help organisations make the most cost-effective decisions possible in minimizing the greatest risks to their companies.”
KRYPSYS services are focused on helping your company assess its security posture against current and evolving security threats and advising you on the risks to which it is exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in a business’ IT security strategy and to assist in streamlining and prioritising its risk management spending.
If you would like to find out how these solutions could help you protect your business from cyber-attacks and optimise your web applications, please contact Krypsys on 0845 474 3031.