Discover Performance

The Ponemon Institute finds that sophisticated adversaries continue to take a toll on global business. Is there a light at the end of the tunnel?

In the United States and around the world, companies just keep spending more to defend their organizations against cybercriminals. While dispiriting, this recent news from the Ponemon Institute’s 2014 Cost of Cyber Crime report isn’t much of a surprise for security professionals. In fact, with last year’s edition of the study, Institute Chairman Larry Ponemon said costs would rise for a good while to come. 

Ponemon’s research covered seven global regions: the United States, the UK, Japan, Australia, Germany, France, and the Russian Federation. While all regions experienced more crime and spent more on defense, U.S. companies spent a lot more. The average U.S. company spent $12.7 million in 2014, while second-place Germany spent only $8.13 million on average. Australian and Russian Federation companies spent less than $4 million annually on average.

Other key findings from around the globe:

• In the UK, Germany, and Japan, financial services organizations—not utilities—are the hardest hit financially.
• Across the board, Japanese companies resolve successful attacks more quickly than companies in other regions.
• Companies in the Russian Federation have the most equitable distribution of spending across six IT security layers.

The good fight

While it’s clear that cybercriminals are working harder than ever to infiltrate organizations, the good news is that the right tools can effectively combat the hackers:

• Organizations that have deployed a security information and event management (SIEM) system—one of the best tools in the security analyst’s toolbox—lower the cost to detect threats by nearly $2 million per year. And it also lowers the costs of recovery and containment by $1 million each.
• A strong security posture moderates the cost of cyber attacks. Ponemon tracked the cost savings for seven enabling security technologies, all of which saved companies money when fully deployed. The biggest saver was security intelligence, followed by access governance tools. Coming in third were advanced perimeter controls and firewalls. 
• Enterprise security governance practices save money as well. Companies that invest in governance best practices save about $1.7 million on average.

The criminals might be winning the battle—forcing us to spend more to keep them out—but the data shows companies that make the right investments are cultivating the tools to win the war. As Larry Ponemon told Discover Performance shortly before the report was released, “The only way to deal with the problems at hand is to be more and more aggressive on the prevention side.”

Preferential targets revealed

Naturally, cybercriminals favor some targets over others. Here are some key findings for the U.S. market, showing where cyber crime hits hardest:

• Industry matters—Energy and utility companies were the hardest hit by far in 2014, with $26.5 million spent on average. In contrast, consumer products, healthcare, and hospitality companies consistently spend the least on cyber crime defense.
• Big company, big target—Criminals tend to save their most clever techniques for large organizations. Smaller companies tend to get hit with web-based attacks, phishing, and social engineering, while larger companies are defending against malicious code and denial of service, which are more expensive to defend against.
• Insider attacks gaining favor—The cost to defend against attacks from malicious insiders (employees, contractors, and temps) rose $31,000 over the last five years.
• Lack of preparation is costly—The longer it takes to remediate a threat, the more costly it will be.

Rising defense costs are a symptom of the increasing prevalence and success of attacks. There were 138 cyber attacks per week among the U.S. companies surveyed in 2014, vs. 122 attacks per week in 2013. In the 2010 survey, only 50 attacks per week were reported. Clearly, cyber crime has become more persistent and organized. If there’s a bright spot, it’s that this is increasingly true of the good guys’ response, as well.

To see the data in detail, download the global and regional 2014 Cost of Cyber Crime reports (reg. req’d). You'll also find the reports, webinars, and more resources at our main Ponemon report page.