Monthly Archives: October 2015

Why are the bad guys winning? They have a two-month head start, new report finds

Bob Sullivan

Bad guys are so much more nimble than good guys that they have a two-month head start in most hacking situations, a new report has found. Meanwhile, software flaws that are even a decade old continue to be used to hack hundreds of thousands of computers, according to Kenna Security.

In the hacking world, a secret software flaw that can be exploited is known as a “zero-day” vulnerability. Known only to a select few, zero-day exploits give hackers the ability to break into machines at will, and much has been made of this alarming problem.

But even known vulnerabilities might as well be “zero day” flaws, suggest the findings of a report issued Tuesday by Kenna on what it calls the “Remediation Gap.” Kenna says it examined one billion breach events and came to this disturbing conclusion:

Most organizations require 100-120 days before fixing vulnerabilities; meanwhile, hackers exploit them within 40-60 days. That’s two months of free shots.

“The public has grown plenty familiar with a hacker seeking out a specialized target, such as Ashley Madison. But automated, non-targeted attacks still remain the most significant threat to businesses of all sizes,” said Karim Toubba, CEO of Kenna. “Every company has data that hackers want to get their hands on, but security teams remain one step behind their adversaries. Security teams need to move quickly to remediate critical vulnerabilities, but they don’t have the tools needed to keep pace with hackers.”

The report suggests that too much attention has been placed recently on targeted attacks, while old-fashioned “spray and pray” attacks remain many firms’ greatest threat.

“Of the organizations that Kenna has evaluated, 100 percent are susceptible to vulnerabilities – which correlate to at least one stable publicly available exploit,” the report says.

Kenna said it pulled its sample from a database of 10 million successful attacks per week, collected through AlienVault’s Open Threat Exchange, along with threat intelligence data from various partners, including Dell SecureWorks, Verisign, SANS ISC and US-CERT.

“By executing this approach, we were able to estimate the probability that a vulnerability might be exploited, as well as the sheer volume of attacks, based on the volume of attacks displayed by the aggregated data,” the report says.

Security professionals do a poor job of prioritizing which threats they remediate, and often fail to patch old flaws that are known to be popular among hackers in favor of top-of-mind flaws that have been recently announced, the firm argues.
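A defender-side illustration of the two points above: ranking vulnerabilities by observed exploitation in aggregated attack data rather than by novelty or headline severity, and measuring the remediation gap between first exploitation and the patch. This is an added example, not Kenna's model, code or data; the scoring weights, the `Vuln` fields, the helper names and every sample value are constructed assumptions.

```python
"""Exploit-volume-weighted vulnerability prioritisation and remediation-gap check.

Added illustration; the scoring weights and all sample data are constructed
assumptions, not Kenna's model or figures.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    vuln_id: str             # constructed label, not a real CVE identifier
    cvss: float              # base severity score, 0-10
    published: date          # public disclosure date
    observed_exploits: int   # successful exploits seen in the aggregated feed
    exploit_available: bool  # a stable public exploit exists


def exploit_probability(v: Vuln, total_events: int) -> float:
    """Share of all observed exploit events attributable to this vulnerability."""
    if total_events <= 0:
        return 0.0
    return v.observed_exploits / total_events


def priority_score(v: Vuln, total_events: int) -> float:
    """Observed exploitation dominates; a public exploit counts next; CVSS only
    breaks ties. Disclosure date is deliberately absent, so an old but actively
    exploited flaw outranks a new, unexploited one. Weights are assumptions."""
    return (0.7 * exploit_probability(v, total_events)
            + 0.2 * (1.0 if v.exploit_available else 0.0)
            + 0.1 * (v.cvss / 10.0))


def prioritise(vulns: list[Vuln]) -> list[tuple[str, float]]:
    """Return (vuln_id, score) pairs, most urgent first."""
    total = sum(v.observed_exploits for v in vulns)
    ranked = sorted(vulns, key=lambda v: priority_score(v, total), reverse=True)
    return [(v.vuln_id, round(priority_score(v, total), 4)) for v in ranked]


def remediation_gap(disclosed: date, first_exploit: date, patched: date) -> dict:
    """Days from disclosure to first observed exploitation and to the patch.
    'exposed_days' is how long the flaw was exploitable in the wild before the
    fix landed (0 if the patch preceded exploitation)."""
    exploit_days = (first_exploit - disclosed).days
    patch_days = (patched - disclosed).days
    return {
        "exploited_after_days": exploit_days,
        "patched_after_days": patch_days,
        "exposed_days": max(0, patch_days - exploit_days),
    }


# Constructed sample: one old, heavily exploited flaw; one new high-CVSS flaw
# with no exploitation seen; one mid-aged flaw with moderate exploitation.
SAMPLE = [
    Vuln("OLD-2003", 7.5, date(2003, 1, 25), 156_000, True),
    Vuln("NEW-2015", 9.8, date(2015, 9, 30), 0, False),
    Vuln("MID-2012", 5.0, date(2012, 6, 1), 20_000, True),
]

if __name__ == "__main__":
    for vid, score in prioritise(SAMPLE):
        print(f"{vid}: {score}")
    # Constructed timeline: exploited 50 days after disclosure, patched after 110.
    print(remediation_gap(date(2015, 1, 1), date(2015, 2, 20), date(2015, 4, 21)))
```

With the constructed sample the twelve-year-old flaw ranks first and the freshly announced CVSS 9.8 flaw last, which is the ordering the report argues for; the timeline call returns a 60-day exposure window, matching the gap between the 40-60 day exploitation figure and the 100-120 day patch figure quoted above.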

“One of the points we need to make is that the vulnerabilities in question are often very old, well-known weaknesses that simply haven’t been fixed yet. We’ve seen this over and over again as we evaluate the data,” the report says. “In many cases these vulnerabilities are not sexy, and they don’t hog the spotlight – but in many environments they actually represent major weaknesses.”

For example, Kenna spotted 156,000 exploitations of the Slammer worm executed during 2014. Slammer hit so many servers that it dramatically slowed down general Internet traffic – in 2003.

The report also finds that automated attacks are on the rise: Kenna says there have been over 1.2 billion successful exploits witnessed in 2015 to date, compared to 220 million successful exploits witnessed in 2013 and 2014 combined – an increase of 445 percent.

“Companies will continue to face the cold reality that throwing people at the problem is no longer sufficient for remediating vulnerabilities and combating the sheer volume of automated attacks,” Toubba said.

Cyber crime costs jump by 19 percent

Larry Ponemon

We are pleased to present the 2015 Cost of Cyber Crime Study: United States, the sixth annual study of US companies. Sponsored by Hewlett Packard Enterprise, this year’s study is based on a representative sample of 58 organizations in both the public and private sectors. While our research focused on organizations located in the United States, most are multinational corporations.

This is the fourth year Ponemon Institute has conducted cyber crime cost studies for companies in the United Kingdom, Germany, Australia and Japan and the second year for the Russian Federation. This year we added Brazil. The findings from this research are presented in separate reports.

The number of cyber attacks against US companies continues to grow in frequency and severity. Recent cyber attacks include Anthem Blue Cross and Blue Shield, United Airlines, Sabre Corp. and American Airlines. In the public sector, the Office of Personnel Management sustained an attack that resulted in the theft of information about more than 4.2 million current and former federal employees and attacks against the Internal Revenue Service resulted in the theft of personal information about more than 100,000 taxpayers.

While the companies represented in this research did not have cyber attacks as devastating as these were, they did experience incidents that were expensive to resolve and disruptive to their operations. For purposes of this study, we refer to cyber attacks as criminal activity conducted via the Internet. These attacks include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure.

Our goal is to quantify the economic impact of cyber attacks and observe cost trends over time. We believe a better understanding of the cost of cyber crime will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.

In our experience, a traditional survey approach does not capture the necessary details required to extrapolate cyber crime costs. Therefore, we conduct field-based research that involves interviewing senior-level personnel about their organizations’ actual cyber crime incidents.

Approximately 10 months of effort is required to recruit companies, build an activity-based cost model to analyze the data, collect source information and complete the analysis.

For consistency purposes, our benchmark sample consists of only larger-sized organizations (i.e., a minimum of approximately 1,000 enterprise seats). The study examines the total costs organizations incur when responding to cyber crime incidents. These include the costs to detect, recover, investigate and manage the incident response. Also covered are the costs that result in after-the-fact activities and efforts to contain additional costs from business disruption and the loss of customers. These costs do not include the plethora of expenditures and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations.

[Figure 1: cost of cyber crime chart]

Figure 1 presents the estimated average cost of cyber crime for the seven countries represented in this research. These figures are converted into US dollars for comparative purposes. As shown, there is significant variation in total cyber crime costs among participating companies in the benchmark samples. The US sample reports the highest total average cost at $15 million and the Russian Federation (RF) sample reports the lowest total average cost at $2.4 million.

Key findings:

Cyber crimes continue to be very costly for organizations. We found that the mean annualized cost for 58 benchmarked organizations is $15 million per year, with a range from $1.9 million to $65 million each year per company. Last year’s mean cost per benchmarked organization was $12.7 million. Thus, we observe a $2.7 million (19 percent) increase in mean value. The net increase over six years in the cost of cyber crime is 82 percent.

Cyber crime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, we determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,571 versus $667).

The cost of cyber crime increases for all industries. The average annualized cost of cyber crime appears to vary by industry segment, where organizations in financial services, energy & utilities and defense & aerospace experience a higher cost of cyber crime. Organizations in the consumer products and hospitality industries on average experience a much lower cost of cyber crime.

The most costly cyber crimes are those caused by denial of services, malicious insiders and malicious code. These account for more than 50 percent of all cyber crime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing solutions and enterprise GRC solutions.

Cyber attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e., modern day attacks).

The average time to resolve a cyber attack was 46 days, with an average cost to participating organizations of $1,988,554 during this 46-day period. This represents a 22 percent increase from last year’s estimated average cost of $1,593,627, which was based upon a 45-day resolution period. Results show that malicious insider attacks can take an average of approximately 63 days to contain.

Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. On an annualized basis, information theft accounts for 42 percent of total external costs. Costs associated with disruption to business or lost productivity account for 36 percent of external costs (up 4 percent from the six-year average).

Detection and recovery are the most costly internal activities. On an annualized basis, detection and recovery combined account for 55 percent of the total internal activity cost, with cash outlays and direct labor representing the majority of these costs. However, since 2013 this has declined from 40 percent to 36 percent in 2015. The application layer has increased in budget allocation from 15 percent in 2013 to 20 percent in 2015.

Deployment of security intelligence systems makes a difference. The cost of cyber crime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber attacks. As a result, these companies enjoyed an average cost savings of $3.7 million when compared to companies not deploying security intelligence technologies. Companies deploying security intelligence systems experienced a substantially higher ROI at 32 percent than all other technology categories presented. Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (27 percent) and advanced perimeter controls such as UTM, NGFW, IPS with reputation feeds (15 percent).

Deployment of enterprise security governance practices moderates the cost of cyber crime. Findings show companies that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber crime costs that are lower than companies that have not implemented these practices. Specifically, a sufficient budget can save an average of $2.8 million, employment of certified/expert security personnel can save $2.1 million and the appointment of a high-level security leader can reduce costs by $2 million.
