We are pleased to present the 2015 Cost of Cyber Crime Study: United States, the sixth annual study of US companies. Sponsored by Hewlett Packard Enterprise, this year’s study is based on a representative sample of 58 organizations in both the public and private sectors. While our research focused on organizations located in the United States, most are multinational corporations.
This is the fourth year Ponemon Institute has conducted cyber crime cost studies for companies in the United Kingdom, Germany, Australia and Japan and the second year for the Russian Federation. This year we added Brazil. The findings from this research are presented in separate reports.
The number of cyber attacks against US companies continues to grow in frequency and severity. Recent cyber attacks include those against Anthem Blue Cross and Blue Shield, United Airlines, Sabre Corp. and American Airlines. In the public sector, the Office of Personnel Management sustained an attack that resulted in the theft of information about more than 4.2 million current and former federal employees, and attacks against the Internal Revenue Service resulted in the theft of personal information about more than 100,000 taxpayers.
While the companies represented in this research did not have cyber attacks as devastating as these were, they did experience incidents that were expensive to resolve and disruptive to their operations. For purposes of this study, we refer to cyber attacks as criminal activity conducted via the Internet. These attacks include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure.
Our goal is to quantify the economic impact of cyber attacks and observe cost trends over time. We believe a better understanding of the cost of cyber crime will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.
In our experience, a traditional survey approach does not capture the necessary details required to extrapolate cyber crime costs. Therefore, we conduct field-based research that involves interviewing senior-level personnel about their organizations’ actual cyber crime incidents.
Approximately 10 months of effort is required to recruit companies, build an activity-based cost model to analyze the data, collect source information and complete the analysis.
For consistency purposes, our benchmark sample consists of only larger-sized organizations (i.e., a minimum of approximately 1,000 enterprise seats). The study examines the total costs organizations incur when responding to cyber crime incidents. These include the costs to detect, recover, investigate and manage the incident response. Also covered are the costs of after-the-fact activities and of efforts to contain additional costs from business disruption and the loss of customers. These costs do not include the plethora of expenditures and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations.
Figure 1 presents the estimated average cost of cyber crime for the seven countries represented in this research. These figures are converted into US dollars for comparative purposes. As shown, there is significant variation in total cyber crime costs among participating companies in the benchmark samples. The US sample reports the highest total average cost at $15 million and the Russian Federation (RF) sample reports the lowest total average cost at $2.4 million.
Cyber crimes continue to be very costly for organizations. We found that the mean annualized cost for 58 benchmarked organizations is $15 million per year, with a range from $1.9 million to $65 million each year per company. Last year’s mean cost per benchmarked organization was $12.7 million. Thus, we observe a $2.7 million (19 percent) increase in mean value. The net increase over six years in the cost of cyber crime is 82 percent.
Cyber crime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, we determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,571 versus $667).
The cost of cyber crime increases for all industries. The average annualized cost of cyber crime appears to vary by industry segment, where organizations in financial services, energy & utilities and defense & aerospace experience a higher cost of cyber crime. Organizations in the consumer products and hospitality industries on average experience a much lower cost of cyber crime.
The most costly cyber crimes are those caused by denial of services, malicious insiders and malicious code. These account for more than 50 percent of all cyber crime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing solutions and enterprise GRC solutions.
Cyber attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e., modern-day attacks).
The average time to resolve a cyber attack was 46 days, with an average cost to participating organizations of $1,988,554 during this 46-day period. This represents a 22 percent increase from last year’s estimated average cost of $1,593,627, which was based upon a 45-day resolution period. Results show that malicious insider attacks can take an average of approximately 63 days to contain.
Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. On an annualized basis, information theft accounts for 42 percent of total external costs. Costs associated with disruption to business or lost productivity account for 36 percent of external costs (up 4 percent from the six-year average).
Detection and recovery are the most costly internal activities. On an annualized basis, detection and recovery combined account for 55 percent of the total internal activity cost, with cash outlays and direct labor representing the majority of these costs.
Security budget allocation is shifting between layers. The share of the security budget allocated to the network layer has declined from 40 percent in 2013 to 36 percent in 2015, while the application layer has increased in budget allocation from 15 percent in 2013 to 20 percent in 2015.
Deployment of security intelligence systems makes a difference. The cost of cyber crime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber attacks. As a result, these companies enjoyed an average cost savings of $3.7 million when compared to companies not deploying security intelligence technologies.
Companies deploying security intelligence systems experienced a substantially higher ROI at 32 percent than all other technology categories presented. Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (27 percent) and advanced perimeter controls such as UTM, NGFW and IPS with reputation feeds (15 percent).
Deployment of enterprise security governance practices moderates the cost of cyber crime. Findings show companies that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber crime costs that are lower than companies that have not implemented these practices. Specifically, a sufficient budget can save an average of $2.8 million, employment of certified/expert security personnel can save $2.1 million and the appointment of a high-level security leader can reduce costs by $2 million.