Cybercrime Fight Costing Companies More This Year
"Cybercrimes can do serious harm to an organization's bottom line," said the study, which found that the median cost related to cybercrime to the 50 companies in the survey was $5.9 million.
Larry Ponemon, founder and chairman of the Traverse, Mich., company that bears his name, told PCWorld there have been several root causes for the bump up in the cost of cyber crime. "Sophisticated stealthy types of cyber crime are happening more frequently," he said.
When the study was done last year, he explained, more visible forms of cybercrime dominated the mix - viruses, worms, Trojans, malware and botnets. "Now we're seeing more insidious kinds of attacks like malicious code, denial of service, stolen devices, Web-based attacks and malicious insiders," he observed.
"Those are more costly to deal with," because it takes more time to clean them up, he said. Last year, when more conventional cybercrime tools dominated the landscape, it took an average of 14 days and $247,744 to clean up an attack. This year, with a jump in stealthy tactics, that average increased to 18 days, and the cost climbed to $417,748.
Stealth attacks are more difficult to clean up because they "move in quietly to position the attacker lower in the infrastructure and to be able to go after information in a longer term, strategic way," according to ArcSight Public Sector CTO Prescott Winter.
"They're more ingenious in how they launch the attack, which makes them harder to find once they launch it," Winter said.
It's also getting more difficult to defend against intruders, Ponemon noted. "Some of these intruders throw a one-two punch," he said. At the front door, there's a denial of service attack that consumes a defender's resources, he explained, but at the same time other attacks are launched on the defender's position - an insider threat, for instance, and proliferating botnet software.
"When you're getting attacked from two fronts, it's just harder to defend yourself," he said.
That's especially true for organizations who believe strong perimeter defenses alone will protect them, Winter contended. "There's no such thing as a bulletproof perimeter anymore," he said.
"It's absolutely guaranteed these days that the attacker will get in," he maintained. "So the strategy has to change from watching the outside wall to trying to figure out what's happening inside the network."
The study also discovered:
- The cost to smaller organizations of a cybercrime incident is higher on a per capita basis than to larger organizations.
- The number of attacks on the companies in the survey increased over last year by 44 percent, to 72 successful attacks per week.
- Forty percent of the external costs to an organization for cybercrime were attributed to data theft, a 2 percent dip from 2010, and 28 percent to business disruption and lost productivity, a 6 percent increase from last year.
- The biggest internal costs attributed to cybercrime were tagged to detection and recovery (45 percent).
- The cost of cybercrime can be moderated by the use of security information and event management systems. The outlay for dealing with a cybercrime incident for firms with those systems was 24 percent lower than for those without the systems, the study noted.