As CIO you probably don’t break out the cost of cybercrime. Of course you tally security costs as part of the IT budget, but unless you have been hit by a large and readily apparent cyber attack the specific cost probably is not on your radar screen.
Cybercrime is a form of criminal activity using computers over the Internet—that’s where the cyber comes in. It includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary attacks, such as creating and distributing viruses and deploying malware on other computers, posting confidential business information on the Internet, or distributed denial of service (DDOS) attacks. Maybe the most apparent form of cybercrime is identity theft—apparent mainly because of numerous state laws and various government regulations addressing privacy and identity theft. But any organization that has been hit with a computer virus has experienced cybercrime.
This week HP published the latest research indicating that the cost and frequency of cybercrime have both continued to rise for the third straight year. According to this third annual study of U.S. companies, conducted by the Ponemon Institute, the occurrence of cyberattacks has more than doubled over a three-year period, while the financial impact has increased by nearly 40 percent.
A few weeks ago, IBM released its latest quarterly X-Force security report. Specifically, it found a sharp increase in browser-related exploits, renewed concerns around social media password security, and a continued disparity between mobile device security and corporate bring-your-own-device (BYOD) programs.
The HP/Ponemon report found the average annualized cost of cybercrime incurred by a benchmark sample of U.S. organizations was $8.9 million. This represents a 6% increase over the average cost reported in 2011, and a 38% increase over 2010. The 2012 study also revealed a 42% increase in the number of cyberattacks, with organizations experiencing an average of 102 successful attacks per week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010. The only positive news here is that the cost of the attacks is not increasing as fast as the number of attacks, but that is probably small consolation.
The most costly cybercrimes, HP noted, continue to be those caused by malicious code, denial of service, stolen or hijacked devices, and malevolent insiders. When combined, these account for more than 78% of annual cybercrime costs per organization. Maybe even more disturbing is that many of the losses resulted from careless behavior by employees (e.g., leaving a laptop on a taxi seat) or from poor employee relations, which motivate some of the malevolent insider attacks.
Cyber attacks can be costly if not resolved quickly, HP concluded. The average time to resolve a cyber attack is 24 days, but it can take up to 50 days according to this year’s study. The average cost incurred during this 24-day period was $591,780, up 42% over the previous year.
IBM’s X-Force also reported some disturbing new trends. For example, attackers continue to target specific individuals by directing them to a trusted URL or site that has been injected with malicious code. Then, through browser vulnerabilities, the attackers are able to install malware on the target system. Sadly, X-Force notes, the websites of many well-established and trustworthy organizations are still susceptible to these types of threats. Similarly, the growth of SQL injection, a technique used by attackers to access a database through a website, is keeping pace with the increased usage of cross-site scripting and directory traversal commands.
As computing penetrates into every aspect of business, the security threats are only going to increase. Traditional IT security—access controls, user authentication, firewalls, perimeter defense, and anti-virus tools—is simply not sufficient for the variety of threats companies are experiencing today, from socially engineered attacks to advanced persistent threats (APTs). For that reason, organizations need an ongoing security strategy that encompasses everything—GRC, data, applications, networks, systems, storage, mobile, cloud, social networks, and whatever else may come next—and then drives it all home through policy, repeated training, and insistence on accountability.