HP today released the 2013 Cost of Cyber Crime Study, sponsored by HP Enterprise Security Products and produced by the Ponemon Institute.
Many of the numbers are staggering:
- The average cost of a successful attack in 2013 is about $11.5 million, up over $5 million in the last four years
- Companies in the survey experience, on average, 2 successful attacks per week
- Incident cost increases with organizational size, but smaller organizations have a higher per-capita incident cost
- Denial of service, malicious code and web-based attacks account for more than 55 percent of costs.
- The industries with the highest annualized costs were Financial Services, Defense, and Energy and Utilities
While the numbers are significant and up across the world, they are notably larger in the United States and Germany. Possible reasons are the number of attractive targets in these countries as well as more complicated and expensive regulatory compliance costs.
On the subject of costs, the survey creates a framework of cost for cybercrime. Costs are either internal (detection, investigation and escalation, containment, recovery and ex-post response), or external (information loss or theft, business disruption, equipment damage, and revenue loss).
The survey indicates that companies which invest in certain preventative technologies, such as security intelligence systems and widespread use of encryption, have much lower average incident costs. Such companies still get attacked, and attacked successfully, but they more quickly detect, contain, and recover from the attack. As one would expect, the cost of the incident rises as the time to resolve the attack increases.
This survey is the fourth in a series conducted annually by Ponemon. This year's US sample involved 60 organizations with a minimum of 500 seats, but most were over 10,000, and the largest over 120,000.