The frequency and cost of cyberattacks
What is the scale, nature and cost of cybercrime for businesses today? To address this question, security research firm The Ponemon Institute has conducted a series of 'Cost of Cyber Crime' surveys over the past four years, with the most recent 2013 study covering 234 organisations in six countries.
The Ponemon Institute's 2013 survey finds that the average annualised cost of cybercrime per organisation is $7.2 million (range $0.375m-$58m), which represents a 30 percent increase over the comparable 2012 figure. Data was generated from a 4-week period in which surveyed organisations saw an average of 1.4 successful cyberattacks per week — a 20 percent increase on the previous year's survey. There is considerable variation in cybercrime cost among the six countries represented, with the US taking the brunt of the financial hits:
What kinds of cyber attacks are involved in generating these costs? The Ponemon survey finds that denial of services (DoS) attacks account for the highest percentage of costs in both smaller (16%) and larger (22%) organisations. The biggest attack-type discrepancies based on organisation size are for viruses, worms and trojans, and phishing and social engineering (both 1.7x more prevalent in smaller organisations), malware (2.5x) and botnets (2.7x). Larger organisations' coffers, meanwhile, are hit hardest by DoS, malicious insiders and web-based attacks:
A wide range of industry sectors are represented in the 2013 Ponemon survey, which indicates that organisations in three areas — defence, financial services and utilities & energy — experience significantly above-average costs due to cybercrime. At the other end of the scale, the least affected sectors are retail, media and consumer products:
When you consider the value or significance of the assets 'on offer', so to speak, this pattern — which is consistent across the four years of Ponemon's cybercrime surveys — is not unexpected.
One of the most significant statistics in the Ponemon survey is the average number of days required to resolve different types of cyberattack, which ranges from 2.6 days for viruses, worms and trojans up to 53 days for malicious insider attacks:
As a result, although malicious insider attacks are the least frequent (suffered by 38% of organisations compared to 99% for malware), they are the most costly per attack ($154,453 compared to $491 for malware).
When it comes to the direct, indirect and opportunity costs of cybercrime, the number-one external cost is business disruption (downtime and unplanned outages that interfere with data processing), followed closely by information loss (loss or theft of sensitive and confidential information):
Turning to internal costs, the list is headed by detection (activities that allow the detection and possible deterrence of cyberattacks) and recovery (activities associated with restoring systems and core business process after a cyberattack):
The Ponemon Institute's report is just one of many cybercrime surveys released in 2013. Here are brief summaries of the main findings of some notable ones:
Internet Security Threat Report 2013
According to Symantec's annual Internet Security Threat Report, half of all targeted cyberattacks in 2012 were directed at businesses with less than 2,500 employees, the largest growth area being small businesses with less than 250 employees (31 percent of attacks). Smaller businesses make easier targets because they often have less effective defences than large enterprises — something that's also exploited in so-called watering hole attacks: here, a large enterprise is breached by infecting the website of a carefully-chosen smaller business and waiting for a visit from the ultimate target.
Other key trends noted were: the harvesting of personal information on selected individuals to create targeted attacks; a 58 percent increase in mobile malware over the previous year (mostly targeted at the Android platform); an increase in the number of exploitable zero-day vulnerabilities; and the suggestion that some apparent hacktivism attacks are actually fronts for nation states.
Looking forward, Symantec expects to see more state-sponsored cyberattacks; sophisticated cyberwar/espionage techniques trickling down to 'regular' cybercrime; social media becoming a major security battleground; more attacks on cloud service providers; increasingly vicious malware, such as ransomware; more mobile malware; and ever-more persistent and sophisticated phishing attacks.
2013 Trustwave Global Security Report
Trustwave's analysis of its 2012 data reveals that retail businesses bore the brunt of cyberattacks, accounting for 45 percent of its investigations. Web applications were the most popular attack vector (48%), while mobile malware saw a fourfold increase over 2011 (as did the amount of Android-targeted malware). Outsourced IT support — a potential source of security vulnerability — was present in 63 percent of Trustwave's investigations, while the average time from initial security breach to detection was 210 days. Patching rates for zero-day vulnerabilities were worst on the Linux platform, the average delay being nearly three years. Trustwave also found that some 10 percent of spam email (which still comprises around three-quarters of a typical organisation's inbound email) was malicious, and that half of the three million user passwords analysed were of bare-minimum strength.
2013 Information Security Breaches Survey
This survey, conducted by PwC on behalf of the UK's Department of Business, Innovation and Skills (BIS), noted a continuing increase in the number of security breaches, particularly in small businesses with less than 50 employees (87%, up from 76% the previous year). The median number of breaches in large businesses with over 250 employees was 113 (up from 71) and 17 for small businesses (up from 11), while the average cost of the year's worst breach was £450,000-£850,000 for large companies and £35,000-£65,000 for small companies. Outsiders caused the most breaches in large businesses (78% attacked, 39% hit by DoS attacks, 20% with network penetration, 14% aware of IP or confidential data theft), but small businesses are increasingly in the firing line too (63% attacked, 23% hit by DoS, 15% with network penetration, 9% suffering aware of IP or data theft). Staff are increasingly involved in security breaches, with 36 percent of the year's worst breaches caused inadvertently and 10 percent deliberately.
The PwC/BIS survey found that UK businesses generally give security a high or very high priority (81%) and that 10 percent of the IT budget is typically spent on security. However, 43 percent of large organisations provide no ongoing security awareness training for their staff and only 53 percent of companies are confident that they'll have sufficient security skills to manage risks over the next year.