Hackonomics: Cybercrime's cost to business


Summary: How much does getting hacked actually cost a business? Looking closely at the cyber black market's cost factors is worrying, but offers insight into keeping crime's cost low.


They say "crime pays" -- but we can be certain the paychecks for cybercrime come right out of the pockets of every business with a digital footprint.

In March, Juniper Networks and RAND Corporation released Hackonomics: A First-of-Its-Kind Economic Analysis of the Cyber Black Markets; its conclusion that the "Cyber Black Market" is more profitable than the global illegal drug trade led us to examine the cost of the cyber black market on businesses.

Actual costs of cybercrime are much debated, and the dozens of threat reports issued in 2014 differ on the details. This is likely because companies have a hard time knowing what was stolen, among other complex issues that keep surveys, reports and studies from being accurate.

It may also have a bit to do with the fact that some of the companies issuing reports -- namely, ones that sell cybercrime prevention and detection software -- are stakeholders in cybercrime's reputation as a growth industry. 

One well-known example of fudging was the 2009 report from McAfee, which estimated hacking costs to the global economy at $1 trillion. President Barack Obama, various intelligence officials and members of Congress have cited this number when pressing for legislation on cybercrime protection.

IBT said in 2013:

Turns out that number was a massive exaggeration by McAfee, a software security branch of Intel that works closely with the U.S. government at the local, state and federal level.

A new study by CSIS found numerous flaws in the methodology of the 2009 study and stated that a specific number would be much more difficult to calculate.

The 2014 CSIS report, still done in partnership with McAfee, produced numbers that varied so widely it still raised an estimated one trillion eyebrows when it hit the press, though its $100 billion to $400 billion range was a fraction of the 2009 FUD sideshow.

How much does getting hacked actually cost a business?


Wading through the reports will introduce you to a frustrating range of guesstimates on "the cost of hacking" -- and different ideas of what that means, exactly.

Researcher Kelly White condensed 23 -- some, but not all -- of 2014's threat reports into one entertaining, graphic-heavy document entitled "Paper: The Best of The 2014 InfoSec Threat Reports."

The tightest recent report focused specifically on costs, and conducted independently of any single vendor, is the Ponemon Institute's "2013 Cost of Data Breach: Global Analysis."

The global benchmark report was conducted independently by Ponemon, with Symantec and IBM as sponsors; it drew on nine countries in its effort to pin down the average cost of a data breach.

The report found that U.S. organizations experienced the highest notification costs, the highest ex-post response costs and the highest lost-business costs associated with data breaches.

Cost estimates and their differences can be attributed to a number of factors; the benchmark report identified four primary cost centers for businesses hit by a data breach: Detection or discovery, escalation, notification and ex-post response.

Costs also vary with the types of attacks and threats companies face in different sectors -- some sectors hold higher-value data than others -- and with the fines breached companies face under data protection regulations and laws.


There are incident response costs, and costs associated with detection and escalation of data breach incidents, such as forensic and investigative work, assessments and audits, crisis team management, plus communications and reports to executive management and board of directors.

Then there are the notification costs -- alerting victims that their personal data has been compromised. This includes IT work associated with the creation of contact databases, determination of all regulatory requirements, engagement of services for consumer protection (such as identity theft services and credit report monitoring for individuals), postal expenditures, and the setting up of secondary contacts to mail or email bounce-backs and inbound communication.

Don't forget the lawyers. Or the redress costs, like replacing credit cards. Or the cost of lost business, which can include customer turnover, "increased customer acquisition activities, reputation losses and diminished goodwill."

As the report puts it: "Accordingly, our Institute's research shows that the negative publicity associated with a data breach incident causes reputation effects that may result in abnormal turnover or churn rates as well as a diminished rate for new customer acquisitions."

According to Symantec's 2014 report, 2011 saw 232 million identities exposed in data breach incidents -- this number more than doubled in 2013, with more than 552 million identities breached. Eight of the breaches in 2013 exposed more than 10 million identities each.

In "Cost of Data Breach" the average cost per compromised record rose from $130 to $136, though the report adds, "However, German and U.S. organizations on average experienced much higher costs at $199 and $188, respectively."

The report examined 277 companies in 16 industry sectors "after those companies experienced the loss or theft of protected personal data," and it is explicit about what its figures do and do not cover:

It is important to note the costs presented in this research are not hypothetical but are from actual data loss incidents.

We do not include organizations that had data breaches in excess of 100,000 because they are not representative of most data breaches and to include them in the study would skew the results.

(...) The average cost of a data breach in our research does not apply to catastrophic or mega data breaches because these are not typical of the breaches most organizations experience.

The 2013 report notes that malicious or criminal attacks are the most costly data breaches incidents, and "German companies were most likely to experience a malicious or criminal attack, followed by Australia and Japan."

Ponemon found that seven key factors impacted the cost of a company's data breach.

(Figure: data breach cost factors)

Ways to bleed out, a little less

The costs may sound alarming, and they are -- but in an environment where everyone's a target, the data shows that taking steps to reduce harm from potential breaches will save you in both costs and reputation damage.

Simply having an incident response plan in place, the report said, could reduce the cost by as much as $42 per record.


U.S. and U.K. companies showed a reduced cost in their data breaches when a CISO was in place. The study noted, "This factor did not have the same level of impact in India and Brazil."

Additionally, in the U.S., companies that hired consultants for incident triage, containment and response were able to reduce the cost "an average of $13 per compromised or exposed record."

According to Ponemon, a strong security posture has the potential to reduce costs in U.S. companies by as much as $34 per record. Security posture, at least in the benchmark study, was attributed to companies that had a Security Effectiveness Score (SES) at or above the average.

If the data breach stemmed from third party errors, this was shown to increase the cost by as much as $43 per record in the U.S.; if the data breach involved lost, stolen or compromised hardware (such as laptops, phones or other devices) the cost was increased by as much as $10 per record.

Seasoned hackers will read this analysis and think that what's here is obvious. But to slower-moving institutions and, regretfully, negligent gold-diggers like Yo App, a data breach feels like a nuclear blast; the essential advice to be gleaned from reports like Ponemon's is out of reach.


  • Two common Web application attacks illustrate security concerns

    Interesting to see how cybercrime is affecting the global economy; cybercrime is increasing and it's time organizations adopt stronger measures to check security breaches. Regular checks on security systems and a requirements analysis should be a part of the business plan to check these threats. I work with McGladrey and there's a whitepaper on our website that offers useful information on the common security concerns for businesses and ways to mitigate them. "Two common Web application attacks illustrate security concerns" @ http://mcgladrey.com/content/mcgladrey/en_US/what-we-do/services/risk-advisory/risk-bulletin/two-common-web-application-attacks-illustrate-security-concerns.html
    jamescage27
  • All the players are not at the table

    A very difficult cost to calculate is the loss of business from customers who never visit the cloud casino because of a well-founded fear of being robbed in the parking lot. Given the sophistication of hackers compared to their victims' IT rent-a-cops, and what is an ever more inescapable conclusion that internet businesses cannot protect their clients' data, the only viable solution for the average person who wants to protect himself is to avoid ever providing any information, especially financial access, to anyone doing business on the internet. The missing customers this rational paranoia keeps away are probably not insignificant. And the problem is only compounded by the self-serving Cassandra cries of the "security" industry warning us of the wolves at the door.
    geonque