The cost and regularity of digital attacks against business continue to rise steadily, with no obvious end to the assault on the horizon.
The average cost of cybercrime to business, as reported by a sample population of 257 organizations, is $7.6m per year. Actual costs range from $500,000 to $61m per company — a rise of 10 percent rise on last year's survey. The 257 companies canvassed by HP said they had experienced 429 "discernible cyber attacks", which equates to 1.7 successful attacks per company per week, on average.
Some attacks are easier to perform (but less painful) than others: over a four-week period, virtually all organizations experienced attacks relating to viruses, worms and/or Trojans and malware. More than half — 59 percent — suffered botnet attacks, while just under half complained of stolen devices. Only 35 percent of companies reported that a malicious insider was the source of the cybercrime.
Types of cybercrime experienced by respondents, according to the HP/Ponemon Institute survey:
- Viruses, worms, Trojans: 98 percent
- Malware: 97 percent
- Botnets: 59 percent
- Web based attacks: 58 percent
- Phishing: 52 percent
- Malicious code: 51 percent
- Denial of service: 49 percent
- Stolen devices: 49 percent
- Malicious insiders: 35 percent
But those malicious insiders were also the most costly type of attack — costing $213,542 on average. Denial-of-service attacks cost $166,545, while web-based attacks cost $116,424 to clear up. Business disruption, followed by loss of data, and then revenue lost account for the vast majority — 94 percent — of the cost of a cyber attack.
The report is keen to point out that smart tools like intrusion prevention systems and network intelligence systems can help cut the cost of such attacks, but the reality is that cybercrime cannot be solved by hardware and software.
Until there is a realistic chance that cyber-attackers will be caught and punished (at the moment, most companies are lucky to even spot that they are under attack), there's little chance that the digital bombardment is likely to stop. That's unlikely to happen for a number of reasons.
First, firms are cagey about admitting they have suffered an attack: police in the UK have complained that businesses are reluctant to share information about cybercrime.
But the bigger problem is that, for now, many cybercriminals remain untouchable: most live far from the companies they are attacking, which means that police are unlikely to have any way of arresting them — even if they had the skills to discover the culprits in the first place. Around 85 percent of the cases dealt with by the European Cybercrime Centre involve Russian-speaking organised crime groups, for example, but getting cooperation across border is rarely straightforward.
Even worse, it's not just criminals and vandals trying to break in: intelligence agencies of all nations continue to be involved in digital espionage, which makes it harder for companies to protect themselves and for the authorities to deter them. Until law enforcement on the internet matches that in the real world, businesses will have to batten down the hatches and hope they can ride out the cybercrime wave.