Hackonomics: Cybercrime's cost to business

How much does getting hacked actually cost a business? Looking closely at the cyber black market's cost factors is worrying, but offers insight into keeping crime's cost low.
Written by Violet Blue, Contributor

They say "crime pays" -- but we can be certain the paychecks for cybercrime come right out of the pockets of every business with a digital footprint.

In March, Juniper Networks and RAND Corporation released Hackonomics: A First-of-Its-Kind Economic Analysis of the Cyber Black Markets; its conclusion that the "Cyber Black Market" is more profitable than the global illegal drug trade led us to examine the cost of the cyber black market on businesses.

Actual costs of cybercrime are much debated, and the dozens of threat reports issued in 2014 differ on the details. This is likely because companies have a hard time knowing what was stolen, among other complex issues that keep surveys, reports and studies from being accurate.

It may also have a bit to do with the fact that some of the companies issuing reports -- namely, ones that sell cybercrime prevention and detection software -- are stakeholders in cybercrime's reputation as a growth industry. 

One well-known example of fudging was the 2009 report by the Center for Strategic and International Studies, which estimated hacking costs to the global economy at $1 trillion. President Barack Obama, various intelligence officials and members of Congress have cited this number when pressing for legislation on cybercrime protection.

IBT said in 2013:

Turns out that number was a massive exaggeration by McAfee, a software security branch of Intel that works closely with the U.S. government at the local, state and federal level.

A new study by CSIS found numerous flaws in the methodology of the 2009 study and stated that a specific number would be much more difficult to calculate.

The 2014 CSIS report, again done in partnership with McAfee, produced numbers that varied so widely it raised an estimated one trillion eyebrows when it hit the press, though its $100 billion - $400 billion range was a fraction of the 2009 FUD sideshow.

How much does getting hacked actually cost a business?

Wading through the reports will introduce you to a frustrating range of guesstimates on "the cost of hacking" -- and different ideas of what that means, exactly.

Researcher Kelly White condensed 23 -- some, but not all -- of 2014's threat reports into one entertaining, graphic-heavy document entitled "Paper: The Best of The 2014 InfoSec Threat Reports."

However, the tightest recent report focused specifically on breach costs, and conducted independently rather than by a vendor's own marketing arm, was the Ponemon Institute's "2013 Cost of Data Breach: Global Analysis."

The global benchmark report was independently conducted for Symantec and sponsored by IBM; it included nine countries in its goal to nail down the cost of the average consolidated data breach.

The report found that U.S. organizations experienced the highest notification costs, the highest ex-post response costs and the highest lost-business costs of any country in the study.

Cost estimates and their differences can be attributed to a number of factors; the benchmark report identified four primary cost centers for businesses hit by a data breach: detection or discovery, escalation, notification and ex-post response.

Cost also depends on the types of attacks and threats companies face, which vary by sector; some sectors hold higher-value data than others, and breached companies face differing fines under data protection regulations and laws.


There are incident response costs, and costs associated with detection and escalation of data breach incidents, such as forensic and investigative work, assessments and audits, crisis team management, plus communications and reports to executive management and board of directors.

Then there are the notification costs -- alerting victims that their personal data has been compromised. This includes IT work associated with the creation of contact databases, determination of all regulatory requirements, engagement of services for consumer protection (such as identity theft services and credit report monitoring for individuals), postal expenditures, and the setting up of secondary contacts to handle mail or email bounce-backs and inbound communication.

Don't forget the lawyers. Or the redress costs, like replacing credit cards. Or the cost of lost business, which can include customer turnover, "increased customer acquisition activities, reputation losses and diminished goodwill."

The report adds: "Accordingly, our Institute's research shows that the negative publicity associated with a data breach incident causes reputation effects that may result in abnormal turnover or churn rates as well as a diminished rate for new customer acquisitions."

According to Symantec's 2014 report, 2011 saw 232 million identities exposed in data breach incidents -- this number more than doubled in 2013, with more than 552 million identities breached. Eight of the breaches in 2013 exposed more than 10 million identities each.

In "Cost of Data Breach" the average cost per compromised record rose from $130 to $136, with the report adding, "However, German and U.S. organizations on average experienced much higher costs at $199 and $188, respectively."

The report examined 277 companies in 16 industry sectors "after those companies experienced the loss or theft of protected personal data." The authors also caution:

It is important to note the costs presented in this research are not hypothetical but are from actual data loss incidents.

We do not include organizations that had data breaches in excess of 100,000 because they are not representative of most data breaches and to include them in the study would skew the results.

(...) The average cost of a data breach in our research does not apply to catastrophic or mega data breaches because these are not typical of the breaches most organizations experience.

The 2013 report notes that malicious or criminal attacks are the most costly data breach incidents, and "German companies were most likely to experience a malicious or criminal attack, followed by Australia and Japan."

Ponemon found that seven key factors impacted the cost of a company's data breach.

(Figure: data breach cost factors)

Ways to bleed out, a little less

The costs may sound alarming, and they are -- but in an environment where everyone's a target, the data shows that taking steps to reduce harm from potential breaches will save you in both costs and reputation damage.

Simply having an incident response plan in place, the report said, could reduce the cost by as much as $42 per record.

U.S. and U.K. companies showed a reduced cost in their data breaches when a CISO was in place. The study noted, "This factor did not have the same level of impact in India and Brazil."

Additionally, in the U.S., companies that hired consultants for incident triage, containment and response were able to reduce the cost "an average of $13 per compromised or exposed record."

According to Ponemon, a strong security posture has the potential to reduce costs in U.S. companies by as much as $34 per record. A strong security posture, at least in the benchmark study, meant a Security Effectiveness Score (SES) at or above the average.

If the data breach stemmed from third party errors, this was shown to increase the cost by as much as $43 per record in the U.S.; if the data breach involved lost, stolen or compromised hardware (such as laptops, phones or other devices) the cost was increased by as much as $10 per record.
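To make the arithmetic in the preceding paragraphs concrete, here is a small estimator added for this edit; it is not Ponemon's model or code. It takes the per-record figures quoted above and assumes, which the report does not state, that each adjustment simply adds to or subtracts from the country's base per-record cost. It also enforces the study's own scope note: the averages were built from breaches of at most 100,000 records, so the estimator refuses anything larger rather than extrapolating. Factor names, the scenario type and the sample scenario are all constructed for illustration.

```python
from dataclasses import dataclass

# Average cost per compromised record from the 2013 Cost of Data Breach study,
# as quoted in this article: the global average plus the two most expensive countries.
BASE_COST_PER_RECORD = {
    "global": 136.0,
    "DE": 199.0,
    "US": 188.0,
}

# Per-record adjustments quoted above. The article gives them for U.S.
# organizations only, so they are applied only to U.S. scenarios here.
# Negative values lower the cost, positive values raise it. Names are made up.
US_COST_FACTORS = {
    "incident_response_plan": -42.0,
    "consultants_for_response": -13.0,
    "strong_security_posture": -34.0,   # SES at or above the study average
    "third_party_error": 43.0,
    "lost_or_stolen_device": 10.0,
}

# Ponemon excluded breaches over 100,000 records; its averages do not apply to them.
MAX_RECORDS_FOR_AVERAGES = 100_000


@dataclass
class BreachScenario:
    """One hypothetical breach: record count, country code, applicable factors."""
    records: int
    country: str = "US"
    factors: tuple = ()


def per_record_cost(scenario: BreachScenario) -> float:
    """Base per-record cost for the country plus any applicable U.S. adjustments.

    Assumption (not from the report): adjustments are additive and independent.
    """
    if scenario.country not in BASE_COST_PER_RECORD:
        raise ValueError(f"no base figure for country {scenario.country!r}")
    if scenario.factors and scenario.country != "US":
        raise ValueError("adjustment figures are only available for U.S. organizations")
    cost = BASE_COST_PER_RECORD[scenario.country]
    for name in scenario.factors:
        if name not in US_COST_FACTORS:
            raise ValueError(f"unknown cost factor {name!r}")
        cost += US_COST_FACTORS[name]
    return max(cost, 0.0)  # stacked reductions cannot push the cost below zero


def estimate_total_cost(scenario: BreachScenario) -> float:
    """Total estimated cost, refusing mega-breaches the study's averages do not cover."""
    if scenario.records <= 0:
        raise ValueError("record count must be positive")
    if scenario.records > MAX_RECORDS_FOR_AVERAGES:
        raise ValueError(
            f"{scenario.records} records exceeds the {MAX_RECORDS_FOR_AVERAGES}-record "
            "ceiling of the study; its averages do not apply to mega-breaches"
        )
    return per_record_cost(scenario) * scenario.records


if __name__ == "__main__":
    # Constructed scenario: a 10,000-record U.S. breach with and without an IR plan.
    no_plan = BreachScenario(records=10_000)
    with_plan = BreachScenario(records=10_000, factors=("incident_response_plan",))
    print(f"no IR plan:   ${estimate_total_cost(no_plan):,.0f}")
    print(f"with IR plan: ${estimate_total_cost(with_plan):,.0f}")
```

Run it to compare the same breach with and without the mitigations. The point the numbers make is that an incident response plan and an above-average SES together remove roughly 40 percent of the U.S. per-record cost, while a single third-party error adds back more than either one saves; and for anything above 100,000 records the honest answer is that the study's averages say nothing.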

Seasoned hackers will read this analysis and think that what's here is obvious. But to slower-moving institutions and, regretfully, negligent gold-diggers like Yo App, a data breach feels like a nuclear blast; the essential advice to be gleaned from reports like Ponemon's is out of reach.
