In the battle between organizations and cyber criminals, the bad guys are winning. The financial consequences of hacks have again shot up by 23% this year, equaling the increase seen in 2016, according to new research.
Ponemon Institute conducted a benchmark study of 254 organizations, all with more than 1,000 “enterprise seats,” or direct connections to the entity’s network and enterprise systems. The results underscore the reality that cyber crime is a pervasive nemesis, far beyond the occasional mega-hacks — against Equifax, Target, Yahoo — that make big news.
The studied organizations suffered an average of 130 successful breaches (up from 102 reported in a similar study last year), resulting in a collective average cost hit of $11.7 million. U.S. companies reported the highest average annual cost, $21 million, while Australian firms had the lowest, $5.4 million, among the seven countries the study focused on.
Both the number of successful breaches and the dollar costs were annualized; the study looked at a 4-week period for each participant and extrapolated the results to a 52-week period. The measured costs included:
- The direct expense for accomplishing given activities.
- Indirect costs, such as the amount of time, effort, and other resources (other than cash) spent.
- The cost of lost business opportunities as a consequence of diminished reputation after an incident.
The reported cost total did not include expenditures and investments made to sustain the organization’s security posture or compliance with standards, policies, and regulations.
The study report, which was co-developed by Accenture, broke down the cost components in several ways. First, it measured the relative impact of various negative consequences of breaches. Information loss accounted for 43% of the total; next came business disruption (33%), revenue loss (21%), and equipment damage (3%).
Second, internal spending related to various categories of responses to breaches was led by outlays related to breach detection (35% of the total). That was followed by containment (21%), recovery (20%), investigation (11%), and incident management (8%).
And in a third categorization, production losses accounted for 31% of total costs; next were direct labor (26%), cash outlays (20%), indirect labor (17%), and overhead (6%).
Besides the United States and Australia, participating organizations also were based in France, Germany, Italy, Japan, and the United Kingdom.
By size of participating organizations, those in the fourth quartile (the largest ones) suffered an average $16.9 million in annual costs, while those in the first quartile (the smallest) were hit for $3.6 million.
By industry, financial services firms were worst off, with $18.3 million in annual costs. Next were utilities/energy, aerospace/defense, technology/software, and health care. On the other end of the spectrum, the lowest costs were in hospitality, education, life sciences, and communications organizations.
Meanwhile, 27% of participating organizations reported that they were targets of successful ransomware attacks this year, more than double the 13% recorded last year. But ransomware remained far less common than all of the other major categories of attacks, including malware, phishing, web-based attacks, malicious code, botnets, and malicious insiders.