Recently, one of our staff came across a posting on the ArcSight company website, entitled “First Annual Cost of Cyber Crime Study – Benchmark Study of U.S. Companies”. This study commissioned by ArcSight was conducted by the Ponemon Institute and its findings were released in July 2010.
The stated purpose of the study was “…to quantify the economic impact of a cyber-attack, and, to reach a better understanding of the cost of cybercrime in order to better assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the devastating consequences of an attack.”
This website has often referred its readers to similar information and stressed the risk management issue that cybersecurity and cybercrime continue to pose for organizations. With this update, our staff wants to send a strong message that cyber-crimes can do serious harm to an organization’s bottom line. And, with cybercrimes becoming a more common occurrence at both small and large enterprises, it is time to revisit this topic and make certain that our organization’s risk management team members read this benchmark study.
Some important findings revealed in this study state that:
- The median annualized cost of cyber-crime across the 45 organizations in the study is $3.8 million per year, but it ranges from $1 million to $52 million per year per company.
- The most costly cybercrimes are those caused by web attacks, malicious code and malicious insiders, which together account for more than 90 percent of all cybercrime costs per organization on an annual basis.
- Quick resolution is needed for today’s sophisticated attacks.
- The average cost to mitigate a cyber-attack for organizations with a high Security Effectiveness Score (SES) is substantially lower than for organizations with a low SES, and
- On an annualized basis, information theft accounts for 42 percent of total external costs. Costs associated with disruption to business or lost productivity account for 22 percent of external costs.
If applicable, please pass this information along to the information security, operational risk management, and network security compliance team members in your organization.