by Marc Wilczek

Widespread cybercrime costs reaching $11.7 million on average per organization

Sep 28, 2017
CybercrimeData BreachIT Leadership

Overall, breaches have increased by 23 percent over the previous year, and demand a security approach that builds resilience from the inside out.

dark web hacker tablet malware
Credit: Thinkstock

Along with the proliferation of cybercrime, damages are reaching a new all-time high. Whether they’ve happened at Yahoo, Equifax or Deloitte, large-scale breaches are creating headlines at an unprecedented frequency. According to research from Accenture and the Ponemon Institute, in 2017 the average cost of cybercrime globally climbed to $11.7 million per organization. This equals a 23 percent increase from the $9.5 million reported in 2016, and a whopping 62 percent rise in the last five years. However, there are some major regional differences, with organizations in the United States suffering the highest total average at $21.22 million. Germany witnessed the most significant surge in total cybercrime costs, from $7.84 million to $11.15 million.

“The costly and devastating consequences businesses are suffering as a result of cybercrime highlights the growing importance of strategic planning and close monitoring of security investments. As this research shows, making wise investments in innovation can certainly help make a significant difference when cyber-criminals strike,” said Kelly Bissell, Managing Director of Accenture Security. “Keeping pace with these more sophisticated and highly motivated attacks demands that organizations adopt a dynamic, nimble security strategy that builds resilience from the inside out —  versus only focusing on the perimeter — and an industry-specific approach that protects the entire value chain, end-to-end.”

Breaches are on the rise everywhere

The average organization experiences 130 breaches per year, a 27.4 percent increase over 2016 and representing almost twice as many breaches as five years ago. Financial service firms and utility companies in particular are worst off in terms of their costs, with the average totaling $18.28 million and $17.20 million respectively. The mean time to resolve issues is displaying similar increases. Incidents related to malicious insider threats are among the most time-consuming ones, taking 50 days on average to mitigate. Ransomware-related threats take an average of more than 23 days to rectify. Malware and Web-based incidents are the two most costly ones, with organizations spending an average of $2.4 million and $2 million respectively.

Costs vary widely depending on country, extent and type of the attack

Organizations in Australia report the lowest total average cost from a cyber-attack, at $5.41 million. The United Kingdom, on the other hand, had the lowest increase compared to the previous year, at $8.74 million and $7.21 million respectively. Japan witnessed a 22 percent climb in costs, reaching $10.45 million — making it the third-highest cost increase among the countries in the survey.

Another crucial cost factor is the type of cyber-attack. For instance, organizations in the US are spending more to resolve all kinds of cyber-attacks, with malware and Web-based attacks being particularly expensive ($3.82 million and $3.40 million per incident, respectively). In Germany and Australia, 23 percent of total annual cyber-attack costs are attributed to malware. In France, 20 percent of the total cybercrime annual costs are caused by Web-based attacks. Incidents triggered by denial-of-service attacks account for 15 percent of total cybercrime annual costs in both Germany and the United Kingdom.

Security technology spending out of balance

As for the nine security technologies evaluated in the study, the highest relative spend was on advanced perimeter controls. However, organizations using these security solutions only garnered savings of $1 million associated with identifying and mitigating cyber-attacks, suggesting possible inefficiencies in the allocation of resources. Other technologies have been more powerful, with security intelligence systems being most effective in reducing losses from cybercrime. These tools ingest intelligence from numerous sources and help companies identify and prioritize their threat landscape both internally and externally. With $2.8 million in savings, intelligence systems ranked the highest among all technologies scrutinized in the study. Automation, orchestration and machine-learning technologies showed the lowest rates of adoption, with only 28 percent of organizations using them. Yet, they provided the third-highest cost savings for security technologies overall at $2.2 million.

Gaining cyber-resilience starts from within

Without diminishing the effectiveness of cyber-security solutions, it’s critical to keep in mind that they are only part of a wider-ranging framework. Cyber-threats are an inevitable reality that will only grow bigger as companies digitize their business and expose themselves to much greater dependency on the availability of technology. Just throwing money at the problem is not going to help; it takes more than that. To effectively mitigate risks and gain cyber-resilience, companies have to overcome organizational barriers, too. In fact, it takes focus, dedication, and a smart and forward-looking leadership team that makes security a cornerstone of their digital agenda. Only when security is deeply embedded into the DNA so companies stand a chance of turning into flourishing digital champions.