OFFICE OF INFORMATION SECURITY NEWSLETTER
First Annual Cost of Cybercrime study: A benchmark for U.S. Companies & Govt. Agencies
This study, performed by the Ponemon Institute on 45 U.S. organizations ranging in size and function, found that cybercrime, in the form of Web attacks, malicious code and rogue insiders, costs each one of them $3.8 million per year, on average, and results in about one successful attack each week.
The study lasted seven months and included midsize and larger corporations, as well as various state and federal agencies. The number of employees ranged from about 500 in the smaller organizations up to about 105,000 in the larger corporations. The researchers interviewed IT security personnel; an example of such personnel is the Office of Information Security and the Information Security Officer we have here at the University of Texas at Brownsville.
Other IT staff interviewed at the organizations in this study included network and infrastructure personnel, forensic staff (if applicable), and upper management. All these groups were interviewed with the sole purpose of determining the costs of responding to and mitigating cybercrime attacks and infiltrations. The researchers from the Ponemon Institute spent about one month with each organization involved in the study.
Despite widespread awareness of the impact of cybercrime, cyber attacks continue to occur frequently and result in serious financial consequences for businesses and government institutions.
Key takeaways from this report include:
- Cyber crimes can do serious harm to an organization’s bottom line. The report found that the median annualized cost of cyber crime of the 45 organizations in our study is $3.8 million per year, but can range from $1 million to $52 million per year per company.
- Cyber attacks have become common occurrences. The companies in this study experienced 50 successful attacks per week and more than one successful attack per company per week.
- The most costly cyber crimes are those caused by web attacks, malicious code and malicious insiders, which account for more than 90 percent of all cyber crime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM and enterprise threat and risk management solutions.
The purpose of this benchmark study is obvious. First, the study set out to quantify the economic impact of a cyber attack. Second, the study holds that a better understanding of the cost of cyber crime will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the devastating consequences of an attack.
Cyber attacks generally refer to criminal activity conducted via the Internet. These attacks can include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure. Well-publicized cyber attacks have affected private and public sector organizations such as Google, TJX Companies, TD Ameritrade and Heartland Payment Systems. If only these companies could have gotten this memo before it was too late.
The most important job of the University of Texas at Brownsville, through the Office of Information Security, is the protection of information. Information loss represents the highest financial loss for all companies researched in this study. Think of a piece of paper with a Social Security number on it as a $100 bill. Would you just leave that piece of paper lying around for someone else to steal? Probably not. The same principle applies, and should apply, to all Information Resources here at the University at all times.
For a complete, in-depth look at this study and the research conducted by the Ponemon Institute on cybercrime and its financial impact on the private and public sectors, please visit http://www.arcsight.com/collateral/whitepapers/Ponemon_Cost_of_Cyber_Crime_study_2010.pdf