The most recent Ponemon Institute research into security breaches found no magic bullet for solving a problem which is continuing to grow and continuing to get more expensive. But it did offer some key strategies both for better defence and for easier resolution when something does go wrong.
The researchers considered four main impacts on organisations which suffered a cyber crime attack: business disruptions, loss of information, loss of revenue and damage to equipment. The most damaging of those today is loss of information, mentioned by 39 per cent of those interviewed.
The research also highlighted the importance of treating security holistically. Having proper information management and data governance procedures and practises in place can dramatically reduce the cost of cyber breaches. On average an organisation can reduce the cost of a breach by $2m.
Information management processes can be strengthened and properly enforced by using some technologies like information access management and encryption. Despite the relative maturity of these practises researchers still found organisations not taking them seriously and not viewing them as part of their cyber security strategy. For instance over half of the companies surveyed were not using advance access management systems which could dramatically reduce the costs if a breach did happen.
But they also found business behaviour which can increase the risks and costs of being hit by cyber crime.
Certain types of business innovation – like acquisitions or taking on a major new partner can increase the average cost of cyber crime events by 20 per cent. Launching significant new customer-facing applications increases this by 18 per cent. This finding reinforces the need for best practise to ‘bake-in’ or design security from the very start of designing new applications or business processes.
Researchers also stressed that security concerns need not stop a company innovating. In fact a strong security profile allows safe innovation and can counter any inherent risk increased by offering new services or applications.
Proper use of application security controls was also found to reduce average cyber crime costs, an area ignored by many firms.
Ponemon researchers found that Security Information and Event Management strategies, although not widely used, can result in savings of almost $3m in the event of an attack. SIEM uses real-time monitoring of both systems and user behaviour to detect malware and the very early stages of an attack.
Global trends: US still tops costs league
Around the world the average cost of a cyber breach still varies widely from country to country. Average costs are highest in the US where a breach costs the organisation $17.36m. Australia had the lowest average in 2016 with a cost of $4.3m. The United Kingdom sits in the middle with average costs of $7.2m.
In every country but one average costs continue to go up every year.
Although Germany has seen a slight rise in costs to $7.84m this year it is still lower than a peak of $8.13m in the financial year 2014.
There were also differences in costs between companies.
Those with self-described high security profiles, included highly innovative firms, saw costs of breaches of $7.9m, while those with self-reported low security profiles had to pay $11.1m.
Types of attack, and types of victim
The size of organisation is also important. Organisations with less than the median number of seats, which ranged from 673 to 129,00, suffered more from malware, web-based and phishing or social engineering attacks. While larger firms were more likely to be hit by distributed denial of service attacks, malicious insider led attacks, malicious code and attackers exploiting lost or stolen devices.
Cyber attacks are also far more expensive for certain industries.
Unsurprisingly the favourite target is financial services firms, followed by utilities and energy providers and general technology firms. But researchers warned that sample size meant no definite conclusions could be drawn from this. Recent attacks have targeted specific vertical industries using tailored attacks – healthcare being the most recent victim.
The number of attacks has shown no sign of slowing down since the research began in 2012. in the financial year 2016 companies saw two successful attacks per week, up from 1.3 in 2012.
Phishing and social engineering attacks showed strongest growth – from 62 per cent to 70 per cent of organisations compared to last year. This could be linked to the growth of ransomware as a cyber crime tool.
Cost to fix, versus time to fix
Although average costs are clearly an important metric when looking at cyber crime incidents there are other ways the organisation is impacted. The time taken to resolve issues is showing similar increases to those of average costs.
The most time consuming incidents are those involving malicious insiders which, on average, take 51.5 days to sort out, down on last year.
Malicious code takes just under 50 days to fix. Even resolving issues relating to a stolen or lost device takes almost 14 days from discovery to resolution. While this provides a measurable cost metric it also hides an impact from time wasted by security staff and other managers.
Missing links: key security steps firms are failing to take
However the Ponemon study did offer some positives too. It found that 55 per cent of internal expenditure goes on detecting and recovering from breaches – an area where better recovery and detection systems could offer big savings.
It also found a lot of companies which did not have proper information governance strategies in place which could both reduce the likelihood of breaches happening and massively reduce the costs in the event that a breach did occur.
Wider use of governance, risk and compliance tools, of encryption and access management tools could all bring savings in the event of a breach.
Ponemon found only 25 per cent of companies were using automated policy management which would ensure the right rules and procedures are being followed.
Another blind spot identified by Ponemon researchers was around application security. Despite changing risks too many companies still focus on perimeter defence and protecting the network.
While most companies are using ever more applications, and updating them far more frequently, they are failing to properly protect them.
Only 30 per cent of those surveyed for instance conducted security testing throughout the development cycle. The ‘rush to release’ means many companies only test just before applications are launched.
Researchers could also see clear benefits from using Security Information and Event Management tools which provide real-time monitoring, user behaviour analytics and uses wider threat intelligence can help spot malicious insiders which are one of the toughest threats to find and take longest to fix once discovered. They can also highlight other suspicious activity and zero day attacks which can evade other detection systems.
The Ponemon Institute stressed that the numbers were descriptive rather than statistically perfect. But the numbers do provide a good insight into just how much a security failure costs a business in money and time. Damage to brand and reputation, time wasted by senior management and disruption both internally and externally are other factors to consider.
What is clear from the figures is that there are a number of areas where businesses could get a better return on investment than simply continuing with perimeter protection.
Taking a truly holistic view of security is now crucial. Equally organisations need systems in place to provide the intelligence to deal with threats which continue to change with bewildering rapidity.
Methodology: The Ponemon Institute study, sponsored by HPE, spoke to a representative sample of 237 organisations in six countries. The study has been carried out for the past seven years in the years and the last five years in Australia, Germany, Japan and the UK. The Institute carried out 1,278 interviews and assessed 465 attacks to measure costs to business. The full report is available as a pdf here.