Cybercrime is rising, particularly in the United States, pushing up the cost of fighting serious hackers by 19 percent. This increase is staggering, especially when compared to the worldwide average cost increase of 1.9 percent.
A recent study by the Ponemon Institute looked at large companies with more than 1,000 employees in seven countries—United States, Russia, Japan, France, Germany, Australia and Brazil.
U.S. companies reported spending anywhere from $1.9 million to $65 million per year to fight cybercrime, with the average cost coming to about $15 million (compared to an average cost of $7.7 million for businesses worldwide). It took an average of 1.5 months (46 days) to resolve breaches and related problems. Total costs generally ran higher for larger organizations, but smaller companies spent more per employee to battle breaches ($1,571 per seat vs. $667 per seat for bigger enterprises).
82 Percent Jump in Six Years
Over the past six years, costs associated with cybercrime have climbed in the U.S. more than 80 percent—another staggering number, especially when compared to the worldwide increase of 13.9 percent over the past 6 years.
Detection and recovery costs represent 55 percent of the total spending on cybercrime. About 42 percent of the costs are directly related to the information theft and another 36 percent of the total cost is for the disruption the attack causes to normal business operations.
The most damaging, and expensive, breaches are caused by denial-of-service attacks, malicious insider threats and introduction of malicious code, according to the study.
“With cyber attacks growing in both frequency and severity, understanding of the financial impact can help organizations determine the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.
“Findings show companies that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cybercrime costs that are lower than companies that have not implemented these practices,” Ponemon said. “Specifically, a sufficient budget can save an average of $2.8 million, employment of certified/expert security personnel can save $2.1 million and the appointment of a high-level security leader can reduce costs by $2 million.”
Gaps in Security
All of these large companies likely have strong security practices in place. So why are hacks and data breaches still taking place?
As new technology is introduced into a company’s framework, or new personnel are introduced into a company’s IT or security team, security protocols are not always updated. These gaps in security are a hacker’s way in.
Make sure your company:
- Has a full-time Chief Information Security Officer (CISO) in place whose only job is to ensure data security for your company
  - As technology evolves, so do cyber threats. Every day, there are new types of attacks. It is a full-time job to stay on top of what’s new and maintain proper security against all possibilities.
- Regularly updates security and encryption software
- Annually audits security procedures that are in place to ensure that
  - They are up-to-date
  - They are being followed
- Conducts background checks on all employees
- Has a business continuity plan in place
Use of outside vendors is often a huge gap in security. Company members who hire outside vendors often don’t communicate with company IT security and don’t consider possible security breach scenarios.
Remember the giant Target hack of 2013? Most don’t realize that the Target breach actually occurred when an employee of a small HVAC company opened a malware-laced email, allowing the HVAC company’s system to be hacked. It just so happened that this particular company was contracted with one of the Target stores and had remote access for a limited time solely for maintenance purposes. This allowed the hackers to worm their way into gathering more than 40 million debit and credit card numbers from Target’s point of sale (POS) system—they hit the jackpot.
Make sure your company:
- Thoroughly vets outside vendors, particularly those who will have access to data, such as data recovery vendors
  - Be sure your outside vendors at minimum follow the same security protocols as your company
  - A vetting process can take time. It is important to consider possible emergency situations that will require outside vendors, such as a data loss situation, and vet them prior to needing them
- Keeps a list of approved vendors and re-vets them at regular intervals, such as annually or every other year
- Has an internal process in place for introducing new vendors
  - Educate all employees on this process