NEW YORK; Sept. 26, 2017 – Costly cyber attacks are having a significant and growing financial impact on businesses worldwide. According to new research published today by Accenture (NYSE: ACN) and the Ponemon Institute, in 2017 the average cost of cyber crime globally climbed to $11.7 million per organization, a 23 percent increase from $9.5 million reported in 2016, and represents a staggering 62 percent increase in the last five years. In comparison, companies in the United States incurred the highest total average cost at $21.22 million while Germany experienced the most significant increase in total cyber crime costs from $7.84 million to $11.15 million. This surge follows a recent string of infamous malware attacks including WannaCry and Petya, which cost several global firms hundreds of millions of dollars in lost revenues.
The "Cost of Cyber Crime Study" surveyed 2,182 security and IT professionals in 254 organizations worldwide and found that the number of cyber attacks has shown no sign of slowing down since the Ponemon Institute began the research in 2009. Key findings of the study include the following:
- On average, a company suffers 130 breaches per year, a 27.4 percent increase over 2016 and almost double what it was five years ago. Breaches are defined as core network or enterprise system infiltrations.
- Companies in the financial services and energy sectors are the worst hit, with an average annual cost of $18.28 million and $17.20 million respectively.
- The time to resolve issues is showing similar increases. Among the most time-consuming incidents are those involving malicious insiders, which take on average 50 days to mitigate while ransomware takes an average of more than 23 days.
- Malware and Web-based attacks are the two most costly attack types with companies spending an average of $2.4 million and $2 million respectively.
Of the nine security technologies evaluated, the highest percentage spend was on advanced perimeter controls, yet companies deploying these security solutions only realized an operational cost savings of $1 million associated with identifying and remediating cyber attacks, suggesting possible inefficiencies in the allocation of resources. Among the most effective categories in reducing losses from cyber crime are security intelligence systems, defined as tools that ingest intelligence from various sources that help companies identify and prioritize internal and external threats. They delivered substantial cost savings of $2.8 million, higher than all other technology types included in this study. Automation, orchestration and machine learning technologies were only deployed by 28 percent of organizations – the lowest of the technologies surveyed – yet provided the third highest cost savings for security technologies overall at $2.2 million.
Financial consequences of cyber attacks are surging
Researchers considered four main impacts on organizations that suffered a cyber attack: business disruption, loss of information, loss of revenue and damage to equipment. The most damaging of those today is loss of information, mentioned by 43 percent of organizations represented in the study. In contrast, the cost of business disruption, such as business process failures following an attack, has decreased from 39 percent in 2015 to 33 percent in this year’s research.
“The foundation of a strong and effective security program is to identify and ‘harden’ the most-high value assets,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “While steady progress has been made in improving cyber defense, a better understanding of the cost of cyber crime could help businesses bridge the gap between their own vulnerabilities and the escalating creativity – and numbers – of threat actors.”
Costs per organization vary widely by country and type of cyber attack
Australia reports the lowest total average cost from a cyber attack at $5.41 million, while the United Kingdom had the lowest change over the last year from $7.21 million to $8.74 million. Japan experienced a 22 percent increase in costs to $10.45 million – the third highest increase of the countries in the survey.
Costs also vary considerably by the type of cyber attack. U.S. companies are spending more to resolve all types of cyber attacks, especially for malware and Web-based attacks ($3.82 million and $3.40 million per incident, respectively). For companies in Germany and Australia, 23 percent of total annual cyber incident costs are due to malware attacks. In France, 20 percent of the total cyber crime annual costs are attributed to Web-based attacks. Denial of service attacks account for 15 percent of total cyber crime annual costs in both Germany and the United Kingdom.
Steps to improve effectiveness of cybersecurity efforts
By taking the following three steps, organizations can further improve the effectiveness of their cybersecurity efforts to fend off and reduce the impact of cyber crime:
- Build cybersecurity on a strong foundation: invest in the ‘brilliant basics’ such as security intelligence and advanced access management and yet recognize the need to innovate to stay ahead of hackers.
- Undertake extreme pressure testing: Organizations should not rely on compliance alone to enhance their security profile but undertake extreme pressure testing to identify vulnerabilities more rigorously than even the most highly motivated attacker.
- Invest in breakthrough innovation: Balance spend on new technologies, specifically analytics and artificial intelligence, to enhance program effectiveness and scale value.
The study, conducted by the Ponemon Institute on behalf of Accenture, analyzes a variety of costs associated with cyber attacks to IT infrastructure, economic espionage, business disruption, ex-filtration of intellectual property and revenue losses. Data was collected from 2,182 interviews conducted over a ten-month period from a benchmark sample of 254 organizations in seven countries - the US, United Kingdom, Australia, Germany, Japan, France and Italy. The study represents the annualized cost of all cyber crime events and exploits experienced over a one-year period. These include costs to detect, recover, investigate and manage the incident response. Also covered are costs that result in after-the-fact activities and efforts to contain additional expenses from business disruption and the loss of customers.
Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions – underpinned by the world’s largest delivery network – Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 411,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps clients protect their organization’s valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
+1 703 947 4404