Study: Costs of cybercrime rise substantially

According to the results of a recent study sponsored by tech giant Hewlett-Packard (HP) and conducted by the Ponemon Institute, the costs of cybercrime inflicted upon U.S. organizations have increased by nearly 40 percent over the last three years, while the frequency of attacks has more than doubled.

The "2012 Cost of Cyber Crime Study," found that the average annualized cost of cybercrime incurred by a benchmark sample of U.S. companies was $8.9 million, a six percent increase over the average cost reported in 2011 and a 38 percent increase over 2010.

Information security consultant Kevin Beaver says he’s surprised that anyone is even able to put a dollar figure on losses from cyber intrusions given that many organizations don’t even know they’ve had a breach until it’s too late.

"From what I see, people don’t have clue when a breach occurred or if they have a breach, the level of analysis and due diligence isn’t really there," he said. "You cannot secure what you don’t acknowledge. I see so many organizations that have no real grasp of what’s really taking place in their environments and I suspect, based on what we see and hear in the media, the problem is a lot worse with security incidents that go undetected and unreported."

The study also found a 42 percent increase in the number of cyberattacks, with organizations experiencing an average of 102 successful attacks per week, compared to 72 per week in 2011 and 50 per week in 2010.

Given the state of the global economy and the increasing sophistication of cyberattacks, many of which are state-sponsored, Beaver said this type of increase is not unexpected. "There are a lot more bored people with nothing better to do than to get on and play around and mess around with people, but there are a lot more targeted attacks," he said.

Malicious code, denial of service, malevolent insiders, as well as stolen and hijacked devices accounted for more than 78 percent of annual cybercrime costs per organization. Information theft accounted for 44 percent of external costs, while business disruption or lost productivity accounted for 30 percent.

Beaver said that lost and stolen mobile devices are a huge problem for companies, many of which simply blow off the issue.

"The general assumption is 'well, we don’t need to worry about that because we don’t have anything of value on these devices.' That’s not true, there is stuff of value, there is email, VPN (virtual private network) connections, files and all sorts of things that the users and even IT don’t realize they’re saving and storing on these mobile devices. To me that’s the biggest area of weakness," Beaver said. "The other big area is probably malware infection and that’s definitely one of those areas where you don’t really know that you’ve been hit until it’s too late. I’ve worked on several projects where everything is going along fine and then these big companies are being told by their customers and business partners that something is wrong here and they drill down and see that they’re infected  with potentially thousands of computers that are under someone else’s control. We talk a lot of talk about security and we have all of these best practices and standards and frameworks and whatnot, but I still say that any given enterprise doesn’t really have a grasp on security like they need to."

The problem, as Beaver sees it, isn’t the basic information security practices that organizations are following today, but trying to become acclimated to all of the new technology that’s hitting the market.

"The general security principles that we live and breathe today haven’t really changed much. The threats have evolved a little bit, but the general security basics are still there," he explained. "What we’re faced with today are all these new technologies that we can’t seem to get our arms around, be it mobile, the cloud or all of the malware that’s infecting all of these complex operating systems that we’re using. That is the real problem and it all boils down to complexity. We have all of these systems, all of these databases, applications and operating systems. All of this stuff creates complexity and complexity is the enemy of security."

The time that it takes for an organization to determine that they’ve become a victim of a cybercrime can also be critical, as the report found that the average time to resolve a cyberattack is 24 days. However, it can take up to 50 days.

"A lot of people are not acknowledging that they have little to no logging, little to no system monitoring, little to no event correlation. People don’t have the information that they need so how can they be expected to make an informed decision?" asked Beaver "We’ve got to get our arms around some of these information security basics that we’ve all known about for decades. We’ve got to somehow put some controls within our reach and if we do that, I really think we can get this nonsense under control. Probably one of the biggest mistakes I see when it comes to all of this is a lot of businesses’ IT shops try to do it all. The people might not have the skills, time or the tools to do it well. I tell a lot of my client you have to outsource some of this work where you don’t have the core expertise."