Study shows corporations losing millions in each cyberattack

Thought-provoking results of a first-of-its-kind study released today by the Ponemon Institute, sponsored by cyberrisk management firm ArcSight, quantify how much cybercrime is costing companies.

The giant Black Hat cybersecurity conference and the always-edgy Def Con hackers' conference take place in Las Vegas this week. Good timing for these results.

Ponemon surveyed security pros in 45 U.S. organizations and concluded that cybercrime is having a material impact in the corporate arena. Over a four-week period, the 45 organizations experienced 50 successful attacks per week, or more than one successful attack per organization per week, and reported a median annual cost of $3.8 million per organization.

The smallest loss was $1 million; the biggest, nearly $52 million.

“Every corporation is vulnerable to thousands of cyber attacks that occur daily across all industries, causing information theft, disruption to business operations and serious financial loss,” said Dr. Larry Ponemon, founder and chairman of the Ponemon Institute.

Ponemon recommends that companies appoint a chief information security officer, or CISO, charge him or her with designing and implementing a security strategy, and invest in technologies to defend against complex threats. “Companies are able to reduce the financial impact of cybercrime,” he says.

The study also found:

  • The most costly cybercrimes are those caused by web attacks, malicious code and malicious insiders, which together account for more than 90% of all cybercrime costs per organization on an annual basis.
  • Cyberattacks took as long as 42 days or more to resolve, at an average cost to the organization of nearly $18,000 per day.

No silver bullet

Not surprisingly, the study also put a figure on how much organizations can save by buying and implementing so-called Security Information and Event Management, or SIEM, systems of the kind sold by ArcSight, CheckPoint, eIQ Networks, High Tower, Q1 Labs, NetIQ, Cisco and RSA.

Ponemon found that the participating companies that had deployed a SIEM system achieved a 24% cost savings when dealing with cyberattacks versus those that had not.

“Every organization should be concerned about cyber attacks and how much it will cost to manage and contain them,” says Tom Reilly, president and CEO of ArcSight. “However, cyber threats are constantly evolving and traditional signature-based perimeter security is no longer enough. We believe that delivering a comprehensive platform for Enterprise Threat and Risk Management (ETRM) will increase visibility across the enterprise and successfully mitigate exposure to the risks of modern-day cyber crime.”

Of course, no tech security vendor, when pressed, can truly defend the position that his or her particular product or system is a silver bullet that will prevent security breaches and data theft. Corporate networks are increasingly being probed from all quarters, not least via well-meaning employees using Facebook to network and be more productive, as LastWatchdog reported in this investigative report.

Defending against cyberattacks is a complex challenge, not least of which is sifting through all of the vendor hype, something that will reach a fever pitch in the Nevada desert this week.

Any senior manager who needs to figure out security should start with Jennifer Bayuk’s book, Enterprise Security for the Executive: Setting the Tone From The Top, in which the former Bear Stearns CISO explains why and how data loss risks should be measured, monitored and mitigated.

By Byron Acohido
