The Cost of Cybercrime

Cybercrime is a common and pervasive problem for many organizations, but how much can it actually cost a company in dollars and cents?

Based on a survey of 45 different companies, the “Annual Cost of Cyber Crime Study” discovered that cybercrime cost an average of $3.8 million per organization per year. That number was driven by more than one successful cyberattack each week.

Sponsored by security vendor ArcSight and conducted by the Ponemon Institute (News - Alert), the survey attempted to uncover the financial impact of cybercrime by documenting the amount of money, time, and resources expended to prevent or deal with cyberattacks. The survey defined cybercrime as any type of criminal activity conducted over the Internet and can include stealing a company’s intellectual property, tapping into online bank accounts, deploying viruses and malware on a company’s computers, posting confidential information about a business on the Internet, and disrupting a country’s critical national infrastructure.

The data protection and IT security pros interviewed at the 45 different organizations collectively reported 50 successful cyberattacks per week, slightly more than one per company. Dealing with those attacks resulted in an average annual cost of $3.8 million per organization, with costs for the entire sample ranging from $1 million to almost $52 million.

Based on the interview, the survey uncovered several significant points. The most expensive cybercrimes are ones caused by web attacks, malicious code, and malicious insiders, accounting for more than 90 percent of the costs of dealing with cyberattacks. Cybercrime can be even more costly if not addressed and resolved quickly. On average, the sample companies took up to 42 days to resolve malicious attacks from insiders, resulting in an average cost of almost $18,000 per day. Detecting attacks and recovering from them are the two most costly activities. On a yearly basis, these activities account for almost 46 percent of the total costs of dealing with cybercrime.

To compile the study, Ponemon surveyed 45 different organizations in the U.S. from a cross section of different markets. The study attempted to cover direct and indirect expenses that were incurred from the loss or theft of data, disruptions to the business, the loss of revenue, and the destruction of property. The costs included the amount of time and money spent on detecting, investigating, and containing cyber crime along with recovery efforts.