Over the past four years, cybercrime costs have climbed by an average of 78%, while the time required to recover from a breach has increased 130%.
Those findings come from the fourth annual Cost of Cyber Crime Study, conducted by Ponemon Institute and sponsored by HP. Ponemon's researchers studied 234 businesses around the world, located in the United States, Australia, France, Germany, Japan and the United Kingdom.
In the United States, the annual cybercrime cost seen by the 60 businesses studied ranged from $1.3 million to more than $58 million and averaged $11.6 million per company -- an increase of $2.6 million from 2012. Meanwhile, the average cost of cleaning up after a single successful -- and serious -- attack was $1 million.
"What we call a 'serious attack' is one that doesn't bounce off the firewall," said Larry Ponemon, chairman of the Ponemon Institute, speaking by phone. That's a reference to the fact that businesses are typically hit with numerous attempted -- or nuisance -- attacks each day. "When it slips through that first line of defense, it's something that's measurable in our model," he said.
On average, each U.S. business falls victim to two successful attacks per week. All told, the 60 U.S. businesses studied collectively logged 122 successful attacks per week, which is an increase from 102 successful attacks per week in 2012. The time required to resolve a cyberattack likewise increased from an average of 24 days in 2012 to 32 days in 2013.
"The evidence suggests that things are getting worse instead of better, despite all the resources that companies are spending on cybercrime," said Ponemon.
But cybercrime costs continue to vary widely by country. The highest costs, according to the study, were seen by businesses in the United States (averaging $11.6 million per business) and Germany ($7.6 million). Both Japan ($6.7 million) and France ($5.1 million) experienced mid-range costs, while the United Kingdom ($4.7 million) and Australia ($3.7 million) saw the lowest related costs.
"We're trying to understand why there would be the national cross-country differences," Ponemon said.
One likely explanation stems from the fact that some types of attacks carry higher cleanup costs. According to the study, for example, the most costly cybercrimes are those caused by denial of service, malicious insiders and Web-based attacks. Not coincidentally, businesses in the United States were also more likely than companies in other countries to be targeted by costly malicious code and distributed denial of service (DDoS) attacks.
"The Big Kahuna in terms of cost consequence is the theft of intellectual property -- data as well as compliance costs," said Ponemon. "But distributed denial of service was a close second."
How can businesses lower their cybercrime costs? According to the study, attack costs were lower for businesses that employed technologies such as SIEM (security information and event management), intrusion prevention systems, application security testing, and enterprise governance, risk management and compliance solutions. Notably, the study reported that businesses with security intelligence programs and tools in place enjoyed an average cost savings of nearly $4 million when compared to companies not deploying security intelligence technologies.
"The real value from SIEM is really: what's my situational awareness?" said Frank Mong, VP and general manager of solutions for HP's enterprise security products group, speaking by phone. In other words, such tools help businesses identify security vulnerabilities, systems needing patches and signs of successful intrusions more quickly.
Beyond tools, Mong said, businesses must also begin sharing more information about the attacks they're seeing with other businesses. He referenced HP's own Threat Central, which he likened to "a Yelp for security intelligence." Launched last month, it's the company's first-ever crowdsourced portal designed for sharing real-time information on online attacks.
"We think that's going to be the key to winning today's war against cyber criminals -- that sharing of intelligence," said Mong. In particular, he said, businesses need better counterintelligence: a clearer understanding of their adversaries and faster discovery of harmful anomalies.
Another cost-saver, according to the Ponemon report, is having enterprise security governance practices, including a high-level security leader such as a CISO, certified and experienced staff, and a sufficient budget. Such practices reduce a company's annual cybercrime cleanup costs by an average of $1.5 million, the study said.
For best results, however, businesses must employ a layered combination of the above security defenses and intelligence tools along with information-sharing techniques and governance practices. "Organizations that are doing these things -- the good news is -- it's affecting, in a favorable sense, cost," said Ponemon. "The more you do, the lower the [cybercrime] cost -- but it never gets to zero. Even if you do a regression to infinity, there's always some cost, even if you have the best security posture and are using the latest and greatest tools."