Undertaken by the Ponemon Institute and commissioned by HP, this is a series of individual reports covering five major markets: the US, the UK, Germany, Japan and Australia. The headline figure is the average annualized cost of cybercrime per company, drawn from an analyzed sample of about 200 companies across the five countries, ranging from $3.2 million in the UK to $8.9 million in the US. The value of the reports, however, lies not in their absolute figures but in the comparative analysis, both between the markets and over the last three years. The report itself states that, “Data collection methods did not include actual accounting information, but instead relied upon numerical estimation based on the knowledge and experience of each participant.”
It is not, therefore, a scientific analysis of actual costs: the figures are participants’ own estimates, and year-on-year comparisons are only as reliable as the consistency of the sample and the estimators behind them. Nevertheless, the reports provide valuable insight into both trends over the last few years and differences between the markets, answering some questions and raising others. For example, the studies reveal that the average time to resolve a successful attack has grown from 14 days in 2010, through 18 days in 2011, to 24 days in 2012. The studies do not give reasons. The growth could mean that companies are becoming less capable at security, or that attack tools are becoming more sophisticated. The general consensus, of course, is the latter.
More intriguing are the differences between countries. The reports note that the “most costly cyber crimes are those caused by malicious insiders, denial of services, and malicious code.” They then note that US companies were more likely to suffer insider attacks than those in the other countries, so US companies should perhaps examine the HR and access-control policies of their overseas counterparts to see if there is any apparent or correctable policy reason for this.
Similarly, there is a difference in attack effect. “Another key finding that may explain cost differences among countries,” notes the report, “concerns the theft of information assets. US and German companies report this as the most significant consequence of a cyber attack. On the other hand,” it continues, “UK and Australia attach more importance to business disruption. As noted later in this report, business disruption can be less costly than information theft.” What the report does not indicate, however, is why the US and Germany should be more extensively targeted for IP theft. Is US IP theft the effect of Chinese hackers, who we are often told are engaged in a major campaign to steal American ideas? Or is IP simply better defended in the UK, Japan and Australia?
All of these are questions raised, if only by implication, by these reports. Businesses in different countries might well learn from the causes and effects of cyber crime across the world. None of this, however, changes the basic conclusions: cyber crime is getting more frequent and more costly, but “the cost of any given attack can be substantially reduced by deploying certain security technologies and by advancing good governance practices throughout the company.” As Rhod Davies, managed security services chief technologist at HP Enterprise Security, told Infosecurity, “The report brings numbers to back up the common sense idea that the better prepared you are the lower the cost of an incident. Organizations with a stronger security posture experienced less than half the cost of less well prepared organizations (£1.42 million as opposed to £3.72 million).”