Second Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies

Cyber Crime Study. This year’s study is based on a representative sample of 50 organizations in
various industry sectors. While our research focused on organizations located in the United
States, many are multinational corporations. For consistency purposes, our benchmark sample
consists of only larger-sized organizations (i.e., more than 700 enterprise seats).
Despite widespread awareness of the impact of cybercrime, cyber attacks continue to occur
frequently and result in serious financial consequences for businesses and government
institutions. Key takeaways from this report include:
 Cyber crimes can do serious harm to an organization’s bottom line. We found that the median
annualized cost of cyber crime for 50 organizations in our study is $5.9 million per year, with
a range of $1.5 million to $36.5 million each year per company. This represents an increase
in median cost of 56 percent from our first cyber cost study published last year.1
 Cyber attacks have become common occurrences. The companies in our study experienced
72 successful attacks per week and more than one successful attack per company per week.
This represents an increase of 44 percent from last year’s successful attack experience.
 The most costly cyber crimes are those caused by malicious code, denial of service, stolen
devices and web-based attacks. Mitigation of such attacks requires enabling technologies
such as SIEM and enterprise governance, risk management and compliance (GRC)
solutions.
Similar to last year, the purpose of this benchmark research is to quantify the economic impact of
cyber attacks and observe cost trends over time. We believe a better understanding of the cost of
cyber crime will assist organizations in determining the appropriate amount of investment and
resources needed to prevent or mitigate the devastating consequences of an attack.
Cyber attacks generally refer to criminal activity conducted via the Internet. These attacks can
include stealing an organization’s intellectual property, confiscating online bank accounts,
creating and distributing viruses on other computers, posting confidential business information on
the Internet and disrupting a country’s critical national infrastructure. Recent well-publicized cyber
attacks – for instance, Wikileaks, Epsilion, Sony, Citibank, Boeing, Google, and RSA – have
affected private and public sector organizations.
As described above, our goal is to be able to quantify with as much accuracy as possible the
costs incurred by organizations when they have a cyber attack. In our experience, a traditional
survey approach would not capture the necessary details required to extrapolate cyber crime
costs. Therefore, we decided to pursue field-based research that involved interviewing seniorlevel
personnel and collecting details about actual cyber crime incidents. Approximately nine
months of effort was required to recruit companies, build an activity-based cost model, collect
source information and analyze results.
This research culminated with the completion of case studies involving 50 organizations. The
focus of our project was the direct, indirect and opportunity costs that resulted from the loss or
theft of information, disruption to business operations, revenue loss and destruction of property,
plant and equipment. In addition to external consequences of the cyber crime, the analysis
attempted to capture the total cost spent on detection, investigation, containment, recovery and
after-the-fact or “ex-post” response.

 

Full Report Here