Financial damage associated with cybercrime and insider threats jumped 12% globally in 2018 and accounted for a third of all cybersecurity costs, new research shows.
A study by the Ponemon Institute on behalf of Accenture looks at costs last year associated with cyberattacks to IT infrastructure, economic cyber espionage, business disruption, exfiltration of intellectual property and revenue.
Cybercrime costs less to prevent than to repair
The cost to companies due to malware increased 11 percent, to an average of more than $2.6 million per company. The cost of internal threats (which Ponemon defines as employees, temporary staff, contractors and business partners) jumped 15 percent, to US$1.6 million per organization.
“Together these two types of cyberattacks accounted for one-third of the total US$13.0 million cost to companies, on average, from cybercrime in 2018, an increase of US$1.3 million in the past year,” Ponemon said. “Similarly, the cost to companies from phishing and from social engineering increased to US$1.4 million per organization, on average.”
Cybercrime costs are defined in the study as an organization’s expenses on discovering, investigating, containing and recovering from cyberattacks. These costs were calculated over a period of four consecutive weeks, and included expenditures related to the aftermath, such as incident-response activities designed to prevent similar attacks and efforts to reduce business disruption.
Notably, 28% of the organizations surveyed deployed automation, orchestration and machine-learning technologies to combat cyber-threats. Although these technologies accounted for the lowest percentage of all cybersecurity solutions named by the companies in the survey, these tools provided the second-highest cost savings for security technologies overall, at $2.9 million.
The chart below illustrates the average annual cost of cybercrime by type of attack (malware, social engineering, stolen devices, etc.). Malware is the most expensive type of attack, costing companies US$2.6 million, on average, followed by web-based attacks, at US$2.3 million. Broadly speaking, “malware” should include ransomware, but the researchers decided to measure ransomware separately (likely because of its infamous stand-out nature and pervasiveness).
Malware the most expensive cyber threat
Surveyed companies recorded an average of 145 cyberattacks each last year, 11% more than in 2017 and 67% more than five years ago.
The number of organizations suffering ransomware attacks rose 15% in 2018. This increase also inflated the average cost per company due to ransomware, to approximately $650,000.
Companies in the United States experienced the greatest increase in costs due to cybercrime in 2018, with a cost of $27.4 million per company, on average. The countries with the lowest total average costs per company were Brazil and Australia, at US$7.2 million and US$6.8 million, respectively.