Certification to ISO27001 can lead to annual savings of £968,967 per organisation

The 2014 report on the cost of cyber crime in the United Kingdom has revealed some interesting results about how and where security-conscious organisations should invest their efforts in the fight against cyber crime.

The report indicates that smaller organisations in the United Kingdom experienced a higher proportion of cyber crime costs related to the following attacks:

  • Web-based attacks
  • Stolen devices
  • Viruses, worms and Trojans

Larger organisations, by contrast, experience a higher proportion of costs relating to:

  • Denial of services
  • Malicious code
  • Malicious insiders (employees, contractors and partners)
  • Phishing

Denial-of-service attacks are the most expensive types of cyber attacks

Denial-of-service (DoS) attacks were the most expensive of all attack types, accounting for 25% of all costs (as opposed to 15% and 16% in previous years). A DoS attack is an explicit attempt by attackers to prevent legitimate users of a service from using that service, for example by causing the system to malfunction. The least costly attacks for organisations were malware (6%), botnets (6%), and phishing and social engineering attacks (5%).

In prior years, phishing and social engineering contributed to 11% and 12% of annual average cyber crime costs (compared to 5% in 2014).

The financial services sector is worst affected by the cost of cyber crime

Industry sectors worst affected by cyber crime were financial services, communications, utilities and energy. The average annual cost of cyber crime in financial services organisations far outweighed all other industries, with costs jumping from £3 million in 2012 to £8.3 million in 2014 (177% growth).

95% of companies have experienced malware attacks

97% of companies experienced virus attacks, and 95% suffered malware attacks. The study distinguishes the two as follows: viruses reside on the endpoint and have not yet infiltrated the network, whereas malware has infiltrated the network.

The average timespan for resolving a cyber attack is 26 days, at a cost of £9,996 per day

The average length of time to resolve a cyber attack is 26 days. This costs companies £9,996 per day, or a total of £255,938 over the remediation period, an increase of almost 20% on the costs reported in last year’s survey. Attacks by malicious insiders took the longest to resolve, at an average of 70 days. The second longest were malicious code attacks, which took an average of 50 days to resolve.

Business disruption is the biggest external cost of a cyber attack

The external consequences of cyber attacks can be broken down into the following cost components:

  • Business disruption (47% of costs – increasing)
  • Revenue loss (28% of costs)
  • Data loss (24% of costs)
  • Equipment damages (1% of costs – declining)

Recovery and detection costs account for 54% of internal costs

The internal consequences consisted of the following cost components:

  • Recovery costs (25% – declining)
  • Detection costs (29% – increasing)
  • Ex-post (‘after the fact’) response costs (14%)
  • Investigations (13%)
  • Incident management (12%)
  • Containment (7%)

Direct labour and cash outlay contribute to 49% of activity costs

Activity costs can be attributed to the following specific cost components:

  • Direct labour (26%)
  • Cash outlay (23%)
  • Productivity loss (25%)
  • Overhead (13%)
  • Indirect labour (11%)
  • Other (2%)

Investing in the deployment of GRC tools contributes to £1.1 million in average annual cost savings

The following annual average cost-savings per company could be made by deploying these security technologies:

  • Security intelligence systems – £1.1 million
  • Enterprise deployment of GRC (governance, risk and compliance) tools – £1.1 million
  • Access to governance tools – £934,500
  • Extensive deployment of encryption technologies – £723,443
  • Perimeter controls and firewalls – £694,201

Certification against industry standards such as ISO27001 contributes to annual savings of £968,967 per organisation

The recommended enterprise security governance activities listed below resulted in the following cost savings:

Cost savings 2014

Access integrated world-class cyber security resources, training and consultancy online, anywhere in the world, with IT Governance’s ISO27001 solutions. These packages have been designed to give organisations of any size access to the tools necessary to implement ISO27001 at a speed and budget appropriate to their individual needs and preferred project approach. Implement ISO27001 to protect your business from cyber crime now by choosing your packaged solution and getting started today.

Source: 2014 Cost of Cyber Crime Study: United Kingdom – Ponemon Institute and HP