The Economic Impact of Advanced Persistent Threats. Sponsored by IBM. Ponemon Institute Research Report

Transcription

1 ` The Economic Impact of Advanced Persistent Threats Sponsored by IBM Independently conducted by Ponemon Institute LLC Publication Date: May 2014 Ponemon Institute Research Report

2 The Economic Impact of Advanced Persistent Threats Ponemon Institute, May 2014 Part 1. Executive Summary Advanced Persistent Threat (APT) refers to a type of cyber attack designed to evade an organization's present technical and process countermeasures. APTs are those that are specifically designed to bypass firewalls, intrusion detection systems and anti-malware programs. Many APTs are designed with a specific purpose. For example, some may be designed to gather information, including financial data, PII, or other user information such as usernames and passwords. Others may take the form of a continuous barrage of targeted and sophisticated attacks aimed at governments, companies and individuals in order to compromise individual systems and organizations. In an earlier companion study 1, we learned how organizations are responding to a plethora of advanced targeted malware attacks. Our findings suggest the cyber security threat landscape is much more serious due to APTs. Some of the key takeaways from this earlier research include the following: Malware is the typical APT attack method. Ninety-three percent of respondents say malware was the source of the attack. Differences between opportunistic and targeted attacks. Sixty percent of respondents say opportunistic attacks are easier to prevent and not as frequent as targeted attacks. Java and Adobe Readers pose the most risk. According to most respondents, these are the most difficult applications to ensure that all security patches have been fully implemented in a timely fashion. Current technology controls against APTs are not keeping pace with inherent risks. Seventy-two percent of respondents say exploits and malware have evaded their IDS and 76 percent say they have evaded their AV solutions. Drawing upon the same sample of 755 IT and IT security practitioners, we attempted to estimate the dollar range that best describes the total economic impact incurred by U.S. organizations in the past 12 months to protect, defend and remediate from APTs. Respondents were instructed to take a broad view of costs, including all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and opportunity losses. For purposes of estimating costs, respondents were introduced to the following four cost categories. Cost of technical support including forensic investigations, incident response activities, help desk and customer service operations Cost of employees idle time and lost productivity because of downtime or system performance delays Revenues lost because of a lack of system availability, reliability and trustworthiness Diminished value to brand and reputation because a loss of trust or confidence in the availability of systems and business processes among employees, customers, business partners and other key stakeholders. 1 Sponsored by IBM, this analysis of APT cost is part of a larger survey projected entitled, The State of Advanced Persistent Threats, Ponemon Institute, December Ponemon Institute Research Report Page 1

3 In general, we find that reputation damage and employee productivity losses are the most costly consequence of APT attacks. Respondents estimate that the average cost to restore reputation following an APT attack is as much as $9.4 million (which is three times greater than all other cost categories). Figure 1 summarizes the percentage frequency of responses provided by respondents. The distribution of responses varies from zero to more than $100 million. The distribution suggests a mode and median somewhere between $250,000 to $5 million, with the cost relating to diminished brand and reputation skewed to the left (e.g., higher dollar value ranges). Figure 1. Distribution of four estimated cost categories associated with APT-related incidents 40% 30% 20% 10% 0% 0 < $10k $100k $250k $500k $1m $5m $10m $25m $50m $100m > $100 Cost of technical support Revenue and business disruption losses Cost of lost productivity Value of diminished brand and reputation The remaining analysis provides estimated total costs for four categories according to six levels of employee headcount, which is our surrogate for size. The analysis also reports a per capita estimate, which is computed from the estimated total cost divided by headcount. Please note that these data suggest cost estimates are skewed by a small number of very large cost estimates. Hence, the median value is below the mean value in all APT-related cost estimates. Ponemon Institute Research Report Page 2

4 Part 2. Key Findings The average total costs associated with the prevention, defense and containment of APTs on organizational performance are shown in Figure 2. As can be seen, the lowest total average cost of $2.5 million is for technical support. The highest average cost pertains to the value of diminished brand and reputation at $9.4 million. Figure 2. Average costs of APT-related incidents for four categories $000 omitted $10,000,000 $9,000,000 $8,000,000 $7,000,000 $6,000,000 $5,000,000 $4,000,000 $3,000,000 $2,000,000 $1,000,000 $2,502,430 Technical support costs $3,142,270 $3,029,190 Cost of lost productivity Estimated total cost Revenue and business disruption losses $9,429,780 Value of diminished brand and reputation Figure 3 shows the per capita or per employee cost of APTs. Consistent with Figure 2, the lowest per capita cost of $208 is for technical support and the highest average cost of $783 is the value of diminished brand and reputation. Figure 3. Per capita average costs of APT-related incidents for four categories $900 $800 $783 $700 $600 $500 $400 $300 $200 $208 $261 $252 $100 Technical support costs Cost of lost productivity Revenue and business disruption losses Value of diminished brand and reputation Estimated per capita cost Ponemon Institute Research Report Page 3

5 Cost of Technical Support Figure 4 shows the estimated cost of technical support by the size (headcount) of respondents organization. These results confirm the relationship between cost and headcount; that is, largersized companies incur a higher cost for technical support, including forensic investigations, incident response activities, help desk and customer service operations cost relating to APT prevention and defense. Figure 4. Total cost of technical support according to headcount $000 omitted $16,000 $15,053 $14,000 $12,000 $10,000 $9,179 $8,000 $6,000 $4,000 $3,238 $2,000 $160 $263 $977 < to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to Total cost of technical support Figure 5 shows the estimated per capita cost of technical support adjusted by organizational headcount. These per capita estimates show an inverse relationship, wherein smaller-sized companies incur a higher relative cost per employee than larger companies. Figure 5. Per capita cost of technical support according to headcount $450 $400 $350 $300 $250 $200 $150 $100 $50 $400 $350 $326 $216 < to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to $184 $188 Per capita cost of technical support Ponemon Institute Research Report Page 4

6 Cost of lost productivity Figure 6 shows the estimated cost of lost productivity by the size (headcount) of respondents organization. These results show larger-sized companies incur a higher cost associated with downtime and system performance delays relating to APT protection and defense. Figure 6. Total cost of lost productivity according to headcount $000 omitted $14,000 $12,426 $12,000 $10,000 $10,215 $8,000 $6,000 $4,525 $4,000 $2,000 $123 $333 $2,333 < to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to Total cost of lost productivity Figure 7 shows the estimated per capita cost of lost productivity adjusted by headcount. This figure shows an inverted U-like relationship between per capita cost and organizational size wherein mid-market sized companies (1,000 to 5,000 employees) incur the highest relative cost. Figure 7. Per capita cost of lost productivity according to headcount $900 $800 $700 $600 $500 $400 $300 $200 $100 $309 $444 $778 $302 $204 < to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to Per capita cost of lost productivity $155 Ponemon Institute Research Report Page 5

7 Revenue and business disruption losses Figure 8 shows the estimated losses from revenue and business disruptions by size (headcount) of respondents organizations. These results suggest larger-sized companies incur a higher cost associated with IT downtime and system performance delays relating to APT protection and defense. Figure 8. Total revenue and business disruption losses by headcount $000 omitted $12,000 $10,915 $10,000 $8,742 $8,000 $6,000 $4,938 $4,000 $2,000 $175 $400 $2,158 < to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to Revenue and business disruption losses Figure 9 summarizes the estimated per capita cost for revenue and business disruption losses. Similar to the above, the pattern suggests an inverted U-like relationship between per capita cost and organizational size wherein companies with 1,000 to 5,000 employees incur the highest cost per employee. Figure 9. Per capita revenue and business disruption losses by headcount $800 $700 $719 $600 $533 $500 $437 $400 $329 $300 $200 $175 $136 $100 < to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to Per capita revenue and business disruption losses Ponemon Institute Research Report Page 6

8 Diminished brand and reputation losses These results show that in the aftermath of APTs, larger-sized companies incur higher total costs associated with diminished brand and reputation. Such reputational damages include the loss of customers, contractual violations with business partners, regulatory actions and lawsuits. Figure 10. Total value of diminished brand and reputation $000 omitted $50,000 $45,000 $40,000 $35,000 $30,000 $25,000 $20,000 $15,000 $10,000 $5,000 $308 $692 $3,182 $16,388 < to 1,000 1,001 to 5,000 5,001 to 25,000 $33,631 25,001 to $43,840 Total diminished brand and reputation losses Figure 11 summarizes the estimated per capita value of diminished brand and reputation that resulted from APTs. Here again we see an inverted U-like relationship between per capita cost and organizational size wherein companies with 1,000 to 25,000 employees incur the highest relative cost. Figure 11. Per capita value of diminished brand and reputation $1,200 $1,061 $1,093 $1,000 $922 $800 $771 $673 $600 $548 $400 $200 < to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to Per capita diminished brand and reputation losses Ponemon Institute Research Report Page 7

9 Other key findings Are targeted attacks more costly than opportunistic attacks? 2 We profiled respondents according to the types of attacks their organizations experienced. Using a 10-point scale ranging from 1 = opportunistic to 10 = targeted we determined organizations that mostly experienced targeted cyber attacks incurred a higher cost than those experiencing opportunistic attacks. Figure 12 shows the interrelationship between attack profile and costs, which includes technical support costs, lost productivity costs and revenue and business disruption losses. As can be seen, organizations at the 1 to 4 range (opportunistic profile) have a much lower cost than organizations at the 7 to 10 range (targeted profile). Figure 12. Opportunistic-to-targeted cyber attack profiles and combined cost 1 = opportunistic attacks to 10 = targeted attacks $000,000 omitted $14.00 $12.00 $10.88 $11.92 $10.00 $8.00 $6.00 $4.00 $2.00 $7.57 $7.20 $ to 2 3 to 4 5 to 6 7 to 8 9 to 10 Combined cost excluding the value of diminished brand and reputation. 2 Opportunistic attacks are cyber attacks in which attackers have a general idea of what or whom they want to compromise. Only if attackers happen to come across vulnerabilities that can lead to exploitation, they will begin to pursue that company. In contrast, targeted attacks are those in which attackers specifically choose their target and do not give up until this target is compromised. Ponemon Institute Research Report Page 8

10 Figure 13 summarizes average combined costs as described above for six industry sectors. 3 As shown, financial services and industrial companies have higher cost than public sector and retailers. Please note that other industry sectors are not listed because these sample segments were too small for average cost estimation purposes. Figure 13. Average combined cost for six industry sectors $000,000 omitted Financial services $12.51 Industrial $11.90 Health & pharmaceuticals $8.29 Services $7.01 Retail $6.61 Public sector $6.47 $2.00 $4.00 $6.00 $8.00 $10.00 $12.00 $14.00 Combined cost excluding the value of diminished brand and reputation. 3 The six industry sectors shown in Figure 13 represent the largest sectors in the total sample. Other industries were deemed too small to calculate a combined average cost. Ponemon Institute Research Report Page 9

11 Methods A sampling frame of 27,990 IT and IT security practitioners who have involvement in defensive efforts to prevent and/or detect cyber attacks launched against their organization were recruited to participate in this survey. All respondents were located in the United States and more than half of respondents companies are multinationals; that is, those with substantial operations in two or more global regions. Table 1 summarizes our sample response. In total 856 respondents completed the survey. Screening and failed reliability checks required us to remove 101 surveys. The final sample consisted of 755 surveys or a 2.7 percent response rate. Table 1. Sample response Freq Pct% Total sampling frame 27, % Total returns % Rejected and screened surveys % Final sample % Table 2 summarizes the percentage frequency of survey responses to four APT-related cost categories. Table 2. Cost ranges Cost of technical support Cost of lost productivity Revenue and business disruption losses Value of diminished brand and reputation Zero 0% 5% 8% 8% < $10,000 2% 3% 1% 2% $10,001 to $100,000 15% 5% 7% 2% $100,001 to $250,000 18% 21% 28% 2% $250,001 to $500,000 12% 18% 19% 18% $500,001 to $1,000,000 31% 14% 12% 21% $1,000,001 to $5,000,000 12% 16% 13% 15% $5,000,001 to $10,000,000 5% 11% 6% 11% $10,000,001 to $25.000,000 4% 5% 5% 9% $25,000,001 to $50,000,000 0% 2% 0% 8% $50,00,001 to $100,000,000 1% 0% 0% 3% More than $100,000,000 0% 0% 1% 1% Total 100% 100% 100% 100% Ponemon Institute Research Report Page 10

12 Pie Chart 1 reveals the worldwide headcount of the respondent s organization. Sixty-four percent of respondents are from organizations with a global headcount greater than 1,000. Pie Chart 1. Organization s worldwide headcount 7% 5% 15% < to 1,000 23% 21% 1,001 to 5,000 5,001 to 25,000 25,001 to 29% Pie Chart 2 reports the organizational level of respondents current position. By design, 59 percent of respondents are at or above the supervisory levels. Pie Chart 2. Organizational level that best describes your current position 6% 2% 1% 2% 16% Senior Executive Vice President Director 32% Manager Supervisor 21% Technician Staff Contractor Other 19% According to Pie Chart 3, 58 percent of respondents report directly to the Chief Information Officer and 23 percent report to the Chief Information Security Officer. Ponemon Institute Research Report Page 11

13 Pie Chart 3. Primary Person you or your IT security leader reports 3% 2% 2% 1% 6% 23% 5% 58% Chief Information Officer Chief Information Security Officer Chief Risk Officer General Counsel Chief Financial Officer Compliance Officer Chief Security Officer Other Pie Chart 4 reports the industry segments of respondents organizations. This chart identifies financial services (19 percent) as the largest segment, followed by public sector (13 percent) and health & pharmaceuticals (10 percent). Pie Chart 4. What industry best describes your organization s industry focus? 3% 3% 3% 4% 5% 6% 8% 2% 2% 2% Financial services Public sector Health & pharmaceuticals 8% 10% 19% 10% 13% Retail Industrial Services Technology & Software Energy & utilities Consumer products Communications Education & research Transportation Agriculture and food service Entertainment & media Hospitality Other Ponemon Institute Research Report Page 12

14 Part 4. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide an accurate response. Ponemon Institute Research Report Page 13

15 Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Ponemon Institute Research Report Page 14