The Economic Impact of Advanced Persistent Threats. Sponsored by IBM. Ponemon Institute Research Report


The Economic Impact of Advanced Persistent Threats
Sponsored by IBM
Independently conducted by Ponemon Institute LLC
Publication Date: May 2014
Ponemon Institute Research Report

The Economic Impact of Advanced Persistent Threats
Ponemon Institute, May 2014

Part 1. Executive Summary

Advanced Persistent Threat (APT) refers to a type of cyber attack designed to evade an organization's present technical and process countermeasures. APTs are specifically designed to bypass firewalls, intrusion detection systems and anti-malware programs. Many APTs are designed with a specific purpose. For example, some may be designed to gather information, including financial data, PII, or other user information such as usernames and passwords. Others may take the form of a continuous barrage of targeted and sophisticated attacks aimed at governments, companies and individuals in order to compromise individual systems and organizations.

In an earlier companion study [1], we learned how organizations are responding to a plethora of advanced targeted malware attacks. Our findings suggest the cyber security threat landscape is much more serious due to APTs. Some of the key takeaways from this earlier research include the following:

- Malware is the typical APT attack method. Ninety-three percent of respondents say malware was the source of the attack.
- Differences between opportunistic and targeted attacks. Sixty percent of respondents say opportunistic attacks are easier to prevent and not as frequent as targeted attacks.
- Java and Adobe Reader pose the most risk. According to most respondents, these are the most difficult applications for which to ensure that all security patches have been fully implemented in a timely fashion.
- Current technology controls against APTs are not keeping pace with inherent risks. Seventy-two percent of respondents say exploits and malware have evaded their IDS and 76 percent say they have evaded their AV solutions.

Drawing upon the same sample of 755 IT and IT security practitioners, we attempted to estimate the dollar range that best describes the total economic impact incurred by U.S. organizations in the past 12 months to protect, defend and remediate from APTs. Respondents were instructed to take a broad view of costs, including all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and opportunity losses. For purposes of estimating costs, respondents were introduced to the following four cost categories:

- Cost of technical support, including forensic investigations, incident response activities, help desk and customer service operations
- Cost of employees' idle time and lost productivity because of downtime or system performance delays
- Revenues lost because of a lack of system availability, reliability and trustworthiness
- Diminished value to brand and reputation because of a loss of trust or confidence in the availability of systems and business processes among employees, customers, business partners and other key stakeholders

[1] Sponsored by IBM, this analysis of APT cost is part of a larger survey project entitled The State of Advanced Persistent Threats, Ponemon Institute, December 2013.

In general, we find that reputation damage and employee productivity losses are the most costly consequences of APT attacks. Respondents estimate that the average cost to restore reputation following an APT attack is as much as $9.4 million (three times greater than all other cost categories). Figure 1 summarizes the percentage frequency of responses provided by respondents. The distribution of responses varies from zero to more than $100 million. The distribution suggests a mode and median somewhere between $250,000 and $5 million, with the cost relating to diminished brand and reputation skewed to the left (e.g., higher dollar value ranges).

Figure 1. Distribution of four estimated cost categories associated with APT-related incidents
(Bar chart: percentage of respondents, 0% to 40%, for each cost range from zero through < $10k, $100k, $250k, $500k, $1m, $5m, $10m, $25m, $50m, $100m and > $100m; series: cost of technical support, revenue and business disruption losses, cost of lost productivity, value of diminished brand and reputation. The underlying percentages are tabulated in Table 2.)

The remaining analysis provides estimated total costs for four categories according to six levels of employee headcount, which is our surrogate for size. The analysis also reports a per capita estimate, computed as the estimated total cost divided by headcount. Please note that these data suggest cost estimates are skewed by a small number of very large cost estimates. Hence, the median value is below the mean value in all APT-related cost estimates.

Part 2. Key Findings

The average total costs associated with the prevention, defense and containment of APTs on organizational performance are shown in Figure 2. As can be seen, the lowest total average cost of $2.5 million is for technical support. The highest average cost pertains to the value of diminished brand and reputation at $9.4 million.

Figure 2. Average costs of APT-related incidents for four categories ($000 omitted)
  Technical support costs                    $2,502,430
  Cost of lost productivity                  $3,142,270
  Revenue and business disruption losses     $3,029,190
  Value of diminished brand and reputation   $9,429,780

Figure 3 shows the per capita or per employee cost of APTs. Consistent with Figure 2, the lowest per capita cost of $208 is for technical support and the highest per capita cost of $783 is the value of diminished brand and reputation.

Figure 3. Per capita average costs of APT-related incidents for four categories
  Technical support costs                    $208
  Cost of lost productivity                  $261
  Revenue and business disruption losses     $252
  Value of diminished brand and reputation   $783

Cost of technical support

Figure 4 shows the estimated cost of technical support by the size (headcount) of respondents' organizations. These results confirm the relationship between cost and headcount; that is, larger-sized companies incur a higher cost for technical support, including forensic investigations, incident response activities, and help desk and customer service operations, relating to APT prevention and defense.

Figure 4. Total cost of technical support according to headcount ($000 omitted)
  < 500                                        $160
  500 to 1,000                                 $263
  1,001 to 5,000                               $977
  5,001 to 25,000                              $3,238
  25,001 to (upper bound not legible)          $9,179
  largest headcount band (label not legible)   $15,053

Figure 5 shows the estimated per capita cost of technical support adjusted by organizational headcount. These per capita estimates show an inverse relationship, wherein smaller-sized companies incur a higher relative cost per employee than larger companies.

Figure 5. Per capita cost of technical support according to headcount
  < 500                                        $400
  500 to 1,000                                 $350
  1,001 to 5,000                               $326
  5,001 to 25,000                              $216
  25,001 to (upper bound not legible)          $184
  largest headcount band (label not legible)   $188

Cost of lost productivity

Figure 6 shows the estimated cost of lost productivity by the size (headcount) of respondents' organizations. These results show that larger-sized companies incur a higher cost associated with downtime and system performance delays relating to APT protection and defense.

Figure 6. Total cost of lost productivity according to headcount ($000 omitted)
  < 500                                        $123
  500 to 1,000                                 $333
  1,001 to 5,000                               $2,333
  5,001 to 25,000                              $4,525
  25,001 to (upper bound not legible)          $10,215
  largest headcount band (label not legible)   $12,426

Figure 7 shows the estimated per capita cost of lost productivity adjusted by headcount. This figure shows an inverted U-like relationship between per capita cost and organizational size, wherein mid-market sized companies (1,000 to 5,000 employees) incur the highest relative cost.

Figure 7. Per capita cost of lost productivity according to headcount
  < 500                                        $309
  500 to 1,000                                 $444
  1,001 to 5,000                               $778
  5,001 to 25,000                              $302
  25,001 to (upper bound not legible)          $204
  largest headcount band (label not legible)   $155

Revenue and business disruption losses

Figure 8 shows the estimated losses from revenue and business disruptions by the size (headcount) of respondents' organizations. These results suggest that larger-sized companies incur a higher cost associated with IT downtime and system performance delays relating to APT protection and defense.

Figure 8. Total revenue and business disruption losses by headcount ($000 omitted)
  < 500                                        $175
  500 to 1,000                                 $400
  1,001 to 5,000                               $2,158
  5,001 to 25,000                              $4,938
  25,001 to (upper bound not legible)          $8,742
  largest headcount band (label not legible)   $10,915

Figure 9 summarizes the estimated per capita cost for revenue and business disruption losses. Similar to the above, the pattern suggests an inverted U-like relationship between per capita cost and organizational size, wherein companies with 1,000 to 5,000 employees incur the highest cost per employee.

Figure 9. Per capita revenue and business disruption losses by headcount
(Bar chart over the six headcount bands from < 500 to the largest band; the highest bar, $719, is the 1,000 to 5,000 employee band; the other values shown are $533, $437, $329, $175 and $136.)

Diminished brand and reputation losses

These results show that in the aftermath of APTs, larger-sized companies incur higher total costs associated with diminished brand and reputation. Such reputational damages include the loss of customers, contractual violations with business partners, regulatory actions and lawsuits.

Figure 10. Total value of diminished brand and reputation ($000 omitted)
  < 500                                        $308
  500 to 1,000                                 $692
  1,001 to 5,000                               $3,182
  5,001 to 25,000                              $16,388
  25,001 to (upper bound not legible)          $33,631
  largest headcount band (label not legible)   $43,840

Figure 11 summarizes the estimated per capita value of diminished brand and reputation that resulted from APTs. Here again we see an inverted U-like relationship between per capita cost and organizational size, wherein companies with 1,000 to 25,000 employees incur the highest relative cost.

Figure 11. Per capita value of diminished brand and reputation
(Bar chart over the six headcount bands from < 500 to the largest band; the two highest bars, $1,061 and $1,093, are the 1,001 to 5,000 and 5,001 to 25,000 employee bands; the other values shown are $922, $771, $673 and $548.)

Other key findings

Are targeted attacks more costly than opportunistic attacks? [2] We profiled respondents according to the types of attacks their organizations experienced. Using a 10-point scale ranging from 1 = opportunistic to 10 = targeted, we determined that organizations that mostly experienced targeted cyber attacks incurred a higher cost than those experiencing opportunistic attacks. Figure 12 shows the interrelationship between attack profile and costs, which include technical support costs, lost productivity costs and revenue and business disruption losses. As can be seen, organizations in the 1 to 4 range (opportunistic profile) have a much lower cost than organizations in the 7 to 10 range (targeted profile).

Figure 12. Opportunistic-to-targeted cyber attack profiles and combined cost
(1 = opportunistic attacks to 10 = targeted attacks; $000,000 omitted; combined cost excluding the value of diminished brand and reputation)
  1 to 2     $7.57
  3 to 4     $7.20
  5 to 6     $8.30
  7 to 8     $10.88
  9 to 10    $11.92

[2] Opportunistic attacks are cyber attacks in which attackers have a general idea of what or whom they want to compromise. Only if attackers happen to come across vulnerabilities that can lead to exploitation will they begin to pursue that company. In contrast, targeted attacks are those in which attackers specifically choose their target and do not give up until this target is compromised.

Figure 13 summarizes average combined costs, as described above, for six industry sectors. [3] As shown, financial services and industrial companies have a higher cost than the public sector and retailers. Please note that other industry sectors are not listed because these sample segments were too small for average cost estimation purposes.

Figure 13. Average combined cost for six industry sectors
($000,000 omitted; combined cost excluding the value of diminished brand and reputation)
  Financial services         $12.51
  Industrial                 $11.90
  Health & pharmaceuticals   $8.29
  Services                   $7.01
  Retail                     $6.61
  Public sector              $6.47

[3] The six industry sectors shown in Figure 13 represent the largest sectors in the total sample. Other industries were deemed too small to calculate a combined average cost.

Methods

A sampling frame of 27,990 IT and IT security practitioners who have involvement in defensive efforts to prevent and/or detect cyber attacks launched against their organization were recruited to participate in this survey. All respondents were located in the United States, and more than half of respondents' companies are multinationals; that is, those with substantial operations in two or more global regions. Table 1 summarizes our sample response. In total, 856 respondents completed the survey. Screening and failed reliability checks required us to remove 101 surveys. The final sample consisted of 755 surveys, or a 2.7 percent response rate.

Table 1. Sample response
                                  Freq     Pct%
  Total sampling frame            27,990   100.0%
  Total returns                   856      3.1%
  Rejected and screened surveys   101      0.4%
  Final sample                    755      2.7%

Table 2 summarizes the percentage frequency of survey responses to four APT-related cost categories.

Table 2. Cost ranges
  Columns: (A) Cost of technical support, (B) Cost of lost productivity, (C) Revenue and business disruption losses, (D) Value of diminished brand and reputation

  Cost range                       A      B      C      D
  Zero                             0%     5%     8%     8%
  < $10,000                        2%     3%     1%     2%
  $10,001 to $100,000              15%    5%     7%     2%
  $100,001 to $250,000             18%    21%    28%    2%
  $250,001 to $500,000             12%    18%    19%    18%
  $500,001 to $1,000,000           31%    14%    12%    21%
  $1,000,001 to $5,000,000         12%    16%    13%    15%
  $5,000,001 to $10,000,000        5%     11%    6%     11%
  $10,000,001 to $25,000,000       4%     5%     5%     9%
  $25,000,001 to $50,000,000       0%     2%     0%     8%
  $50,000,001 to $100,000,000      1%     0%     0%     3%
  More than $100,000,000           0%     0%     1%     1%
  Total                            100%   100%   100%   100%
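As an added check that is not part of the report, the following Python re-derives the Figure 2 category averages from the Table 2 percentage distribution and estimates a grouped median for each category, which makes concrete the Part 1 note that the median sits below the mean in every cost category. The bin midpoints, the $110 million value assumed for the open-ended "more than $100,000,000" bin, and the linear interpolation of the median are this example's own assumptions, not stated in the report.

```python
"""Re-derive the headline APT cost averages from the Table 2 distribution."""

# Cost ranges from Table 2 as (lower, upper) bounds in dollars.
# None marks the open-ended top bin.
BINS = [
    (0, 0),
    (0, 10_000),
    (10_000, 100_000),
    (100_000, 250_000),
    (250_000, 500_000),
    (500_000, 1_000_000),
    (1_000_000, 5_000_000),
    (5_000_000, 10_000_000),
    (10_000_000, 25_000_000),
    (25_000_000, 50_000_000),
    (50_000_000, 100_000_000),
    (100_000_000, None),
]

# Percentage of respondents per bin, one column per cost category (Table 2).
TABLE2 = {
    "technical_support":  [0, 2, 15, 18, 12, 31, 12, 5, 4, 0, 1, 0],
    "lost_productivity":  [5, 3, 5, 21, 18, 14, 16, 11, 5, 2, 0, 0],
    "revenue_disruption": [8, 1, 7, 28, 19, 12, 13, 6, 5, 0, 0, 1],
    "brand_reputation":   [8, 2, 2, 2, 18, 21, 15, 11, 9, 8, 3, 1],
}

# Assumption: representative dollar value for the open-ended top bin.
# The report does not state one; $110M reproduces its published averages.
TOP_BIN_VALUE = 110_000_000


def bin_midpoint(lo, hi):
    """Midpoint of a closed bin; the open top bin uses TOP_BIN_VALUE."""
    if hi is None:
        return TOP_BIN_VALUE
    return (lo + hi) / 2


def grouped_mean(pcts):
    """Mean cost assuming every respondent in a bin sits at its midpoint."""
    assert sum(pcts) == 100, "Table 2 columns must total 100%"
    return sum(p / 100 * bin_midpoint(lo, hi) for p, (lo, hi) in zip(pcts, BINS))


def grouped_median(pcts):
    """Median by linear interpolation inside the bin holding the 50th
    percentile (the standard grouped-data estimate, assumed here)."""
    cumulative = 0
    for p, (lo, hi) in zip(pcts, BINS):
        if cumulative + p >= 50:
            if hi is None:
                return lo  # cannot interpolate inside an open bin
            return lo + (50 - cumulative) / p * (hi - lo)
        cumulative += p
    raise ValueError("percentages never reach 50%")


def summarize(category):
    """Return (mean, median) in dollars for one Table 2 column."""
    pcts = TABLE2[category]
    return grouped_mean(pcts), grouped_median(pcts)


if __name__ == "__main__":
    for name in TABLE2:
        mean, median = summarize(name)
        print(f"{name:20s} mean ${mean:>14,.0f}   median ${median:>12,.0f}")
```

The technical support mean comes out at about $2.50 million against the report's $2,502,430, while its median lands in the $500,001 to $1,000,000 bin, showing how the handful of $10 million-plus responses drive the average.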

Pie Chart 1 reveals the worldwide headcount of the respondents' organizations. Sixty-four percent of respondents are from organizations with a global headcount greater than 1,000.

Pie Chart 1. Organization's worldwide headcount
(Segments: < 500, 500 to 1,000, 1,001 to 5,000, 5,001 to 25,000, 25,001 to (upper bound not legible), and the largest headcount band.)

Pie Chart 2 reports the organizational level of respondents' current position. By design, 59 percent of respondents are at or above the supervisory level.

Pie Chart 2. Organizational level that best describes your current position
(Segments: Senior Executive, Vice President, Director, Manager, Supervisor, Technician, Staff, Contractor, Other.)

According to Pie Chart 3, 58 percent of respondents report directly to the Chief Information Officer and 23 percent report to the Chief Information Security Officer.

Pie Chart 3. Primary person you or your IT security leader reports to
(Segments: Chief Information Officer 58%, Chief Information Security Officer 23%, Chief Risk Officer, General Counsel, Chief Financial Officer, Compliance Officer, Chief Security Officer, Other.)

Pie Chart 4 reports the industry segments of respondents' organizations. This chart identifies financial services (19 percent) as the largest segment, followed by public sector (13 percent) and health & pharmaceuticals (10 percent).

Pie Chart 4. What industry best describes your organization's industry focus?
(Segments: Financial services 19%, Public sector 13%, Health & pharmaceuticals 10%, Retail, Industrial, Services, Technology & Software, Energy & utilities, Consumer products, Communications, Education & research, Transportation, Agriculture and food service, Entertainment & media, Hospitality, Other.)

Part 4. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide an accurate response.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.