In the HP Enterprise Security sponsored "2015 Cost of Cyber Crime Study: UK", the Ponemon Institute conducted 326 interviews with personnel from 39 UK companies to assess the incidence and cost of cyber-crime for businesses. The number of cyber-attacks in the UK continues to grow in frequency and severity.
The UK National Security Council has named cyber-attacks as a “tier one” risk to national security along with international terrorism and a major international conflict.
Some of the key findings of the study include average cost of cyber-crime by an organisation's size and industry, type of attack influences cost of cyber-crime and cost components.
The average cost of cyber-crime is £4.1 million per year. This is a 14 percent increase in the average cost from last year.
The study determined that small organisations acquire a significantly higher per capita cost than larger organisations (£1,014 versus £232).
The average annual cost of cyber-crime seems to vary by industry. Organisations in energy, financial services and utilities and communications experience considerably higher costs than organisations in education, public sector, research and retail.
The most expensive cyber-crimes are ones caused by denial of service, malicious insiders and web-base attacks. They account for about 49 percent of all cyber-crime costs per organisation annually.
Cyber-attacks can be costly if not discovered or resolved quickly. The study shows a positive relationship between the time to contain an attack and organisational cost. The average time to resolve a cyber-attack was 31 days, having an average cost of £358,796. Malicious insider attacks can, on average, take more than 70 days to contain.
The highest external cost continues to be business disruption, followed by revenue loss. Business disruption accounts for 47 percent of total external costs, and costs associated with revenue loss and information loss account for 52 percent of annual spends.
Recovery and detection account for 55 percent of the total internal activity cost with direct labour, cash outlay and productivity loss representing the majority.
The cost of cyber-crime is controlled by the use of security intelligence systems. Companies using such technologies were more efficient in finding and containing cyber-attacks. These companies experienced an average savings of more than £1.3 million compared to companies not using security intelligence technologies.
Companies expanding advanced perimeter controls and firewall technologies had a higher ROI at 24 and 22 percent than other technologies.
Results show companies that invest in security metrics and employment of certified and expert personnel will grasp average savings of £1 million and £911,215, respectively.
"As an industry we're getting better, but attacks are becoming much more invasive and sophisticated," said Andrzej Kawalec, chief technology officer for Hewlett-Packard Co's HP Enterprise Security.