Benchmark Study of Global Companies – Ponemon Institute October 2014
Part 1. Executive Summary
We are pleased to present the 2014 Global Report on the Cost of Cyber Crime. Sponsored by HP Enterprise Security, this year’s study is based upon a representative sample of 257 organizations in various industry sectors.
The Cost of Cyber Crime study was first conducted by Ponemon Institute in the United States five years ago. This is the third year we conducted the study in the United Kingdom, Germany, Australia and Japan. Last year we expanded the research to France and this year we added the Russian Federation. The findings from 7 countries are presented in separate reports.
During the period we conducted interviews and analyzed the findings, mega cyber crimes took place. Most notable was the Target cyber breach, which was reported to result in the theft of 40 million payment cards.
More recently, Chinese hackers launched a cyber attack against Canada’s National Research Council as well as commercial entities in Pennsylvania, including Westinghouse Electric Company, U.S. Steel and the United Steel Workers Union. Russian hackers recently stole the largest collection of Internet credentials ever: 1.2 billion user names and passwords, plus 500 million email addresses. While the companies represented in this research did not have cyber attacks as devastating as these were, they did experience incidents that were expensive to resolve and disruptive to their operations.
For purposes of this study, we refer to cyber attacks as criminal activity conducted via the Internet. These attacks can include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure.
Our goal is to quantify the economic impact of cyber attacks and observe cost trends over time.
We believe a better understanding of the cost of cyber crime will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.
In our experience, a traditional survey approach does not capture the necessary details required to extrapolate cyber crime costs. Therefore, we conduct field-based research that involves interviewing senior-level personnel about their organizations’ actual cyber crime incidents.
Approximately 10 months of effort is required to recruit companies, build an activity-based cost model to analyze the data, collect source information and complete the analysis. For consistency purposes, our benchmark sample consists of only larger-sized organizations (i.e., more than 1,000 enterprise seats). The study examines the total costs organizations incur when responding to cyber crime incidents. These include the costs to detect, recover, investigate and manage the incident response. Also covered are the costs that result in after-the-fact activities and efforts to contain additional costs from business disruption and the loss of customers. These costs do not include the plethora of expenditures and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations.