DAMAGE CONTROL: THE COST OF SECURITY BREACHES IT SECURITY RISKS SPECIAL REPORT SERIES



Similar documents
DENIAL OF SERVICE: HOW BUSINESSES EVALUATE THE THREAT OF DDOS ATTACKS IT SECURITY RISKS SPECIAL REPORT SERIES

Global Corporate IT Security Risks: 2013

FINANCIAL FRAUD: THE IMPACT ON CORPORATE SPEND IT SECURITY RISKS SPECIAL REPORT SERIES

Global IT Security Risks

Collateral Effects of Cyberwar

Identifying Cyber Risks and How they Impact Your Business

How To Cover A Data Breach In The European Market

Cloud Security In Your Contingency Plans

GLOBAL IT SECURITY RISKS SURVEY 2014 DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS

State of Security Survey GLOBAL FINDINGS

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO p f

AUTOMATED PENETRATION TESTING PRODUCTS

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

Mitigating and managing cyber risk: ten issues to consider

Internet threats: steps to security for your small business

SafeBiz. Identity Theft and Data Breach Program For Small & Medium Size Businesses (SMB)

External Supplier Control Requirements

MAXIMUM PROTECTION, MINIMUM DOWNTIME

93% of large organisations and 76% of small businesses

Cybersecurity. Are you prepared?

RETHINKING CYBER SECURITY Changing the Business Conversation

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

A PROVEN THREAT A TRUSTED SOLUTION MCCANN CYBER SECURITY SOLUTIONS

AUTOMATED PENETRATION TESTING PRODUCTS

10 Smart Ideas for. Keeping Data Safe. From Hackers

Cyber Security. John Leek Chief Strategist

Cybercrime: risks, penalties and prevention

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

US companies experience and attitudes towards security threats

Cutting through the insurance jargon!

Cyber Threats: Exposures and Breach Costs

Fighting Cyber Crime in the Telecommunications Industry. Sachi Chakrabarty

Practical Steps To Securing Process Control Networks

Cybersecurity Awareness. Part 1

How To Understand The Global Risks Of Itrisk Report 201

The Impact of Cybercrime on Business

Connect Smart for Business SME TOOLKIT

How To Create An Insight Analysis For Cyber Security

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Protecting against cyber threats and security breaches

Cutting the Cost of Application Security

SECURE FILE SHARING AND COLLABORATION: THE PATH TO INCREASED PRODUCTIVITY AND REDUCED RISK

Managing cyber risks with insurance

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

How To Protect Your Endpoints From Attack

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY. Mark

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

Knowing Your Enemy How Your Business is Attacked. Andrew Rogoyski June 2014

Cyber Security Management

Cyber Risk Management

2012 Endpoint Security Best Practices Survey

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

In 2015, just under half (43%) of the world s population has an Internet connection: 3.2 billion people, compared to 2.9 billion in July 2014.

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

The Risk vs. Cost of Enterprise DDoS Protection

Cybersecurity: Protecting Your Business. March 11, 2015

A practical guide to IT security

Enterprise Security Governance. Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

Information Security and Risk Management

Zak Khan Director, Advanced Cyber Defence

MEASURES TO ENHANCE MARITIME SECURITY. Industry guidelines on cyber security on board ships. Submitted by ICS, BIMCO, INTERTANKO and INTERCARGO

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

CONSUMER SECURITY RISKS SURVEY 2014: MULTI-DEVICE THREATS IN A MULTI-DEVICE WORLD. July, 2014

Top Fraud Trends Facing Financial Institutions

Data Center security trends

Cyber Risk and Insurance What companies need to know

Managing IT Security with Penetration Testing

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

A leadership perspectives white paper

Managing Cyber Risk through Insurance

Transcription:

DAMAGE CONTROL: THE COST OF SECURITY BREACHES IT SECURITY RISKS SPECIAL REPORT SERIES Kaspersky Lab

2 Corporate IT Security Risks Survey details: More than 5500 companies in 26 countries around the world Top managers and IT professionals answered questions about security, IT threats and infrastructure We specifically asked them about the cost of recovery when they experience a security breach What we have found: 90% of businesses admitted a security incident. Additionally, 46% of businesses lost sensitive data due to an internal or external security threat. On average enterprises pay US$551,000 to recover from a security breach. SMBs spend 38K. This is direct spend required to recover from an attack. In addition, the indirect costs for enterprises are US$69,000, $8,000 for SMBs. Direct spend Additional costs SMBs 38000 8000 Enteprise 551000 69000 0 100000 200000 300000 400000 500000 600000 700000 Top three major consequences of a breach: Loss of access to business-critical information Damage to company reputation Temporary loss of ability to trade Damage to credit rating Additional staffing / training costs Increased insurance premiums 13% 17% 18% 0% 2% 4% 6% 8% 12% 14% 16% 18% 20% Top three most expensive types of security breaches: Third-party failure Fraud by employees Cyber espionage Cyber Espionage Failure Of Third Party Suppliers Network Intrusion/Hacking Damages & Costs Reactive Spend $55973 $69026 $68758 0 10000 20000 30000 40000 50000 60000 70000 Top three IT security threats that lead to data loss: Malware Phishing attacks Accidental data leaks by staff Malware Phishing attacks Accidental leaks/sharing of data by staff 0% 1 20% 2

3 Key finding: Enterprises lose half a million USD on average from a security breach It s not an easy task to estimate how much a business will lose as a result of a security breach. Figuring out a typical loss is even more complicated. Businesses are cautious of sharing such data, and sometimes they struggle to discern direct financial damage from indirect expenses, also caused by a cyberattack. That is why the results of the 2015 global IT Security Risks survey conducted by Kaspersky Lab in cperation with B2B International are unique and noteworthy. We asked companies what type of they experienced as a result of a security breach and the budget spent on each major type of loss or expense. Using this data, we estimated a probability of a certain type of loss and calculated a corresponding average expense. Applying the weight of probability we finally calculated an average loss for small and medium businesses (under 1500 seats) and enterprises (1500 seats and more). 700000 600000 500000 400000 300000 200000 100000 0 On average, it costs more than half a million US dollars to recover from a security breach for an enterprise. The average expected loss for SMBs is $38,000. These are only direct : money businesses have to allocate to pay for professional services, to cover lost contracts and downtime. Indirect damages, i.e. the budget businesses have to allocate for additional staff hiring and training, infrastructure upgrades etc. are on average $69000 for large businesses and $8000 for SMBs. Let s take a lk at these findings in detail. Direct damages Direct spend 69000 551000 Enterprise Additional costs 8000 38000 SMBs Almost all businesses, regardless of their size, have to invite external experts to recover from a security breach. But these expenses are quite low in comparison with from downtime and the lost business opportunities caused by an attack. Not all security breaches lead to downtime, but if this does occur (in about a third of incidents it does), it becomes the most expensive consequence of an attack: up to 1.4 million USD for large businesses.

4 Professional services Lost business opportunities SMB Proportion of business incurring this expense Enterprise Proportion of business incurring this expense 88% $11K 88% $84K 32% $16k 29% $203K Down-time 34% $66K 30% $1.4M Total expected typical damage $38K $551K Professional services do not always mean hiring external IT professionals to help mitigate a security breach. Although this is the most frequently used measure, many companies have to allocate funds to hire risk management consultants and lawyers. About a quarter of security incidents require help from PR consultants, thus indicating that a breach has become known to public. This figure corresponds with the disclosure statistics, available below. IT Security Consultants 69% Risk Management Consultants 43% Lawyers/Solicitors Physical Security Consultants Auditors/Accountants Management Consultants 37% 36% 3 3 PR/Corporate Image Consultants Additionally, we have estimated the financial cost of damage to brand reputation. The value of a brand and corresponding damage are very hard to calculate, but we decided to give it a shot. We have combined consultancy expenses, lost opportunities due to damaged corporate image and spend on marketing and PR activities aimed at reducing the impact to reputation. The average for this particular type of damage are $8,653 for SMBs and $204,750 for enteprises. Indirect spend 0% 20% 30% 40% 50% 60% 70% 80% After the security breach, most businesses try to prevent such incidents from happening in the future. This t requires extra budget, although this cannot be directly attributed to a security breach recovery. 7 of security breaches led to these unexpected expenses.

5 SMB Proportion of business incurring this expense Enterprise Proportion of business incurring this expense Staffing 41% $5.5K 40% $52K Training 47% $5k 53% $33K Systems 54% $7K 54% $75K Total expected indirect spend $8K $69K Cost of security incidents by type Total financial impact of data breaches depends on the type of the incident. When we asked businesses, to attribute a security breach to a certain cause and estimate an amount of loss, we were able to pinpoint the most expensive types of incidents. Failure Of Third Party Suppliers Fraud By Employees Cyber Espionage Network Intrusion/Hacking Intentional Leaking Phishing Accidental Leaking Malware/Viruses DoS/DDoS Software Vulnerabilities 747712 649936 543838 531349 416544 411977 1141305 1104962 1303827 3289864 0 500000 1000000 1500000 2000000 2500000 3000000 3500000 Total impact of security incidents by type for enterprises Incidents involving the security failure of a third-party contractor, fraud by employees, cyber espionage and network intrusion appear to be the most damaging for large companies, with total average significantly above other types of security incident. Cyber Espionage Failure Of Third Party Suppliers Network Intrusion/Hacking DoS/DDoS Phishing Intentional Leaking Software Vulnerabilities Fraud By Employees Accidental Leaking Malware/Viruses Total impact of security incidents by type for SMBs The danger level of security incidents is slightly different for SMBs: although they suffer significantly from espionage attacks, third party supplier problems and network attacks, DDoS attacks should also be a major concern. 31572 33276 0 10000 20000 30000 40000 50000 60000 70000 40403 42145 46534 48431 53477 55973 69026 68758

6 Security breaches are a top concern One of the key findings of the 2015 IT Security Risks survey is that IT specialists are taking cyber threats much more seriously than last year. The second half of the past year was rich with security breaches and APT announcements, and this lesson has been learned - 50% of IT professionals list prevention of security breaches as one of their three major concerns. Last year, security breaches were named among top three concerns only by 30% of respondents. Often, it can be difficult for a business to comprehend the scale of a security breach until after it has happened. At first it may just lk like the loss of private data, but the longterm damages can end up costing a lot more. It is the consequences of a security breach that have the worst impact on a business. Temporary loss of access to business critical information 50% Loss of credibility/damage to company reputation 43% Temporary loss of ability to trade 38% Loss of contracts/ business opportunities in the future 30% Costs associated with professional help to remedy loss (e.g. legal costs) 2 Cost of additional software / infrastructure to prevent future problems Competitors obtaining previously confidential data (e.g. financial, strategic, IP) 20% Financial caused by reimbursing / compensating clients 19% Damage to credit rating 18% Additional staffing / training costs 17% Increased insurance premiums 13% 0% 20% 30% 40% 50% 60% Frequency of the three worst (chosen by respondents) consequences of a security breach Threats experienced But what threats are likely to cause data breaches? Almost all (90%) of respondents admitted to security incidents. 46% of businesses told us that at least one security Malware Phishing attacks Accidental leaks/sharing of data by staff Vulnerabilities / flaws in existing software Network intrusion / hacking Denial of service Loss/theft of mobile devices by staff Intentional leaks/sharing of data by staff Fraud by employees Theft of mobile devices by external party Cyberespionage Security failure by third party supplier Targeted attacks aimed specifically at our organization / brand 2% 4% 4% 3% 6% 9% 8% 0% 1 20% 2 incident in the last year has led to a data loss. This is the breakdown of IT security threats experienced by businesses that have caused severe security breaches:

7 Disclosure of security breaches The disclosure of information about security breaches has a serious impact on the brand reputation of a business. Companies that suffered such incidents had to share this information with: 50% 4 40% 3 30% 2 20% 1 0% 44% Affected Customers / Clients While the severity of 44% of security breaches compels businesses to disclose information to clients and customers, only one incident out of five becomes publicly known. Conclusion 36% There are t many variables that contribute to the total impact of a corporate security breach. The consequences are also different: for some businesses it s the slight increase of the total IT budget, for others it s a significant financial and reputational damage, and for some it s going out of business with all assets wiped out. One thing is certain - the cost of a security breach is always higher than the cost of protection: the ability to reduce the risk and avoid the shaky path of recovery always pays off. Although real damages can be very different from our average estimation, in this report we ve made a unique attempt to connect potential risks and real consequences of a security breach, defined in dollars, not gigabytes of data and hours of downtime. 90% of the companies we asked admitted they had to deal with security incidents, ranging from malware attacks to DDoS and targeted intrusions. We now also have a high-level understanding of how much businesses spend, in order to recover from a successful attack. Using this methodology, we will be able to see how the constantly evolving threat landscape affects the price that victims of cybercrime have to pay, now and in the future. 32% Suppliers Customers / Clients In General 29% Regulators 22% Press/Media

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information