HP Reveals Cost of Cybercrime Escalates 78 Percent, Time to Resolve Attacks More Than Doubles

Fourth annual study confirms security intelligence solutions mitigate impact, saving average of $4 million annually per organization

PALO ALTO, Calif. — HP today unveiled the results from a global study conducted by the Ponemon Institute, indicating that the cost, frequency and time to resolve cyberattacks continue to rise for the fourth consecutive year.(1)

Conducted by the Ponemon Institute and sponsored by HP Enterprise Security Products, the 2013 Cost of Cyber Crime Study found that the average annualized cost of cybercrime incurred by a benchmark sample of U.S. organizations was $11.56 million,(1) representing a 78 percent increase since the initial study was conducted four years ago.(2) The results also revealed that the time it takes to resolve a cyberattack has increased by nearly 130 percent during this same period, with the average cost incurred to resolve a single attack totalling more than $1 million.(2)

The sophistication of cyberattacks has grown exponentially in recent years, as adversaries both specialize and share intelligence in order to obtain sensitive data and disrupt critical enterprise functions. According to the 2013 Cost of Cyber Crime Study, advanced security intelligence tools such as security information and event management (SIEM), network intelligence systems, and big data analytics, can significantly help to mitigate data threats and reduce the cost of cybercrime.(1)

Key findings from the 2013 study include:

• The average annualized cost of cybercrime incurred per organization was $11.56 million, with a range of $1.3 million to $58 million. This is an increase of 26 percent, or $2.6 million, over the average cost reported in 2012.(3)
• Organizations experienced an average of 122 successful attacks per week, up from 102 attacks per week in 2012.(4)
• The average time to resolve a cyberattack was 32 days, with an average cost incurred during this period of $1,035,769, or $32,469 per day—a 55 percent increase over last year’s estimated average cost of $591,780 for a 24-day period.(1)

“The threat landscape continues to evolve as cyberattacks grow in sophistication, frequency and financial impact,” said Frank Mong, vice president and general manager, Solutions, Enterprise Security Products, HP. “For the fourth consecutive year, we have seen the cost savings that intelligent security tools and governance practices can bring to organizations, and as HP, we are committed to continuing to deliver both industry-leading solutions and research to further disrupt the threat life cycle of the adversary.”

The real cost of cyberattacks

• The most costly cybercrimes are caused by denial-of-service, malicious-insider and web-based attacks, together accounting for more than 55 percent of all cybercrime costs per organization on an annual basis.(5)
• Information theft continues to represent the highest external costs, with business disruption a close second.(6) On an annual basis, information loss accounts for 43 percent of total external costs, down 2 percent from 2012. Business disruption or lost productivity accounts for 36 percent of external costs, an increase of 18 percent from 2012. (1)
• Recovery and detection are the most costly internal activities. For the past year, recovery and detection combined accounted for 49 percent of the total internal activity cost, with cash outlays and labor representing the majority of these costs.(1)
• Cybercrime cost varies by company size, but smaller organizations incur a significantly higher per-capita cost than larger organizations.(1)
• Organizations in financial services, defense, and energy and utilities experience substantially higher cybercrime costs than those in retail, hospitality and consumer products.(1)

Security intelligence solutions and governance practices make the difference

• Organizations using security intelligence technologies were more efficient in detecting and containing cyberattacks, experiencing an average cost savings of nearly $4 million per year, and a 21 percent return on investment (ROI) over other technology categories.(1)
• Deployment of enterprise security governance practices including investing in adequate resources, appointing a high-level security leader, and employing certified or expert staff can reduce cybercrime costs and enable organizations to save an estimated average of $1.5 million per year.(1)

“Information is a powerful weapon in an organization’s cybersecurity arsenal,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Based on real-world experiences and in-depth interviews with more than 1,000 security professionals around the globe, the Cost of Cyber Crime research provides valuable insights into the causes and costs of cyberattacks. The research is designed to help organizations make the most cost-effective decisions possible in minimizing the greatest risks to their companies.”

In addition to the fourth annual study of U.S. companies, Ponemon conducted cybercost studies for companies in Australia, Germany, Japan and the United Kingdom for the second year in a row. A study of French companies was conducted for the first time this year. Of the countries surveyed, the U.S. sample reported the highest total average cost of cybercrime, at $11.6 million, while the Australia sample reported the lowest, at $3.7 million.(1) The global results are available in a separate report entitled, 2013 Global Report on the Cost of Cyber Crime.

Findings from the studies will be presented via webcast on Oct. 29 and 30. Details for the U.S. webinar can be found at https://www.brighttalk.com/r/ghs. Details for the EMEA and APJ webinars can be found at https://www.brighttalk.com/r/nDs and https://www.brighttalk.com/r/xDs, respectively.

With industry-leading products from ArcSight, Fortify and TippingPoint, HP delivers a comprehensive security portfolio that enables businesses to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms. With HP Enterprise Security Products, businesses are better able to disrupt the adversary, manage risk and extend their security capabilities to better protect their organizations.

Additional information about HP Enterprise Security Products is available at www.hpenterprisesecurity.com.

HP’s premier EMEA client event, HP Discover, takes place Dec. 10-12 in Barcelona, Spain.

(1) “2013 Cost of Cyber Crime Study: United States,” Ponemon Institute, October 2013.

(2) Based on internal analysis of the results from the 2010-2013 “Cost of Cyber Crime Study: United States” reports from Ponemon Institute.

(3) “2012 Cost of Cyber Crime Study: United States,” Ponemon Institute, October 2012.

(4) The study defines a successful attack as one that results in the infiltration of a company’s core networks or enterprise systems. It does not include a plethora of attacks that are stopped by the company’s firewall defense.

(5) This year the category of malicious-insider attacks includes the cost of stolen devices.

(6) In the context of this study, an external cost is one that is created by external factors such as fines, litigation and marketability of stolen intellectual properties.

This news release contains forward-looking statements that involve risks, uncertainties and assumptions. If such risks or uncertainties materialize or such assumptions prove incorrect, the results of HP and its consolidated subsidiaries could differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements, including but not limited to statements of the plans, strategies and objectives of management for future operations; any statements concerning expected development, performance, market share or competitive performance relating to products and services; any statements regarding anticipated operational and financial results; any statements of expectation or belief; and any statements of assumptions underlying any of the foregoing. Risks, uncertainties and assumptions include the need to address the many challenges facing HP’s businesses; the competitive pressures faced by HP’s businesses; risks associated with executing HP’s strategy; the impact of macroeconomic and geopolitical trends and events; the need to manage third party suppliers and the distribution of HP’s products and services effectively; the protection of HP’s intellectual property assets, including intellectual property licensed from third parties; risks associated with HP’s international operations; the development and transition of new products and services and the enhancement of existing products and services to meet customer needs and respond to emerging technological trends; the execution and performance of contracts by HP and its suppliers, customers and partners; the hiring and retention of key employees; integration and other risks associated with business combination and investment transactions; the execution, timing and results of restructuring plans, including estimates and assumptions related to the cost and the anticipated benefits of implementing those plans; the resolution of pending investigations, claims and disputes; and other risks that are described in HP’s Quarterly Report on Form 10-Q for the fiscal quarter ended April 30, 2013 and HP’s other filings with the Securities and Exchange Commission, including HP’s Annual Report on Form 10-K for the fiscal year ended October 31, 2012. HP assumes no obligation and does not intend to update these forward-looking statements.

© 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.


About HP

HP creates new possibilities for technology to have a meaningful impact on people, businesses, governments and society. With the broadest technology portfolio spanning printing, personal systems, software, services and IT infrastructure, HP delivers solutions for customers’ most complex challenges in every region of the world. More information about HP (NYSE: HPQ) is available at http://www.hp.com