HPE Business Insights


New cost of cyber crime report shows phishing and advanced malware on the rise

Security expert Larry Ponemon delves into why the cost of cyber crime continues to climb and how to contain the damage.

The bottom line

What: Cyber crime incidents are growing in frequency and severity.

Why: Cyber criminals are developing more sophisticated forms of attack.

How: Align security policies with business objectives and deploy security intelligence systems.

More: Read the Ponemon 2015 Cost of Cyber Crime Study (reg. req’d). And use our free Cyber Crime assessment tool, which compares your readiness to Ponemon's findings.


First, the good news: Security technology is helping organizations make inroads in the never-ending fight against cyber crime. But the overall cost continues to rise year over year, most significantly in the U.S., according to the Ponemon Institute’s “2015 Cost of Cyber Crime Study,” a report sponsored by Hewlett Packard Enterprise that assesses the cost of cyber crime at enterprise organizations in Australia, Brazil, Germany, Japan, Russia, the U.K., and the U.S.

We talked with institute chairman Larry Ponemon about the latest findings, discussing emerging threats and the strategies organizations can take to reduce their exposure. As Ponemon points out, your enterprise will suffer a cyber attack, but your preparation and planning can lessen the damage.

What was the biggest surprise in this year’s report?

Larry Ponemon: In the U.S., the cost of cyber crime is just so much greater than in any other country, growing by more than 20 percent over last year. This averages out to $15.5 million for each of the participating U.S. companies. Germany, the second-most expensive country for cyber crime, averages $7.4 million per participating company.

Why is the cost so much higher in the U.S.?

LP: The U.S. dollar has been particularly strong this past year, but that’s not the whole story. Global security industry mavens generally agree that the U.S. is ahead of other countries in terms of enterprise security management, deploying security technology, hiring expert staff, and training people. One of the reasons for that is that most of the really serious cyber attacks, globally, have been in the U.S. Bad guys see more money, and therefore more economic value, by committing crime in the U.S. than in other countries or regions of the world.

Is there anything organizations can do to reduce their cost?

LP: There are some technologies that really seem to make a difference: Security intelligence systems such as security information and event management and network intelligence tools help you spot anomalies and stop strange activity before it infiltrates your system. Advanced perimeter controls—basically smart firewalls—now incorporate threat intelligence. And the more you use cryptological solutions—such as tokenization—that make it hard for bad guys to seize data, the better your security position.

Is there a weakest link companies should focus on?

LP: Everywhere—not just in the U.S.—the weakest link is definitely what I call “the good person who does a stupid thing.” People are rushing to complete their code to launch an app on time, for example, and they just hope that they're not going to make a critical mistake. But they don't make security a priority.

What can IT leaders do to deliver safe code and still meet business deadlines?

LP: Organizations that take security seriously code against standards and conduct developer-independent quality control checks. But the majority of companies don't pay attention to the problem; some will deliberately not even do security testing until the product is done. It's a cultural issue, and it starts from the top. Management has to be willing to wait a few weeks to make sure the product is secure.

What are some new or emerging cyber crimes?

LP: The use of phishing as a scam to collect data and people’s credentials is on the rise in every country that we study. It used to be easy to spot a fake email—the logo would be fuzzy and it would be riddled with spelling errors. But now the bad guys are very smart. They’ll send an email purportedly from your hospital, with the name of your doctor, for example. They may even mention a recent surgical procedure and ask for some information under the guise of making sure your prescriptions can be refilled. Once a criminal has your credentials, he or she can get inside your organization and start stealing vast amounts of sensitive information.

Another issue is that a lot of the malware that we're starting to see is so advanced that it often avoids detection. It could be dormant for long periods of time before an attack is initiated.

What about extortion? Take the fallout from the Ashley Madison hack—people were getting emails saying that they’d be outed to their spouses unless they paid up.

LP: This year we did have a few cases where the bad guys would steal information and then try extortion. They would contact the organization and basically say, “If you don't give us $25 million, we're going to post this to a website.” The bad guys that are committing these crimes are very sophisticated. They know that they can hunt for information that fits a certain category—classified, sensitive, top-secret—and it's a big deal.

A lot of companies don't want to share that experience because they think it might reflect poorly on them. But, by sharing threat intelligence and understanding what happened to company “X,” you could prevent that happening to your company, or at least be better prepared to deal with it. We're starting to see more sharing around some of these nasty attacks. But not enough yet.

What advice do you have to increase enterprise security?

LP: Make sure your ecosystem—your infrastructure—is secure, and make sure that everyone at the organization—not just the security experts—understands the basics of security. And, most importantly, if there's an issue that non-security people can’t answer, make sure they know who to call within the organization.

Setting up governance for security is vital. It shouldn't be after the fact. Make sure your security policy is strategically aligned with business objectives. This elevates the conversation: If you want to be seen as a leader in your organization, you want to be involved in strategy-setting.

And finally, focus on containment rather than prevention. If you try to have perfect prevention, you’ll pay nearly an infinite amount of money, and you’ll never get there.
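Tokenization, which Ponemon lists above among the controls that make stolen data useless to an attacker, replaces a sensitive value with a random surrogate that has no mathematical relationship to the original; the mapping lives only in a separately protected vault. The following is an added illustration written for this page, not code from the Ponemon study or from HPE. The in-memory dictionaries, the `payments-processor` role string used as a stand-in for a real authorization check, and the Luhn-valid test card number are all assumptions of the example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used on payment card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps a PAN to a random surrogate token (added example, not a product API).

    The token keeps the PAN's length and last four digits so it stays useful for
    display and reconciliation, but the rest is random: nothing about the real
    number can be derived from a token without access to this vault. Tokens are
    generated to fail the Luhn check so they can never be mistaken for, or
    replayed as, a genuine card number.
    """

    def __init__(self, index_key: bytes):
        # The reverse index is keyed by an HMAC of the PAN, so the lookup
        # structure never holds plaintext PANs as dictionary keys.
        self._index_key = index_key
        self._token_to_pan = {}        # assumption: in-memory stand-in for a vault store
        self._pan_index_to_token = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        existing = self._pan_index_to_token.get(idx)
        if existing is not None:
            return existing            # the same PAN always yields the same token
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_index_to_token[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only an explicitly authorized role may reverse a token. The role
        # string is a placeholder for a real authorization decision.
        if caller_role != "payments-processor":
            raise PermissionError("detokenization not permitted for this role")
        return self._token_to_pan[token]


def demo() -> dict:
    # Constructed sample: a well-known Luhn-valid test number, not a real account.
    pan = "4111111111111111"
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize(pan)
    try:
        vault.detokenize(token, "analyst")
        denied = False
    except PermissionError:
        denied = True
    return {
        "token": token,
        "same_token_on_repeat": vault.tokenize(pan) == token,
        "token_keeps_last4": token[-4:] == pan[-4:],
        "token_fails_luhn": not luhn_valid(token),
        "roundtrip": vault.detokenize(token, "payments-processor") == pan,
        "denied_for_analyst": denied,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is the one Ponemon makes: an application database that stores only tokens is of little value if stolen, because the attacker would also need the vault and the authorization to query it. A real deployment keeps the vault on separate, more tightly controlled infrastructure rather than in process memory as here.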

Read the Ponemon 2015 Cost of Cyber Crime Study (reg. req’d) to find out more about the global state of cyber crime. You can also use our free Cyber Crime assessment tool today, which compares your readiness to Ponemon's findings. And read "How to keep your business from being a juicy target for cyber criminals" in HPE Matter for more information.
