Grasping the estimated cost of cybercrime: how recovery can cost US$5 million

• The estimated cost of cybercrime for businesses averages US$5.34 million annually in recovery expenses.
• Fewer than half of IT security professionals feel effective in risk mitigation.
• The rise of generative AI-powered attacks and prevalent ransomware incidents emphasize the complexity and urgency of cybersecurity threats.

IT security professionals are overwhelmed by the onslaught of daily cyberattacks worldwide, and they’re well justified in feeling that way. In the first three quarters of 2023, the Identity Theft Resource Center identified a record 2,116 data compromises, surpassing the previous peak in 2021. A case in point is CareSource, a healthcare plan provider now embroiled in lawsuits due to a data breach affecting over three million people. Despite quickly patching a vulnerability within a day of notification, the breach underscores the critical nature of these threats.

So what is the estimated cost of cybercrime – and how do you go about calculating it?

Calculating the financial toll of data breaches is naturally a complex task, influenced by various factors – scope of attack, speed of detection, speed of mitigation, and others. But the associated costs of a breach are notably high, as a newly commissioned survey from the Ponemon Institute shows. The report, commissioned by Barracuda Networks, indicates that small to medium-sized enterprises could incur over US$5 million in average annual recovery costs from cyberattacks, including damages to IT assets, theft, and operational disruptions. This survey offers insights into the economic impact of today’s cybersecurity threats, termed ‘cybernomics.’

Barracuda’s Cybernomics 101 report, based on nearly 2000 responses from IT security practitioners across APAC, the US, and EMEA, explores the financial dynamics and motivations behind cyberattacks. The respondents, managing their organization’s IT security functions, provide a comprehensive overview of the financial forces shaping today’s cyberthreat landscape.

The study reveals that medium-sized enterprises, with employee numbers ranging from 100 to 5,000, face an average annual cost of US$5.34 million to recover from cyber-incidents like successful ransomware or phishing attacks. This figure encompasses expenses related to IT asset damage, theft, and operational disruptions caused by these attacks.

The business nature of cyberattacks in 2023

The survey highlights the business nature of cyberattacks, indicating a lucrative year for attackers in 2023. Respondents from a broad spectrum of industries and company sizes shared insights on the financial impacts of security compromises, including ransomware and phishing incidents. The focus was on costs stemming from data, applications, IT infrastructure compromises, and associated direct cash expenditures, labor costs, overheads, and lost business opportunities.

Barracuda’s findings on the estimated cost of cybercrime include the average cost associated with IT asset damage or theft and subsequent technical support, which is US$2.98 million. This encompasses forensic investigations, incident response, help desk, and customer service operations expenses. Additionally, the average cost of operational disruptions, including revenue loss from system downtime and performance delays, is US$2.36 million, factoring in the cost of idle time and productivity loss.

Despite understanding the severity of the threats they encounter daily, less than half (43%) of the surveyed IT security professionals rate their ability to mitigate risks, vulnerabilities, and attacks across their enterprises as very or highly effective.

Several factors contribute to this widespread sense of unpreparedness among most IT security professionals. A key issue is insufficient IT security budgets, which 55% of respondents cite as a concern. Additionally, 42% point to the lack of uniform security policies and programs across the enterprise. About 38% highlight the absence of a comprehensive inventory of third parties with access to sensitive and confidential data. Poor or nonexistent visibility into the organization’s networks and applications is a problem for 37% of respondents. Securing the supply chain presents challenges for 32%, while inadequate support from senior leadership compounds these issues.

Specifically, 25% of respondents feel that management teams do not perceive cyberattacks as a significant risk, and 19% report that senior management does not receive regular updates on their organizations’ various threats.

Incident response plans are critical for guiding security teams through managing and resolving incidents from a tactical standpoint- and for reducing the average estimated cost of any cybercrime incident. While 90% of respondents report having a security incident response plan, only half say it is consistently applied throughout the organization. The remainder report inconsistent, ad hoc application, or no application at all.

Moreover, even among organizations with an incident response plan, most test it only each quarter or twice a year, if they test it at all.

The report also examines the emerging security challenges posed by generative AI technology, highlighting concerns over its potential to increase the volume and sophistication of cyberattacks. Half of the security professionals surveyed (50%) believe AI will enable more frequent attacks, and only 39% feel their security infrastructure is prepared to counter GenAI-powered attacks.

Ransomware and the estimated cost of this cybercrime

In term of ransomware, the study found that most respondents (71%) had experienced such attacks in the past year, with 61% paying the ransom. The average highest ransom paid is US$1.38 million. Additionally, 92% reported an average of six credential compromises due to phishing or email-based threats in the past 12 months, often leading to sensitive information loss or lawsuits.

Another significant financial impact is the time IT staff spend on remediation, averaging 427 hours per staff member for investigating, cleaning, fixing, and documenting attacks. Based on an hourly rate of US$72.00, the cost per staff member averages US$30,744, totaling US$153,720 annually for a five-member team. If outsourced to a managed security service provider (MSSP), the average time spent is 504 hours.

These findings align with Barracuda’s other research reports. The 2023 Email Security Trends report indicates that 75% of surveyed organizations suffered a successful email attack in the previous 12 months, with an average cost of about US$1 million. The 2023 Spear-phishing Trends report highlights a higher cost impact for organizations experiencing spear-phishing attacks, averaging US$1.1 million for the most expensive attack compared to US$760,882 for victims of other email-based attacks.

The report also acknowledges ‘High Performers,’ a subset of respondents demonstrating effective security measures for mitigating risks. These measures include adopting a platform-based security approach, implementing privileged access rights, and regularly rehearsing security incident response plans. Fleming Shi, CTO of Barracuda, emphasizes the importance of proactive monitoring and attack detection to mitigate the impact and cost of incidents.

Mark Lukie, director of solution architects at Barracuda APAC, highlights the significant impact of cyberattacks and the importance of cyber-resilience, especially with technological advancements like generative AI being potentially harnessed by cybercriminals. He warns of the continuous threat cycle, emphasizing the need for businesses to be aware of best practices outlined in the report to reduce the impact of these attacks.

Lukie stresses that staying informed and implementing effective security measures can give organizations a crucial advantage in combating the evolving cyberthreat landscape.

Cybercrime exploded in the pandemic and immediately post-pandemic era. But what does it cost?

---

---

---