author photo
By Dr. Larry Ponemon
Thu | Feb 9, 2017 | 8:11 AM PST

Is the fear of a costly cyber attack causing your company to reconsider potentially risky but financially lucrative changes in business strategy and innovation? For example, is your senior leadership reconsidering taking on a new supplier or business partner, making an overseas acquisition, releasing a new customer-facing application or reorganizing operations to achieve greater efficiencies because such decisions could make the company more vulnerable to cyber attacks?

The recently released 2016 Cost of Cyber Crime Study & the Risk of Business Innovation, sponsored by Hewlett Packard Enterprise, focused on the importance of thriving and innovating while simultaneously reducing the financial and reputational consequences of a cyber attack. What we determined was that a high security profile, as determined by the deployment of specific practices and technologies, will support business innovation and actually reduce the cost of cyber crime.

For purposes of this study, we define cyber attacks as criminal activity conducted via the Internet. These attacks can include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure. In this year’s study of six countries[1] the average cost of a cyber attack for the companies represented was $9.5 million, representing a 21 percent net increase in the total cost over the past year.

There are nine characteristics of innovative and cyber secure organizations

Through our interviews with both senior-level security executives and those in the trenches, we were able to see a common thread in what characterizes organizations that took on ambitious and innovative projects but were able to minimize the financial and reputational consequences of a cyber attack. These nine characteristics are listed below.

  1. Security posture  Overall, these organizations, prior to engaging in new business opportunities and changes in operations, assess potential security risks in order to improve their security posture. This includes the persistent use of security technologies such as advanced access management systems, extensive deployment of encryption technologies and enterprise deployment of GRC tools.
  1. Information management  Information loss is now the biggest financial impact of a cyber attack. Consequently, organizations with advanced backup and recovery were able to reduce the impact and ensure business continuity and data protection.
  1. Information governance  These companies deploy advanced procedures for backup and recovery operations, share threat intelligence, collaborate with industry partners on security issues and integrate security operations with enterprise risk management activities.
  1. Data protection  These organizations make investing in technologies and processes that reduce information loss a priority because they understand it is the most costly cyber attack to remediate. They are also shifting budget to the application and data layers rather than the network layers, to fortify the areas most vulnerable to information loss.
  1. Application security  Prior to the launch of customer-facing applications, these organizations do not rush to release. They ensure the necessary security is built into the applications and vulnerabilities are addressed. These companies use several application security controls such as penetration testing, security patch management and dynamic and static scanning.
  1. Detection and recovery  To reduce the time to determine the root cause of the attack and control the costs associated with a lengthy time to detect and contain the attack, these organizations are increasing their investment in technologies to help facilitate the detection process.
  1. Third-party risk  These organizations are able to reduce the risk of taking on a significant new supplier or partner by conducting thorough audits and assessments of the third party’s data protection practices.
  1. Insider threat  A possible negative consequence of reorganization or acquisition of a new company can be disgruntled or negligent employees. These organizations ensure processes and technologies are in place to manage end user access to sensitive information. Further, there are training and awareness programs in place to address risks to sensitive data caused by changes in organizational structure and new communication channels.
  1. SIEM  These companies deploy advanced security information and event management (SIEM) with features such as the ability to monitor and correlate events in real-time to detect critical threats and detect unknown threats through user behavior analytics.

Key takeaways from this study:

Information loss or theft is now the most expensive consequence of a cyber crime. In this research we look at four primary consequences of a cyber attack: business disruptions, loss of information, loss of revenue and damage to equipment. The largest cost impact from cyber crime is information loss (an average of 39 percent) followed by business disruption at 36 percent.

Applying information management and governance practices reduces the cost of cyber crime. While only 39 percent of companies represented in this research reported they deploy advance backup and recovery operations, its use reduced the average cost of cyber crime by nearly $2 million. Similarly, only 28 percent of companies reported having a formal information governance program and this was shown to reduce the cost of cyber crime by nearly $1 million.

Certain technologies enable a high level of information management and governance. The persistent use of security technologies such as advanced access management systems (49 percent of companies), extensive deployment of encryption technologies (46 percent of companies) and enterprise deployment of encryption technologies (41 percent of companies) were shown to reduce the cost of cyber crime. Companies in this study that relied on seven of the listed security tools, saw the cost of cyber crime reduced by an average of $3 million.

Business innovation impacts the cost of cyber crime and certain innovations are costlier. The acquisition or divestiture of a company was shown to increase the cost of cyber crime by 20 percent, and the launch of a significant new customer-facing application increased the cost by 18 percent. In addition, costlier attacks resulted when there was more innovation. Companies that engaged in more than five different sets of innovation experienced a cost of cyber crime greater than the $9.5 million average.

A strong security profile enabled companies to innovate and control the cost of cyber crime. Although business innovation puts companies at risk for costlier cyber attacks, companies with a high security profile can decrease the cost of cyber crime when the risk of cyber attacks increases due to innovation. In this research, innovative companies that self-reported a high security profile had an average $7.9 million cost of cyber crime, considerably lower than the average cost.

Companies that used application security controls reduced the cost of cyber crime. In this study, we asked companies to indicate the application security controls used. We found that if companies deployed between eight and nine of the application controls included, they saved almost $2 million on total cyber crime cost. If only one to three controls are used, the cost increases by an average of $2 million. Building security into application and data protection in addition to a layered approach with multiple tools can reduce the risk. Dynamic testing, static testing and run-time application self-protection were also shown to reduce costs and support innovation.

The persistent use of advanced SIEM resulted in an average savings of $2.77 million. Despite the findings that the use of advanced SIEM features resulted in an average savings of nearly $3 million, our research revealed that most SIEM features are not widely deployed. These are the ability to monitor and correlate events in real-time to detect critical threats (only 35 percent of organizations) and to detect unknown threats through user behavior analytics (only 33 percent of organizations).

The moral of the story is that while cyber threats are not going away, neither should your company’s ability to grow and prosper. We hope you will find this research helpful. Please download our report.


[1] Our benchmark study conducted 1,278 interviews in 237 companies in the following countries: United States, United Kingdom, Germany, Australia, Japan, and Brazil.