The Ponemon Institute recently published the First Annual Cost of Cyber Crime Study. Download here. The study was conducted by Ponemon, an independent research group with a focus on privacy and data protection, and ArcSight, a security and compliance management provider. The study involved a benchmark cost analysis of 45 different companies ranging from 500 employees to over 100,000.
Here are the significant points from the executive summary:
- The median cost of cyber crimes for the 45 organizations was $3.8 million per year (ranging from $1 million to $52 million)
- Cyber attacks are the most common occurrence
- The most costly attacks (amounting to 90% of the attacks) are web attacks, malicious code, and malicious insiders
- The companies in the study were experiencing 50 successful attacks per week
- Average number of days to address a cyber attack was 14 days, with insider attacks taking more than a month
- Costs for company compliance depended greatly on the level of security programs at each company
The study defined cyber attack as any criminal activity conducted via the Internet, including theft of intellectual property, confiscating online information and accounts, distributing viruses, and disclosure of confidential information. The study referred to some well publicized cases of cyber attack, such as TJX companies, which I posted about on this blog previously.
What should you do if you or your Connecticut business has been a victim of cyber attack?
- Act quickly. Responding quickly to a cyber attack is essential. Hopefully, your business has developed a data loss and privacy plan that will address the steps your business should take in response to a cyber attack. There should be a dedicated response team and protocol for any such event.
- Determine whether notification is necessary. Depending on the nature of the attack and the information compromised, notification of consumers, customers, or governmental authorities may be required.
- Consult a privacy attorney and business litigation attorney to determine what legal steps might be taken to address the attack. For example, if there was an identifiable person or group responsible, such as an insider or a competitor, there may be criminal or civil remedies for computer crimes that provide for the recovery of damages.
- Determine if insurance is available to cover the damages from the cyber attack. See some of my prior posts on insurance to address data loss and security breach. Also, read this article by Tom Risen of the National Journal that summarizes the potential solutions that insurers offer to businesses in the United States.
Although the Ponemon study involved large companies, many experts in the field suspect that small businesses are equally, if not more, exposed to cyber attacks. Therefore, regardless of the size of your company, it is a good idea to have a risk management audit to determine your company’s ability to respond to a cyber attack. Advance planning is critical to mitigating damages from cyber attacks.