Organisations are spending 22.7 per cent more on cyber security this year than they did last year, according to the 2017 Cost of Cyber Crime Study from the Ponemon Institute and Accenture.
Cyber crime now costs businesses an average of $11.7 million (£8.8 million), up from $9.5 million the previous year. However, not all industries suffer the same level of financial loss, with this figure rising to an average of more than $17 million for businesses in the financial services and energy and utilities sectors.
The UK experienced a rise of 21.2 per cent in cyber crime costs between 2016 and 2017. This was the lowest increase of all nations evaluated, while Germany recorded the highest, at 42.4 per cent.
In the UK, malware is the most common form of cyber threat, making up 18 per cent of all attacks. Web-based attacks are the second most common form (17 per cent), while denial-of-service attacks are the third most prevalent (15 per cent).
Meanwhile, according to the research, the number of successful breaches a year per company has risen by more than 27 per cent in the last year, from an average of 102 to 130, with ransomware attacks alone having doubled in frequency. Ransomware attacks rose from 13 per cent to 27 per cent, with incidents like WannaCry and Petya affecting thousands of targets and disrupting public services and large corporations across the world, including the UK’s NHS.
Cyber criminals have also been found to be evolving new business models, such as ransomware as a service, which means that attackers are finding it easier to scale cyber crime globally.
Among the organisations studied for the report, information loss comprised the largest cyber crime cost component, with a rise from 35 per cent in 2015 to 43 per cent in 2017. The report authors said it is “this threat landscape that demands organisations re-examine their investment priorities to keep pace with these more sophisticated and highly motivated attacks”.
The report found that spending on governance, risk and compliance (GRC) technologies is not a guaranteed fast track to better security. It revealed that enterprise-wide deployment of GRC technology and automated policy management showed the lowest effectiveness in reducing cyber crime costs (nine per cent and seven per cent respectively) out of nine enabling security technologies.
According to the report, although compliance technology remains important, organisations should ensure they are spending at an appropriate level to achieve the required capability and effectiveness, which then enables them to “free up funds for breakthrough innovations”.
It takes businesses an average of 50 days to resolve a malicious insider attack, while it takes 23 days to resolve a ransomware attack.