Cyber attacks on large US companies result in an average of $12.7 million in annual damages, an increase of 9.7 percent from the previous year, according to the fifth Cost of Cybercrime report published by the Ponemon Institute on Wednesday.

The report, sponsored this year by Hewlett Packard’s Enterprise Security division, found that business disruption and information loss account for nearly three-quarters of the cost of cybercrime incidents. The study also confirmed that companies that make security a priority have lower costs associated with security incidents during the year. In particular, companies that use technology that helps flag potential intrusions into critical systems have costs that are lower by an average of $2.6 million.

“Business disruption, information loss and the time it takes to detect a breach collectively represented the highest cost to organizations experiencing a breach,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement.

The Ponemon Institute has conducted its cost of cybercrime survey annually for each of the past five years. The report suggests that companies are unaware of what is happening on their networks. The average company took 170 days to detect an attack and an average of 31 days to resolve one, with each day adding nearly $21,000 to the cost of the attack. Attacks involving malicious insiders took the longest time, about two months, to resolve.

The cost of cybercrime varies with the size of the victims. While the Ponemon Institute focused on companies with more than 1,000 employees, the largest firms had greater costs in dealing with the fallout from cyberattacks. Yet, smaller companies had higher damages per employee, paying an estimated $1,601 per worker, compared to $437 per worker for the largest companies.

Costs were highest for energy and utility companies and the financial industry.

In addition, companies of different sizes had to deal with different primary threats, according to the survey. The most expensive attack type for smaller companies was Web-based attacks, followed by the rogues' gallery of viruses, worms, and Trojans, and finally denial-of-service attacks. Large companies spent more on denial-of-service attacks than on Web-based attacks and malicious code left by attackers.

Almost all companies surveyed had to deal with viruses, worms, and Trojan horses as well as malicious code used by attackers to compromise systems.