Ponemon Institute has released its 2014 Global Report on the Cost of Cyber Crime, based on regional Cost of Cyber Crime studies for 11 countries, including France, Germany and Italy. This post summarises the key findings of the European studies, and shows what you can do to protect yourself from cyber security risks using the international standard for best-practice information security management, ISO 27001. For more information on the findings, please refer to Ponemon Institute’s regional Cost of Cyber Crime studies.

France

Cyber crimes continue to be very costly for organisations. The mean annualised cost for the sampled organisations was €4.8 million, a 20.5% increase on last year.

Cyber crime cost varies by organisational size. Small organisations incur a significantly higher per capita cost than larger organisations (€2,834 versus €324).

All industries fall victim to cyber crime, but to different degrees. Energy, utilities, financial services and technology organisations experience higher costs than media, public sector and retail organisations.

The most costly cyber crimes are those caused by viruses, worms and Trojans, malware, and web-based attacks. These account for 45% of all cyber crime costs per organisation annually.

Cyber attacks can get costly if not resolved quickly. The average time to resolve a cyber attack was 43 days, with an average cost to affected organisations of €561,553. Malicious insider attacks take on average more than 63 days to contain.

Business disruption represents the highest external cost, followed by the costs associated with information loss. Business disruption accounts for 40% of total external costs; information theft accounts for 32%.

Detection and recovery are the most costly internal activities, together accounting for 63% of internal costs.

Activities relating to IT security in the network layer receive the highest budget allocation.

Deployment of security intelligence systems makes a difference. Companies that use security intelligence technologies saved an average of €1.9 million compared to those that don’t.

A strong security posture moderates the cost of cyber attacks. The more effective an organisation’s security, the lower the cost it incurs as the result of a cyber attack. Data loss prevention tools have a slightly higher return on investment than other technologies.

Deployment of enterprise security governance practices moderates the cost of cyber crime. Companies that achieve certification to industry-leading standards save an estimated €1.1 million on average.

Germany

Cyber crimes continue to be very costly for organisations. The mean annualised cost for the sampled organisations was €6.1 million, a 7% increase on last year.

Cyber crime cost varies by organisational size. Small organisations incur a significantly higher per capita cost than larger organisations (€1,354 versus €443).

All industries fall victim to cyber crime, but to different degrees. Energy, utilities, financial services and technology organisations experience higher costs than media, hospitality and retail organisations.

The most costly cyber crimes are those caused by phishing and social engineering, and web-based attacks. These account for more than 35% of all cyber crime costs per organisation annually.

Cyber attacks can get costly if not resolved quickly. The average time to resolve a cyber attack was 21 days, with an average cost to participating organisations of €358,074. Malicious insider attacks take on average more than 54 days to contain.

Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. Information theft accounts for 45% of total external costs; business disruption accounts for 29%.

Containment and recovery are the most costly internal activities. Recovery and detection combined account for 37% of total internal costs.

Activities relating to IT security in the network layer receive the highest budget allocation.

Deployment of security intelligence systems makes a difference. Companies that use security intelligence technologies saved an average of €2.4 million compared to those that don’t.

A strong security posture moderates the cost of cyber attacks. The more effective an organisation’s security, the lower the cost it incurs as the result of a cyber attack. Companies deploying encryption technologies experienced a substantially higher ROI (at 23%) than all other technology categories represented.

Deployment of enterprise security governance practices moderates the cost of cyber crime. Companies that achieve certification to industry-leading standards save an estimated €481,514 on average.

Italy

The cost of data breaches increased. The cost per lost or stolen record rose from €95 in 2013 to €102 in 2014. The total organisational cost of a data breach rose from €1.73 million in 2013 to €1.93 million in 2014.

Customers often terminated their relationship with the company that had a data breach. Customer losses following a data breach increased by an average of 6.8%. Pharmaceutical, financial and service organisations were more susceptible to high customer losses, hence their higher data breach costs.

Negligence and malicious or criminal attacks were the primary root causes of data breach for Italian companies. 35% of organisations cite negligent employees or contractors as the main cause of data loss, 35% blame malicious attacks, and 30% blame system and business process failures.

Detection and escalation costs increased, rising from €620,000 in 2013 to €670,000 in 2014. Organisations are advised to assess what processes and technologies are needed.

Lost business costs continued to grow substantially. On average, the cost of lost business increased from €601,000 in 2013 to €709,000 in 2014.

Certain factors decreased data breach costs. Organisations with incident response plans, business continuity plans and strong security postures, and those that employ CISOs and engage consultants, all experienced cost savings.

Certain factors increased data breach costs. Organisations suffering breaches caused by third parties, those that had devices lost or stolen, and those that were quick to notify the appropriate personnel of data breaches all experienced an increase in overall costs.

Notification costs declined. The average cost of notifying appropriate personnel fell from €0.056 million in 2013 to €0.039 million in 2014.

ISO 27001

ISO 27001 is the international standard that sets out the specifications of an information security management system (ISMS). An ISO 27001-compliant ISMS provides a holistic approach to information security, encompassing people, processes and technology. Certification to the Standard will reassure your clients and stakeholders that you are following international best practice and, as the Ponemon Institute studies summarised above suggest, can create considerable cost savings by preparing you for information security incidents.

IT Governance has created four packaged solutions that will enable you to implement ISO 27001 at a speed and budget that is appropriate for your individual needs and preferred project approach. Each fixed-price solution is a combination of products and services that can be accessed online and deployed by any company in the world.

On special offer this month, the Get A Little Help package contains the core ISO27001 standards, two guidance manuals, implementation tools and access to our live online training.

If you want further information on information security and ISO27001, download our free green paper here.