HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ponemon 2015 Cost of Cyber Crime Study Published

The Ponemon Institute has published its 6th Annual Cost of Cyber Crime Study. Each year the organization assesses the financial impact of cyber crime and data breaches caused by hackers and other criminals. This year’s data show the cost of dealing with data breaches and cyberattacks has risen substantially, with the average cost of remediation following a criminal attack now at $15 million in the United States. Globally, the cost of dealing with attacks ranged from $1.9 million to $65 million.

The Ponemon Institute partnered with HP for the study, which assessed the cost of cyberattacks affecting both the public and private sector in seven countries around the world (U.S., U.K., Germany, Japan, Brazil, the Russian Federation and Australia). In addition to estimating the cost of crime, the study also offers some insight into how organizations can deal with the threat of attack and minimize the financial impact when criminals strike.


Cost of Cyber Crime has Increased 20% Year on Year


Ponemon/HP determined that the cost of cyber crime has risen 20% year on year, with this year’s figures representing an increase of 82% from 2010 when the first study was conducted. The complexity of the attacks has increased over the past 6 years, and organizations now have to spend longer dealing with the aftereffects of criminal attacks. It now takes an average of 46 days to resolve a data breach, 30% longer than in 2010.

In the U.S., companies have invested heavily in robust cybersecurity defenses, such as advanced intrusion detection systems. Those investments have had a positive impact, and have been shown to significantly reduce the costs of dealing with cyber crime, as well as reducing the time it takes to respond to an attack.


Sue Barsamian, senior vice president and general manager of HP Enterprise Security Products, explained that over the years the attack surface has increased substantially as organizations introduce new technologies and take advantage of the Internet of Things, mobile technology and cloud services. The risks of attack have increased significantly as a result, and organizations have had to invest more heavily in defenses to address those security risks.

She pointed out that 6 years ago, standard defenses were primarily network and perimeter management controls, but now additional defenses are required. Organizations must also implement a number of measures to protect applications and interactions among users. Further protections are also required to safeguard stored and transmitted data.

Security Budgets have Increased 33% over the Past 2 Years


These additional protections have seen the cost of securing networks, devices and data rise substantially. The study suggests that as much as 20% of the security budget is now being diverted to securing the application layer. Security budgets have similarly been increased. Data security measures are now costing organizations 33% more than two years ago.

Perhaps unsurprisingly, the cost of dealing with cyber crime and associated data breaches increases with the size of an organization. Larger organizations hold greater volumes of data, and the cost of remediation – victim notifications, credit monitoring services, identity theft protection etc. – naturally increases with a greater victim count. However, smaller organizations were shown to have higher per capita costs.

DoS Attacks, Malicious Insider and Outsider Attacks are the Most Costly


Malicious insiders, malicious outsiders and DoS attacks cost the most to deal with, while attacks by malicious insiders were found to take the longest to resolve. Organizations spent an average of 63 days dealing with insider attacks, compared to an average of 46 days for all forms of attack by cybercriminals.

Data theft resulted in the highest costs, accounting for 42% of the total external costs. 36% of external costs came as a result of disruption to the business and/or lost productivity. The biggest internal costs were detection and recovery.

Investment in Security Intelligence Technologies Significantly Reduces the Cost of Cyber Crime


When investment was made in encryption technologies, or in security systems to protect against data loss, the cost of cyber crime was significantly reduced. The initial cost of security intelligence technologies may be high, but in the long run the study shows the investment really does pay off.

The study showed that the use of data encryption technologies reduced the costs otherwise incurred by 57%. Access governance tools reduced costs by 45%, data loss prevention technologies by 38% and policy management tools by 36%.

A Security Information and Event Management System (SIEM) resulted in an average annual cost saving of $3.7 million, comparing companies using SIEM to those that did not. Investing in people was also important. When certified security personnel were employed to protect an organization from criminal attacks, an average of $2.8 million was saved each year. A high-level security leader saved companies around $2 million per annum.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, announced the results of the Cost of Cyber Crime Study, and explained, “Understanding of the financial impact [of cyber crime] can help organizations determine the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.” He went on to say, “the return on investment for organizations deploying security intelligence systems, such as SIEM, realized an average annual cost savings of nearly $4 million – showcasing the ability to minimize impact by more efficiently detecting and containing cyber-attacks.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.