What’s the financial cost of cyberattacks to business?

A new report sheds light on the financial costs of cyberattacks, as malware and malicious insiders play an increasingly damaging role.
7 March 2019


We often hear scare stories about just how much a cyberattack would cost our businesses, on top of the damage to reputations and the loss of valuable data.

A new report by management consultancy firm Accenture, in coordination with Ponemon Institute, sheds some light on the financial impact of such attacks: the cost to companies from malware and “malicious insider”-related attacks jumped 12 percent in 2018.

Based on interviews with more than 2,600 security and IT professionals at 355 organizations worldwide, the 2019 Cost of Cybercrime Study revealed that malware cost more than US$2.6 million per company, on average, per year, a hike of 11 percent.

Meanwhile, costs due to malicious insiders — defined as employees, temporary staff, contractors and business partners — jumped 15 percent, to an average of US$1.6 million per organization.

Combined, these two types of cyberattacks accounted for one-third of the total US$13.0 million cost to companies, on average, from cybercrime in 2018, an increase of US$1.3 million in the past year.

Similarly, the cost to companies from phishing and from social engineering increased to US$1.4 million per organization, on average.

Costs were based on how much an organization spends to discover, investigate, contain and recover from cyberattacks over a four-consecutive-week period, as well as expenditures that result in after-the-fact activities.

That includes incident-response activities designed to prevent similar attacks, and efforts to reduce business disruption and the loss of customers.

“From people to data to technologies, every aspect of a business invites risk and too often security teams are not closely involved with securing new innovations,” said Kelly Bissell, Senior Managing Director of Accenture Security.

“This siloed approach is bad for business and can result in poor accountability across the organization, as well as a sense that security isn’t everyone’s responsibility.

“Our study makes it clear that it’s time for a more holistic, proactive and preventative approach to cyber risk management involving full business engagement across the entire ecosystem of partners.”

Companies in the US experienced the greatest increase in costs due to cybercrime in 2018, at 29 percent, with a cost of US$27.4 million per company, on average — at least double that of companies in any other country surveyed.

Japan was the next highest, at US$13.6 million, followed by Germany, at US$13.1 million, and the UK, at US$11.5 million. The countries with the lowest total average costs per company were Brazil and Australia, at US$7.2 million and US$6.8 million, respectively.

“Increased awareness of people-based threats and adopting breakthrough security technologies are the best way to protect against the range of cyber risks,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

“Our report not only illustrates our joint commitment with Accenture to keep security professionals informed about the nature and extent of cyberattacks but also offers practical advice for companies to improve cybersecurity efforts going forward.”

Other notable findings of the study include:

  • In 2018, surveyed companies each recorded an average of 145 cyberattacks — resulting in the infiltration of a company’s core networks or enterprise systems — an 11 percent increase over 2017 and 67 percent higher than five years ago.
  • Malware is the most expensive type of attack, costing companies US$2.6 million, on average, followed by web-based attacks, at US$2.3 million.
  • The number of organizations experiencing ransomware attacks increased by 15 percent in 2018, with the costs increasing 21 percent, to approximately US$650,000 per company, on average. The number of ransomware attacks more than tripled in the past two years.  
  • Six in seven companies (85 percent) experienced phishing and social engineering cyberattacks in 2018 — a 16 percent increase over 2017 — and three-quarters (76 percent) suffered web-based attacks.
  • Automation, orchestration and machine-learning technologies were deployed by only 28 percent of organizations — the lowest of the technologies surveyed — yet provided the second-highest cost savings for security technologies overall, at US$2.9 million.