Censys: The World of Attack Surface Management
"The direct cost of cybercrime is enormous," according to a new survey from Osterman Research. Despite this, the vast majority of organisations suffered some type of security breach during the 12 months preceding the survey.
The cost of cybercrime
Out of a total of 900 security professionals, only 27% reported no attacks of which they were aware. The average global expenditure for remediating a single event was just under $290,000. However, this ranged from a low of $249,562 in the UK to a high of $429,133 in the United States. The greatest expenditure went to various software and hardware solutions used for recovery. In addition to this, companies spent a large amount on IT and other labour for remediation.
Overall, these solutions accounted for 60% of the recovery costs, although legal fees and fines also imposed a significant financial penalty. In terms of overall security budgets, the UK spent the largest proportion (17%) on remediation. The US spent the second largest proportion of the countries surveyed, at 14.7% of its total budget.
Threats that have impacted organisations
In the 12 months preceding the survey, the most common type of attack was phishing at 44%. Adware or spyware was the second most common attack at 41%, followed by ransomware at 26%. Spearphishing amounted to 20% of attacks, while accidental data breaches stood at 17%. International data breaches made up 9% of attacks, and nation-state and hacktivist attacks amounted to 2% each. Mid-market organisations (those with 500 to 999 employees) actually received slightly more phishing attacks than larger companies and significantly more than smaller firms.
It is therefore important to note that "as the size of the organisation increases, so does the likelihood of becoming a victim of cybercrime." The type of attack also differed greatly from country to country. In Germany, 63% of organisations considered ransomware a “very serious” threat compared to just 30% of UK-based firms. In contrast, 43% of US-based companies considered nation-state attacks/APTs to be “very serious”, while 14% of Australian organisations said the same. Overall, the data revealed that German organisations rate the seriousness of various types of security threats much higher, while UK-based companies are, on balance, less concerned.