Cyber attacks are costing large Australian enterprises an average of $4.3 million a year, and as much as $8.3 million a year in the worst-hit sector, but the real costs could be much higher.

In a study sponsored by HP Enterprise Security, the US-based Ponemon Institute questioned 30 large Australian organisations on their experience with cyber attacks over a four-week period and extrapolated its findings to a full year. It found that each organisation was the victim, on average, of 1.6 successful attacks every week.

Ponemon calculated the average annual cost for organisations across all industry sectors at $4.3 million. Companies in the energy and utilities sector had the highest average cost at $8.3 million, while the retail sector had the lowest, at $1.4 million annually.

The study found business disruption was the largest component of the external cost of breaches, at 40 per cent of the total, followed by information loss at 29 per cent, and revenue loss at 25 per cent.

“Internally, cybercrime detection and recovery activities account for 53 per cent of total internal activity cost … followed by containment and investigation (20 per cent and 14 per cent, respectively),” the report said.

However James Turner, IT security industry analyst with IBRS, questioned whether such cost estimates reflect the true external or internal cost, particularly the human cost – the impact on staff.

“It really does depend on how far you want to measure, and whether you are measuring the right things. Does the cost of responding to a breach factor-in the lost opportunity cost of what else you could have been doing?” he said.

“I have yet to see a survey that factors in the psychological impact on the people within the organisation who are dealing with breaches. I think this is something everyone is going to become increasingly aware of.”

Mr Turner predicted that organisations could face compensation claims.

“These people are victims of crime. There will come a point when they’re going to say they have been traumatised, and that will create additional costs. I’ve spoken to people who were involved in a very significant attack and they said it had a very big impact on a couple of the team.”

Ponemon found that, on average, it took 23 days for an organisation to resolve a cyber attack, and Mr Turner said this would be a period of great stress for the personnel involved. “Security people are going to be working extra hours, and this is not the sort of problem that they will leave at the door when they go home.”

In addition, he said it was important to undertake thorough forensic investigations to understand how the attack had been carried out and to ensure that the attacker had not left any backdoors for later use, but security personnel were often pressured to skip these.

“Forensics takes a long time and a lot of effort. You have to take systems offline. Unless there is any chance of prosecuting someone and getting money back most businesses will say: ‘I don’t care about the forensics, just get everything up and running’.”

Shane Bellos, general manager, Enterprise Security Products with HP South Pacific, said the study showed most organisations did not spend their security budget optimally, allocating the bulk to perimeter protection such as firewalls and intrusion detection devices and too little to security intelligence technologies.

The study found that companies using security intelligence systems were able to deal with attacks at lower cost than those that did not.

“Better network protection is not where people should be spending their limited security budgets,” Mr Bellos said.

“I would urge chief information officers, chief security officers and board members to read this report and ask the right questions: ‘Are we driving the right security strategy? Are we building the right security posture for our organisation?’”

On Thursday, Telstra released its first Cyber Security Report. Based on data gathered through its network and partners, and on interviews, it found 41 per cent of organisations surveyed had experienced a major cyber security incident in the past three years.

It also found 45 per cent of internet security incidents were the result of staff clicking on malicious attachments or links within emails.

source: The Age