NINTH ANNUAL COST OF CYBERCRIME STUDY
UNLOCKING THE VALUE OF IMPROVED CYBERSECURITY PROTECTION

Independently conducted by Ponemon Institute LLC and jointly developed by Accenture

THE COST OF CYBERCRIME

CONTENTS

Foreword
The Cybercrime Evolution
  Nation-state, Supply Chain and Information Threats
  New Risks from Innovation and Growth
  Humans Are Still the Weakest Link
Benchmarking Cybersecurity Investment
  More Attacks and Higher Costs
  The Value at Risk from Cybercrime
  Assessing Levels of Investment
Improving Cybersecurity Protection
  Every Type of Attack Is More Expensive
  The Impact of Cyberattacks Is Rising
  Targeted Investments Tackle Cybercrime
  Security Technologies Can Make a Difference
Unlocking Cybersecurity Value
  Three Steps to Unlock Cybersecurity Value
About the Research
  Frequently Asked Questions
  Framework
  Benchmarking
  Sample
  Limitations
Contact Us

The ninth annual cost of cybercrime study helps to quantify the economic cost of cyberattacks by analyzing trends in malicious activities over time. By better understanding the impact associated with cybercrime, organizations can determine the right amount of investment in cybersecurity. Looking back at the costs of cybercrime to date is helpful, but looking forward, so that business leaders know how to best target their funds and resources, is even more beneficial. This report does just that. By understanding where they can achieve value in their cybersecurity efforts, business leaders
can minimize the consequences, and even prevent, future attacks.

OUR STUDY HELPS ORGANIZATIONS TO ADDRESS ONE OF SECURITY'S BURNING PLATFORMS. WE REVEAL HOW IMPROVING CYBERSECURITY PROTECTION CAN REDUCE THE COST OF CYBERCRIME AND OPEN UP NEW REVENUE OPPORTUNITIES TO UNLOCK ECONOMIC VALUE.

FOREWORD

Kelly Bissell, Global Managing Director, Accenture Security
Larry Ponemon, Chairman and Founder, Ponemon Institute, researchponemon.org

We are delighted to share with you this ninth edition of the Cost of Cybercrime study. Our extensive research includes in-depth interviews from more than 2,600 senior security professionals at 355 organizations. Inside, you will find insights that are relevant to security professionals and business leaders to help us all better protect our organizations. We believe these findings, together with our experience and recommendations, can help executives to innovate safely and grow with confidence.

As industries evolve and disrupt the current environment, threats are dramatically expanding while becoming more complex. This requires more security innovation to protect company ecosystems. The subsequent cost to our organizations and economies is substantial and growing. My team and I are always on hand to discuss what the latest trends mean to your business. Read on to find out what it is taking to protect your organization today and how you can convert your cybersecurity strategy to achieve greater value for tomorrow.

Once again, the Ponemon Institute is delighted to work with Accenture Security on this comprehensive Cost of Cybercrime Study. From a relatively modest start, we have now grown the scope of our research to include 11 countries and 16 industry sectors. We have extended our research timeline, too. This year, we have collaborated with Accenture to model the financial impact of cybercrime across these industries over the next five years, to get a better understanding of how cybersecurity strategies can make a difference in the future. We feel sure that this report will be a useful guide as you attempt to navigate the cyber threatscape.

We know that our work is being actively used today by prestigious organizations, such as the World Economic Forum and the United States Government, to help shape defenses. The Ponemon Institute is proud to team with Accenture to produce these research findings. We believe this report not only illustrates our joint commitment to keeping you informed about the nature and extent of cyberattacks, but also offers you practical advice to improve your cybersecurity efforts going forward.

FEW ORGANIZATIONS WOULD RESIST THE CHANCE TO REDUCE THEIR OVERALL COST OF CYBERCRIME. WHAT IF THEY COULD ALSO OPEN UP NEW REVENUE OPPORTUNITIES AT THE SAME TIME?

Our 2019 Cost of Cybercrime study, now in its ninth year, offers that enticing prospect. In this report we show how better protection from people-based attacks, placing a priority on limiting information loss, and adopting breakthrough security technologies can help to make a difference.

THE CYBERCRIME EVOLUTION

The 2019 Cost of Cybercrime study combines research across 11 countries in 16 industries. We interviewed 2,647 senior leaders from 355 companies and drew on the experience and expertise of Accenture Security to examine the economic impact of cyberattacks.

In an ever-changing digital landscape, it is vital to keep pace with the trends in cyber threats. We found that cyberattacks are changing due to:

Evolving targets: Information theft is the most expensive and fastest rising consequence of cybercrime, but data is not the only target. Core systems, such as
industrial control systems, are being hacked in a powerful move to disrupt and destroy.

Evolving impact: While data remains a target, theft is not always the outcome. A new wave of cyberattacks sees data no longer simply being copied but being destroyed, or changed, which breeds distrust. Attacking data integrity is the next frontier.

Evolving techniques: Cybercriminals are adapting their attack methods. They are using the human layer, the weakest link, as a path to attacks, through increased phishing and malicious insiders. Other techniques, such as those employed by nation-state attacks to target commercial businesses, are changing the nature of recovery, with insurance companies trying to classify cyberattacks as an “act of war” issue.

Let's take a closer look at the challenges we face as cybercrime evolves:

NATION-STATE, SUPPLY CHAIN, AND INFORMATION THREATS

Organizations of all sizes, geographic locations and industries globally have been plagued by the financial, reputational and regulatory consequences of cybercrime. In the last year, we saw a significant rise in economic espionage, such as the theft of high-value intellectual property by nation-states. In the Accenture 2018 Threatscape Report [1] we highlighted the emergence of nation-state activity, such as Iran-based threat actors. Iranian threat groups associated with the regime are likely to continue to grow their malicious activities and capabilities in the foreseeable future. The increased repurposing of popular malware by Iranian-based threat actors could lead to the use of ransomware for destructive purposes by state-sponsored organizations.

Extended supply chain threats are also challenging organizations' broader business ecosystem. Cyberattackers have slowly shifted their attack patterns to exploit third- and fourth-party supply chain partner environments to gain entry to target systems, including industries with mature cybersecurity standards, frameworks, and regulations.

New regulations aim to hold organizations and their executives more accountable in the protection of information assets and IT infrastructure. The General Data Protection Regulation (GDPR) came into force on May 25, 2018 with potential fines up to US$23 million (€20 million) or four percent of annual global revenues. The French data regulator (CNIL) issued the largest GDPR fine so far: US$57 million (€50 million). Similar regulations, such as the California Consumer Privacy Act (CCPA), impose smaller fines (US$7,500 per violation) but highlight the increasing regulatory risks for businesses globally.

[1] Cyber Threatscape Report 2018, Midyear Cybersecurity Review, Accenture. https:/

NEW RISKS FROM INNOVATION AND GROWTH

According to the Accenture report “Securing the Digital Economy,” [2] businesses have never been more dependent on the digital economy and the Internet for growth. Fewer than one in four companies relied on the Internet for their business operations 10 years ago; now, it is 100 percent. A trustworthy digital economy is critical to their organization's future growth according to 90 percent of business leaders, but the drive for digital innovation is introducing new risks. While
Internet dependency and the digital economy are flourishing, 68 percent of business leaders said their cybersecurity risks are also increasing. Almost 80 percent of organizations are introducing digitally fueled innovation faster than their ability to secure it against cyberattackers. No wonder, then, that cyberattacks and data fraud or theft are now two of the top five risks CEOs are most likely to face according to the latest World Economic Forum report on global risks. [3]

[2] Securing the digital economy, Accenture. https:/
[3] WEF Global Risks Report 2019. http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf

HUMANS ARE STILL THE WEAKEST LINK

Whether by accident or intent, many employees are often the root cause of successful cyberattacks. Executives polled in the Accenture 2018 State of Cyber Resilience survey identified the accidental publication of confidential information by employees and insider attacks as having the greatest impact, second only to hacker attacks in successfully breaching their organizations. [4]

Today, the security function is largely centralized and its staff are rarely included when new products, services, and processes, all of which involve some sort of cyber risk, are being developed. Such a siloed approach can result in a lack of accountability across the organization and a sense that security is not everyone's responsibility. Only 16 percent of CISOs said employees in their organizations are held accountable for cybersecurity today.

Providing ongoing training and skill reinforcement, for instance, with phishing tests, is essential, alongside training and education. Employees need the tools and incentives to help them to define and address risks. New work arrangements (greater use of contractors and remote work) make the need for employee training more urgent. Even so, training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets. [5]

To embed cybersecurity into the fabric
of the organization and be effective against any insider threats, organizations must bring together human resources, learning and development, legal and IT teams to work closely with the security office and business units.

[4] 2018 State of Cyber Resilience, Accenture. https:/
Awareness Training Explosion, Cybersecurity Ventures, February 6, 2017. https:/

BENCHMARKING CYBERSECURITY INVESTMENT

Against the backdrop of this challenging environment, our research reveals that cybercrime is increasing in size and complexity. Based on the trends identified in previous publications, this may not come as a surprise. However, this year our report offers an additional perspective: a forward-looking projection of the economic value at risk from future cyberattacks in the next five years.

MORE ATTACKS AND HIGHER COSTS

As the number of cyberattacks increases, and they take more time to resolve, the cost of cybercrime continues to rise. In the last year, we have observed many stealthy, sophisticated and targeted cyberattacks against public and private sector organizations. Combined with the expanding threat landscape, organizations are seeing a steady rise in the number of security breaches, from 130 in 2017 to 145 this year (see Figure 1).

FIGURE 1 The increase in security breaches. Average number of security breaches: 130 in 2017, 145 in 2018. Increase in the last year: +11%. Increase in the last 5 years: 67%.

For purposes of this study, we define cyberattacks as malicious activity conducted against the organization through the IT infrastructure via the internal or external networks, or the Internet. Cyberattacks also include attacks against industrial control systems (ICS). A security breach is one that results in
the infiltration of a company's core networks or enterprise systems. It does not include the plethora of attacks stopped by a company's firewall defenses.

The impact of these cyberattacks to organizations, industries and society is substantial. Alongside the growing number of security breaches, the total cost of cybercrime for each company increased from US$11.7 million in 2017 to a new high of US$13.0 million, a rise of 12 percent (see Figure 2). Our detailed analysis shows that Banking and Utilities industries continue to have the highest cost of cybercrime across our sample with an increase of 11 percent and 16 percent respectively. The Energy sector remained fairly flat over the year with a small increase of four percent, but the Health industry experienced a slight drop in cybercrime costs of eight percent (see Figure 3).

FIGURE 2 The increase in the annual cost of cybercrime. Average cost of cybercrime: $11.7m in 2017, $13.0m in 2018. Increase in the last year: +12%. Increase in the last 5 years: 72%.

FIGURE 3 The average annual cost of cybercrime by industry (US$ millions; legend: 2017, 2018)

Our country analysis included Brazil, Canada, Singapore and Spain for the first time. For the other countries, the United States continues to top the list with the average annual cost of cybercrime increasing by 29 percent in 2018 to reach US$27.4 million. But the highest increase of 31 percent was experienced by organizations in the United Kingdom which grew to US$11.5 million, closely followed by Japan which increased by 30 percent in 2018 to reach US$13.6 million on average for each organization. The increase in Germany was considerably lower than 2017. German companies made significant technology investments in 2017, possibly driven by preparations for the introduction of GDPR, thus driving costs up at a higher rate than all other countries. This has now reverted to more historical levels of investment (see Figure 4).

FIGURE 4 The average annual cost of cybercrime by country

Our analysis of almost 1,000 cyberattacks highlighted malware as the most frequent attacks overall and, in many countries, the most expensive to resolve. People-based attacks show some of the largest increases over the year. The number of organizations