Breaking News Emails
These days, cyberattacks on major American companies make headlines almost daily. But how much do these hacks hurt? U.S. firms now shell out an average of $15 million apiece on cybercrime each year, according to a new study.
Research firm the Ponemon Institute published its annual "Cost of Cyber Crime" study Tuesday morning, and this year's report polled 58 U.S.-based companies about their security-related spending. The U.S. average of $15 million per year is one-fifth higher than last year, and it represents an 82 percent jump since Ponemon started issuing the report in 2010.
It's a sobering financial increase that reflects the growing number of sophisticated cyberattacks. But it also shows American firms are taking cyber threats seriously, Larry Ponemon, the founder of the Institute, told NBC News in an interview.
"Some countries assume everything is under control, or they'd rather have their heads in the sand," Larry Ponemon, the founder of the Institute, told NBC News. "In the U.S., executives are realizing they need more C-suite involvement in security."
"It used to be, 'That’s the security guy. We don’t really know what he or she does,'" Ponemon added. "Now executives are proactively asking, 'What are we doing about security?"
How much a company will, or can, do varies based on its sector and size. That $15 million annualized U.S. average Ponemon reported represents a massive range: $1.9 million to $65 million each year among the 58 companies polled.
And it's easier for a national big-box retailer chain with a dedicated security team to deal with the fallout than for a mom-and-pop shop. Large firms spend an average of $667 per employee on cybercrime on an annualized basis, while the smaller guys shell out a whopping $1,571.
It now takes a company about 46 days from the date of discovery to resolve a cyberattack, according to the study, which was funded by Hewlett-Packard's security arm.
"Attackers are becoming increasingly sophisticated, so the days of being able to conduct the forensics quietly are long gone," Andrzej Kawalec, HP's CTO for enterprise security services. "Now it has to be done in the public eye, across jurisdictions. It's a PR response as much as a technical response."
Two big U.S. companies felt that pain just last week. On Friday, online discount broker Scottrade said it is notifying 4.6 million customers about a data breach that lasted from late 2013 to early 2014 and targeted client names and addresses.
That revelation came one day day after credit reporting agency Experian announced that a data breach exposed private personal data of 15 million people who applied for T-Mobile wireless services.
The pair of breaches were disclosed the first two days of October, which is National Cyber Security Awareness Month -- a collaborative effort by government and industry to inform Americans about ways to stay secure online.