NINTH ANNUAL COST OF CYBERCRIME STUDY UNLOCKING THE VALUE OF IMPROVED CYBERSECURITY PROTECTION Independently conducted by Ponemon Institute LLC and jointly developed by Accenture THE COST OF CYBERCRIMECONTENTS Foreword 4 The Cybercrime Evolution 6 Nation-state, Supply Chain and Information Threats 6 New Risks from Innovation and Growth 8 Humans Are Still the Weakest Link 9 Benchmarking Cybersecurity Investment 10 More Attacks and Higher Costs 10 The Value at Risk from Cybercrime 14 Assessing Levels of Investment 15 Improving Cybersecurity Protection 17 Every Type of Attack Is More Expensive 17 The Impact of Cyberattacks Is Rising 18 Targeted Investments Tackle Cybercrime 21 Security Technologies Can Make a Difference 24 Unlocking Cybersecurity Value 27 Three Steps to Unlock Cybersecurity Value 27 About the Research 30 Frequently Asked Questions 30 Framework 32 Benchmarking 36 Sample 38 Limitations 41 Contact Us 44The ninth annual cost of cybercrime study helps to quantify the economic cost of cyberattacks by analyzing trends in malicious activities over time. By better understanding the impact associated with cybercrime, organizations can determine the right amount of investment in cybersecurity. Looking back at the costs of cybercrime to date is helpful but looking forward, so that business leaders know how to best target their funds and resources, is even more beneficial. This report does just that. By understanding where they can achieve value in their cybersecurity efforts, business leaders can minimize the consequencesand even preventfuture attacks. OUR STUDY HELPS ORGANIZATIONS TO ADDRESS ONE OF SECURITYS BURNING PLATFORMS. WE REVEAL HOW IMPROVING CYBERSECURITY PROTECTION CAN REDUCE THE COST OF CYBERCRIME AND OPEN UP NEW REVENUE OPPORTUNITIES TO UNLOCK ECONOMIC VALUE.FOREWORD Kelly Bissell Global Managing Director Accenture Security kelly.bissellaccenture Larry Ponemon Chairman and Founder Ponemon Institute researchponemon We are delighted to share with you this ninth edition of the Cost of Cybercrime study. Our extensive research includes in-depth interviews from more than 2,600 senior security professionals at 355 organizations. Inside, you will find insights that are relevant to security professionals and business leaders to help us all better protect our organizations. We believe these findings, together with our experience and recommendations, can help executives to innovate safely and grow with confidence. As industries evolve and disrupt the current environment, threats are dramatically expanding while becoming more complex. This requires more security innovation to protect company ecosystems. The subsequent cost to our organizations and economies is substantial and growing. My team and I are always on hand to discuss what the latest trends mean to your business. Read on to find out what it is taking to protect your organization today and how you can convert your cybersecurity strategy to achieve greater value for tomorrow. Once again, the Ponemon Institute is delighted to work with Accenture Security on this comprehensive Cost of Cybercrime Study. From a relatively modest start, we have now grown the scope of our research to include 11 countries and 16 industry sectors. We have extended our research timeline, too. This year, we have collaborated with Accenture to model the financial impact of cybercrime across these industries over the next five yearsto get a better understanding of how cybersecurity strategies can make a difference in the future. We feel sure that this report will be a useful guide as you attempt to navigate the cyber threatscape. We know that our work is being actively used today by prestigious organizations, such as the World Economic Forum and the United States Government, to help shape defenses. The Ponemon Institute is proud to team with Accenture to produce these research findings. We believe this report not only illustrates our joint commitment to keeping you informed about the nature and extent of cyberattacks, but also offers you practical advice to improve your cybersecurity efforts going forward. 4 > 9TH ANNUAL COST OF CYBERCRIME STUDYFEW ORGANIZATIONS WOULD RESIST THE CHANCE TO REDUCE THEIR OVERALL COST OF CYBERCRIME. WHAT IF THEY COULD ALSO OPEN UP NEW REVENUE OPPORTUNITIES AT THE SAME TIME? Our 2019 Cost of Cybercrime study, now in its ninth year, offers that enticing prospect. In this report we show how better protection from people-based attacks, placing a priority on limiting information loss, and adopting breakthrough security technologies can help to make a difference.THE CYBERCRIME EVOLUTION The 2019 Cost of Cybercrime study combines research across 11 countries in 16 industries. We interviewed 2,647 senior leaders from 355 companies and drew on the experience and expertise of Accenture Security to examine the economic impact of cyberattacks. In an ever-changing digital landscape, it is vital to keep pace with the trends in cyber threats. We found that cyberattacks are changing due to: Evolving targets: Information theft is the most expensive and fastest rising consequence of cybercrimebut data is not the only target. Core systems, such as industrial control systems, are being hacked in a powerful move to disrupt and destroy. Evolving impact: While data remains a target, theft is not always the outcome. A new wave of cyberattacks sees data no longer simply being copied but being destroyedor changedwhich breeds distrust. Attacking data integrity is the next frontier. Evolving techniques: Cybercriminals are adapting their attack methods. They are using the human layerthe weakest linkas a path to attacks, through increased phishing and malicious insiders. Other techniques, such as those employed by nation-state attacks to target commercial businesses, are changing the nature of recovery, with insurance companies trying to classify cyberattacks as an “act of war” issue. Lets take a closer look at the challenges we face as cybercrime evolves: NATION-STATE, SUPPL Y CHAIN, AND INFORMATION THREATS Organizations of all sizes, geographic locations and industries globally have been plagued by the financial, reputational and regulatory 6 > 9TH ANNUAL COST OF CYBERCRIME STUDYconsequences of cybercrime. In the last year, we saw a significant rise in economic espionage, such as the theft of high-value intellectual property by nation-states. In the Accenture 2018 Threatscape Report 1we highlighted the emergence of nation-state activity, such as Iran-based threat actors. Iranian threat groups associated with the regime are likely to continue to grow their malicious activities and capabilities in the foreseeable future. The increased repurposing of popular malware by Iranian-based threat actors could lead to the use of ransomware for destructive purposes by state-sponsored organizations. Extended supply chain threats are also challenging organizations broader business ecosystem. Cyberattackers have slowly shifted their attack patterns to exploit third- and fourth-party supply chain partner environments to gain entry to target systemsincluding industries with mature cybersecurity standards, frameworks, and regulations. New regulations aim to hold organizations and their executives more accountable in the protection of information assets and IT infrastructure. The General Data Protection Regulation (GDPR) came into force on May 25, 2018 with potential fines up to US$23 million (20 million) or four percent of annual global revenues. The French data regulator (CNIL) issued the largest Information theft is the most expensive and fastest rising consequence of cybercrime. THE CYBERCRIME EVOLUTION 1. Cyber Threatscape Report 2018, Midyear Cybersecurity Review, Accenture. accenture/us-en/insights/security/cyber-threatscape-report-2018 7 > 9TH ANNUAL COST OF CYBERCRIME STUDYTHE CYBERCRIME EVOLUTION GDPR fine so farUS$57 million (50 million). Similar regulations, such as the California Consumer Privacy Act (CCPA), impose smaller fines (US$7,500 per violation) but highlight the increasing regulatory risks for businesses globally. NEW RISKS FROM INNOVATION AND GROWTH According to the Accenture report “Securing the Digital Economy,” 2businesses have never been more dependent on the digital economy and the Internet for growth. Fewer than one in four companies relied on the Internet for their business operations 10 years ago; now, it is 100 percent. A trustworthy digital economy is critical to their organizations future growth according to 90 percent of business leadersbut the drive for digital innovation is introducing new risks. While Internet dependency and the digital economy are flourishing, 68 percent of business leaders said their cybersecurity risks are also increasing. Almost 80 percent of organizations are introducing digitally fueled innovation faster than their ability to secure it against cyberattackers. No wonder, then, that cyberattacks and data fraud or theft are now two of the top five risks CEOs are most likely to face according to the latest World Economic Forum report on global risks. 3 Training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets. 2. Securing the digital economy, Accenture. accenture/us-en/ insights/cybersecurity/reinventing-the-internet-digital-economy 3. WEF Global Risks Report 2019. 3.weforum/docs/WEF_Global_Risks_Report_2019.pdf 8 > 9TH ANNUAL COST OF CYBERCRIME STUDYHUMANS ARE STILL THE WEAKEST LINK Whether by accident or intent, many employees are often the root cause of successful cyberattacks. Executives polled in the Accenture 2018 State of Cyber Resilience survey identified the accidental publication of confidential information by employees and insider attacks as having the greatest impact, second only to hacker attacks in successfully breaching their organizations. 4 Today, the security function is largely centralized and its staff are rarely included when new products, services, and processesall of which involve some sort of cyber riskare being developed. Such a siloed approach can result in a lack of accountability across the organization and a sense that security is not everyones responsibility. Only 16 percent of CISOs said employees in their organizations are held accountable for cybersecurity today. Providing ongoing training and skill reinforcementfor instance, with phishing testsis essential, alongside training and education. Employees need the tools and incentives to help them to define and address risks. New work arrangementsgreater use of contractors and remote workmake the need for employee training more urgent. Even so, training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets. 5 To embed cybersecurity into the fabric of the organization and be effective against any insider threats, organizations must bring together human resources, learning and development, legal and IT teams to work closely with the security office and business units. THE CYBERCRIME EVOLUTION 4. 2018 State of Cyber Resilience, Accenture. accenture/in-en/insights/ security/2018-state-of-cyber-resilience-index 5. Security Awareness Training Explosion, Cybersecurity Ventures, February 6, 2017. cybersecurityventures/security-awareness-training-report/ 9 > 9TH ANNUAL COST OF CYBERCRIME STUDYBENCHMARKING CYBERSECURITY INVESTMENT In the backdrop of this challenging environment, our research reveals that cybercrime is increasing in size and complexity. Based on the trends identified in previous publications, this may not come as a surprise. However, this year our report offers an additional perspectivea forward looking projection of the economic value at risk from future cyberattacks in the next five years. MORE ATTACKS AND HIGHER COSTS As the number of cyberattacks increase, and take more time to resolve, the cost of cybercrime continues to rise. In the last year, we have observed many stealthy, sophisticated and targeted cyberattacks against public and private sector organizations. Combined with the expanding threat landscape, organizations are seeing a steady rise in the number of security breachesfrom 130 in 2017 to 145 this year (see Figure 1). For purposes of this study, we define cyberattacks as malicious activity conducted against the organization through the IT infrastructure via the internal or external networks, or the Internet. +11% =67% Increase in the last year Increase in the last 5 years FIGURE 1 The increase in security breaches 130 145 Average number of security breaches in 2017 Average number of security breaches in 2018 10 > 9TH ANNUAL COST OF CYBERCRIME STUDYCyberattacks also include attacks against industrial control systems (ICS). A security breach is one that results in the infiltration of a companys core networks or enterprise systems. It does not include the plethora of attacks stopped by a companys firewall defenses. The impact of these cyberattacks to organizations, industries and society is substantial. Alongside the growing number of security breaches, the total cost of cybercrime for each company increased from US$11.7 million in 2017 to a new high of US$13.0 milliona rise of 12 percent (see Figure 2). Our detailed analysis shows that Banking and Utilities industries continue to have the highest cost of cybercrime across our sample with an increase of 11 percent and 16 percent respectively. The Energy sector remained fairly flat over the year with a small increase of four percent, but the Health industry experienced a slight drop in cybercrime costs of eight percent (see Figure 3). THE CYBERCRIME EVOLUTION +12% =72% Increase in the last year Increase in the last 5 years FIGURE 2 The increase in the annual cost of cybercrime $ 11.7m $ 13.0m Average cost of cybercrime in 2017 Average cost of cybercrime in 2018 11 > 9TH ANNUAL COST OF CYBERCRIME STUDY