Cyber attacks cost U.S. enterprises $1.3 million on average in 2017

IT security budgets, as well the costs of data breaches, are up for North American enterprises and SMBs.

Cyber attacks cost U.S. enterprises $1.3 million on average in 2017
U.S. Army illustration

In 2017, the average cost of a data breach in North America is $1.3 million for enterprises and $117,000 for small and medium-sized businesses (SMBs), according to a report from Kaspersky Lab. Kaspersky — gasp!

(Updated to change 117 million to 117K)

Yeah, yeah, the Department of Homeland Security (DHS) issued a directive on Sept. 13 banning the use of Kaspersky Lab software at federal agencies. Banned software included Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Small Office Security, Kaspersky Anti Targeted Attack, Kaspersky Endpoint Security, Kaspersky Cloud Security (Enterprise), Kaspersky Cybersecurity Services, Kaspersky Private Security Network and Kaspersky Embedded Systems Security.

The move by DHS was followed by the U.S. Senate passing an amendment attached to the National Defense Authorization Act (NDAA) on Sept. 18. That also banned Kaspersky software across the federal government. Best Buy and Office Depot have also stopped selling the software.

When you drill down into the issue, though, it seems the only “sin” Kaspersky has committed is that it is a Russian company. The rest seems like geo-politics, worries about “ties” between Kaspersky and the Russian government and intelligence agencies. Every potential scenario that has been laid out seems like nothing more than conjecture and Cold War tactics; show the proof or shut up. Oh wait, the powers that be didn't think they had to — despite all that official banning, no actual proof was shown.

Unless real proof is shown, then news coming out of Kaspersky Lab is still good to me. For years, Kaspersky has been exposing cyber attacks — and the attackers — to the world. Until very recently, Kaspersky Lab software was popular in federal agencies, enterprises, small businesses and homes. So, yes, the company did have a good perspective to see IT security economics even though the data for this report was compiled from a survey of more than 5,000 businesses across 30 countries.

The cost of cyber attacks

Now, back to Kaspersky Lab’s news about the average cost of a data breach. Globally, the cost of a data breach for enterprises has risen 11 percent in 2017. In the U.S., the average cost of a cyber attack for enterprises grew from $1.2 million in 2016 to $1.3 million in 2017. That’s 10 times higher than the $117K cost of a breach for SMBs.

Overall, businesses are looking at IT security as more of an investment in 2017. In fact, IT security budgets are up, reaching 18 percent for enterprises compared to 16 percent in 2016. Even small businesses with fewer resources are investing more in IT security budgets this year — 14 percent compared to 13 percent in 2016.

In North America, the Kaspersky Lab study found that the following incidents have the most severe financial impact in 2017:

Financial impact on enterprises

  1. Physical loss of devices or media containing data ($2.8 million)
  2. Incidents affecting IT infrastructure hosted by a third party ($2.2 million)
  3. Electronic leakage of data ($1.9 million)
  4. Inappropriate IT resource use by employees ($1.1 million)
  5. Viruses and malware ($519,000)

Financial impact on SMBs

  1. Targeted attacks ($188,000)
  2. Incidents involving non-computing connected devices ($152,000)
  3. Physical loss of devices or media containing data ($83,000)
  4. Inappropriate IT resource use by employees ($79,000)
  5. Viruses and malware ($68,000)

The top “pain points” with the largest average costs after a breach for enterprises include $207,000 for internal staff wages, $172,000 for improved software/infrastructure, and $153,000 spent on cybersecurity training.

The top pain points for SMBs in 2017 include $21,000 in lost business and another $21,000 in costs related to employing external professionals.

When a third party is breached, that security failure is one of the most damaging to enterprises.

The Internet of Things (IoT) can be another extremely damaging security failure, given the widespread use of factory default passwords that allow IoT devices to become hosts for botnets.

Highest IT security budgets

Organizations involved in government, including defense, and financial institutions reported having the highest IT security budgets — over $5 million. IT and telecom companies, as well as utilities and power companies, spend about $3 million on IT security budgets.

However, as Kaspersky Lab noted, when it comes what is spent on IT security “per head,” government organizations spend $959 per head, while IT and telecoms spend $1,258 per head, utilities companies spend $1,344 per head, and financial firms spend $1,436 per head.

Lowest IT security budgets

Industrial firms, which rely on industrial control systems (ICS) infrastructure, have some of the lowest IT security budgets at $748,000 even though attacks on ICS infrastructure are up 5 percent in 2017.

How companies spend their IT security budgets

After businesses increase IT security budgets, 39 percent goes toward protecting increasingly complex IT infrastructure. Improving the level of specialist security experts is another important expenditure, up to 32 percent in 2017 compared to 29 percent in 2016.

The cost of consultant advice is also up, with businesses using 11 percent of their security budgets in 2017, up 1 percent from last year. There was a significant drop in increasing security budgets for new business activities or expansions, with spending dropping from 45 percent in 2016 to 28 percent in 2017.

For more information, you can download a copy of Kaspersky’s report, IT Security: Cost Center or Strategic Investment? (Registration required.) You can also tap into IT security strategies by checking out a new tool, Kaspersky IT Security Calculator.

New! Download the State of Cybercrime 2017 report