The fact is cybercrime is costly. Now, the 2015 Cost of Cyber Crime Study from HP Enterprise Security and the Ponemon Institute has revealed just how costly it really is to U.S. organizations. The average annual cost of cybercrime is a whopping $15 million. That’s about a 20 percent year-over-year increase -- and an 82 percent increase since HP and Ponemon started doing these studies six years ago.

The report also noted it takes, on average, 46 days to resolve a cyberattack. That percentage has increased by 30 points over the past six years. And the average cost to resolve a single attack is over $1.9 million.

“As organizations increasingly invest in new technologies like mobile, cloud, and the Internet of Things, the attack surface for more sophisticated adversaries continues to expand,” said Sue Barsamian, senior vice president and general manager, enterprise security products, HP, in a statement. “To address this challenging dynamic, we must first understand the threats that pose the most risk and then prioritize the security strategies that can make a difference in minimizing the impact.”

The Costliest Cybercrimes

Based on the study's findings, HP pointed to the need to shift security strategies from traditional network control and perimeter management to an advanced focus on protecting interactions among users, applications and data. Organizations are committing 20 percent of their security budgets to the application layer, up 33 percent in just two years, according to the study.

Denial of service, malicious insiders and malicious code lead to the most costly cybercrimes. These accounted for more than 50 percent of all cybercrime costs per organization on an annual basis, according to the study. HP also reported that malicious insider attacks can take longer to address, taking an average of approximately 63 days to contain.

Meanwhile, information theft is the highest external cost, followed by the costs associated with business disruption. Information theft accounted for 42 percent of total external costs annually, while costs associated with disruption to business or lost productivity accounted for 36 percent of external costs, up 4 percent from the six-year average.

On the other hand, the most costly internal activities were recovery and detection, which accounted for 55 percent of the total annual internal activity cost. Cash outlays and direct labor made up most of these costs.

The Right Solution

“With cyber attacks growing in both frequency and severity, understanding of the financial impact can help organizations determine the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in the statement. “As seen in this year’s study, the return on investment for organizations deploying security intelligence systems, such as SIEM, realized an average annual cost savings of nearly $4 million -- showcasing the ability to minimize impact by more efficiently detecting and containing cyber attacks.”

We asked Tim Erlin, director of IT security and risk strategy for advanced threat protection firm Tripwire, for his thoughts on the cybercrime report. He told us when these kinds of reports come out, the headlines are all about the escalating costs of a breach, but they should be about the mounting evidence that well-understood actions can materially decrease those costs.

“The probability that you will experience a breach is steadily increasing, and so the return on investment for an appropriate security budget and leadership has continuously become more favorable,” Erlin said. “There’s no doubt that avoiding a breach altogether is the best way to reduce its cost. Investing in tools that prevent, detect and shorten time to resolution is not only intuitively right, it’s proven out by reports like this one.”