UNLOCKING THE VALUE OF IMPROVED CYBERSECURITY PROTECTION NINTH ANNUAL COST OF CYBERCRIME STUDY IN FRANCE
UNLOCKING THE VALUE OF IMPROVEDCYBERSECURITY PROTECTIONNINTH ANNUAL COST OF CYBERCRIME STUDY IN FRANCE
• The average cost of cybercrime for an organization increased US$1.4M to US$13.0M.• Phishing and social engineering (+16%), ransomware (+15%), and stolen devices (+15%)—
largely people-based attacks—show the biggest increases.• Information theft is the most expensive consequence of cybercrime and companies spend
most on discovery activities.
Organizations spend more than ever to deal with the costs and consequences of more sophisticated attacks.
• The threat landscape continues to expand with an increase in nation-state espionage, supply chain and critical infrastructure threats.
• In the drive for growth and innovation, 79% of business leaders say new business modelsintroduce technology vulnerabilities faster than they can be secured.
• The average number of security breaches in the last year grew by 11% from 130 to 145.
The expanding threat landscape and new business innovation is leading to an increase in cyberattacks.
• Place greater emphasis on protecting people to combat the rise in attacks against them.• Prioritize technologies to limit information loss and business disruption which are the
largest consequences of cybercrime and a growing concern with new privacy regulation like GDPR and CCPA.
• Use automation (including AI and machine learning) and advanced analytics to manage the rising cost of discovering attacks. the largest component of spend.
Prioritize technologies that reduce the consequences of cybercrime to unlock future economic value.
• Improving cybersecurity protection can reduce the cost of cybercrime and provide additional revenue opportunities. A total of $US5.2 trillion over the next five years.
• This translates into additional revenue of 2.8 percent—or an average of $US580M annually—in each of the next five years for an average G2000 company.
• This provides a useful benchmark to measure investments in cybersecurity protection.
What is the economic value of improving cybersecurity protection worth to an organization?
THE GLOBAL STORY IN BRIEF
Copyright © 2018 Accenture. All rights reserved. 2
ABOUT THE RESEARCH
Copyright © 2019 Accenture. All rights reserved. 3
11 USUnited KingdomJapanGermanyFrance
BrazilCanadaAustraliaSpainItalySingapore
EXAMINING THE ECONOMIC IMPACT OF CYBER ATTACKS
355Companies
2,647Jointly developed by:
Countries
TravelComm & MediaLife sciencesRetailHealthConsumer GoodsPublic Sector
US FederalEnergyCapital MarketsHigh TechInsuranceAutomotiveSoftwareUtilitiesBanking
Annual research study
9th
16Industries Interviews
What types of cyberattacks and security breaches are included in this research? We define cyberattacks as malicious activity conducted against the organization through the IT infrastructure via the internal or external networks or the Internet. Cyberattacks also include attacks against industrial control systems (ICS). A security breach is one that results in the infiltrationof a company’s core networks or enterprise systems. It does not include the plethora of attacks stopped by a company’s firewall defenses.
DEFINING CYBERATTACKS AND SECURITY BREACHES
Copyright © 2019 Accenture. All rights reserved. 4
WITH AN EXPANDED THREAT LANDSCAPE AND NEW DIGITAL VULNERABILITIES, THE NUMBER OF SECURITY BREACHES INCREASED IN THE LAST YEAR
Copyright © 2019 Accenture. All rights reserved. 5
Average number of security breaches in 2017 in
France +14%Average number of
security breaches in 2018 in France
69 Increase in one year 80* 31 French companies, 248
interviews
THE LARGEST INCREASES COME FROM THE NUMBER OF ORGANIZATIONS EXPERIENCING PEOPLE-BASED ATTACKS
Copyright © 2019 Accenture Security. All rights reserved. 6
Types of cyberattacks experienced by French companies(% increase 2017–2018)
Phishing (+12%) and Ransomware (+20%)
46%
46%
66%
61%
72%
65%
86%
84%
78%
46%
26%
65%
55%
63%
57%
76%
76%
79%
Malicious insider (+0%)
Ransomware (+20%)
Stolen devices (+1%)
Denial of service (+6%)
Malicious code (+9%)
Botnets (+8%)
Web-based attacks (+10%)
Phishing and social engineering (+8%)
Malware (-1%)
2017 2018
INDIVIDUAL INCIDENTS ARE BECOMING MORE EXPENSIVE TO RESOLVE
Copyright © 2019 Accenture Security. All rights reserved. 7
Types of cyberattacks experienced by French companiesUS$ (% increase 2017–2018)
Malicious Insiders increased (+10%), Malicious Code (+25%) and Ransomware an alarming ( +76%)
$995
$5 880
$29 593
$79 544
$62 184
$101 400
$124 852
$126 325
$191 700
$963
$6 159
$33 785
$71 609
$35 316
$99 136
$110 510
$100 743
$174 703
Botnets (+3%)
Malware (-5%)
Stolen devices (-12%)
Web-based attacks (+11%)
Ransomware (+76%)
Phishing and social engineering (+2%)
Denial of service (+13%)
Malicious code (+25%)
Malicious insider (+10%)
2017 2018
Length of time taken to resolve cyberattacks for French CompaniesDays (% increase 2017–2018)
Malicious code attacks shows the most significant increase in the number of days taken to resolve (+16%).
MANY ATTACK TYPES ARE TAKING MORE TIME TO RESOLVE
8Copyright © 2019 Accenture Security. All rights reserved.
2,4
6,5
18,8
23,0
21,4
32,3
26,2
55,4
63,7
2,3
5,9
17,9
22,1
26,3
35,1
25,6
47,6
70,0
Botnets (+3%)
Malware (+10%)
Stolen devices (+5%)
Denial of service (+4%)
Web-based attacks (-19%)
Phishing and social engineering (-8%)
Ransomware (+2%)
Malicious code (+16%)
Malicious insider(-9%)
2017 2018
Organizations were asked to report their spend(costs) to discover, investigate, contain and recover from cyberattacks over four consecutive weeks. Also covered are the expenditures that result in after-the-fact activities and efforts to reduce business disruption and the loss of customers.These costs do not include outlays and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations.Once compiled and validated, these costs were then grossed-up to determine the annualized cost.
CALCULATING THE COST OF CYBERCRIME
Copyright © 2019 Accenture. All rights reserved. 9
$7,6 $7,7
$9,5
$11,7
$13,0
$-
$2,0
$4,0
$6,0
$8,0
$10,0
$12,0
$14,0
2014 2015 2016 2017 2018
Tota
l ave
rage
cos
t of c
yber
crim
e (U
S$ M
)
Copyright © 2019 Accenture Security. All rights reserved. 10
THE AVERAGE COST OF CYBERCRIME FOR AN ORGANIZATION INCREASED BY 12 PERCENT OVER THE YEAR TO US$13.0 MILLION
+2%
+23%
+23%
The GLOBAL average cost of cybercrime for companies in studyUS$
The increase over the last five years is 72%, or US$ 5.5 million, on average for companies in our study.
+12%
Copyright © 2019 Accenture Security. All rights reserved. 11
THE COST OF CYBERCRIME IS INCREASING IN ALL COUNTRIES Change in cybercrime cost by countryUS$ millions(% increase 2017–2018)
The average increase in cybercrime costs for the countries in our sample is +26%. The United Kingdom (31%), Japan (31%) and United States (29%) have the largest increases followed by Australia (+26%).
The increase for Germany (18%) is less than half the increase in 2017 (42%).
$6,79
$7,24
$8,01
$8,16
$9,25
$9,32
$9,72
$11,46
$13,12
$13,57
$27,37
$5,41
$6,73
$7,90
$8,74
$11,15
$10,45
$21,22
- $5M $10M $15M $20M $25M $30M
Australia (+26%)
Brazil*
Italy (+19%)
Spain*
Canada*
Singapore*
France (+23%)
United Kingdom(+31%)
Germany (+18%)
Japan (+30%)
United States (+29%)
2017 2018Cost ($US Millions)
Copyright © 2019 Accenture Security. All rights reserved. 12
BANKING AND UTILITIES CONTINUE TO HAVE THE LARGEST COST OF CYBERCRIME BY INDUSTRYAverage annualized cost by industry sectorUS$ (million)
Average cost of cybercrime= US$13.0 million
$7,91
$8,15
$9,21
$10,91
$11,43
$11,82
$11,91
$13,74
$13,77
$13,92
$14,69
$15,76
$15,78
$16,04
$17,84
$18,37
$6,58
$4,61
$7,55
$5,87
$9,04
$12,86
$8,09
$10,41
$13,21
$10,56
$12,90
$12,93
$10,70
$14,46
$15,11
$16,55
- $2M $4M $6M $8M $10M $12M $14M $16M $18M $20M
Public sector
Travel
Communications & media
Life sciences
Retail
Health
Consumer goods
US federal
Energy
Capital markets
High Tech
Insurance
Automotive
Software
Utilities
Banking
2017 2018Cost ($US Millions)
What is the economic valueof improving cybersecurity protection worth to an organization?
THE VALUE OF CYBERSECURITY
0
2
4
6
8
10
12
14
16
18
The cost of cybercrime The value of cybersecurity
$US
mill
ion
New revenueopportunity
Savings in the cost ofcybercrime
The cost of cybercrime
Copyright © 2019 Accenture Security. All rights reserved. 14
HOW MUCH IS IMPROVED CYBERSECURITY PROTECTION WORTH TO A BUSINESS?There is a positive correlation between size and cost. The bigger the organization the bigger the cost burden on them.
But can improved cybersecurity protection create more economicvalue for businesses?
Economic value includes savings in the cost of cybercrime plus new revenue opportunity.
The economic value of improvedcybersecurityprotection
Econometric modelling
Historical analysis
THE COST OF CYBERCRIME THE VALUE OF CYBERSECURITY
2014–2018 2019–2023
23%
77%
Value at risk: 2019–2023(Value at Risk* due to direct and indirect attacks, Cumulative 2019–2023, US$t)
* Expected loss of savings in cybersecurity spend and revenue opportunity over the next 5 years. Calculations over a sample of 4,700 global public companies.
$5.2t
Direct Attacks
Indirect Attacks
Copyright © 2019 Accenture Security. All rights reserved. 15
Value at risk by industry (US$Bn)
Source: Accenture Research
Value at risk by country (US$Bn)
47
70
110
147
209
219
223
257
283
305
340
347
347
385
505
642
753
Capital MarketsTravel
TransportationChemicals
EnergyUtilities
Nat. Res.Comms & Media
Ind. Equip.Insurance
RetailHealth
BankingCG&S
AutomativeLife Sciences
High Tech
97
100
133
133
137
172
216
347
532
1700 t
AustraliaSpain
CanadaBrazil
ItalyFrance
United KingdomGermany
JapanUnited States
THE ECONOMIC VALUE AT RISK DUE TO CYBERATTACKS OVER THE NEXT FIVE YEARS IS $5.2 TRILLION GLOBALLY
Copyright © 2019 Accenture Security. All rights reserved. 16
THE ECONOMIC VALUE AT RISK PROVIDESA USEFUL BENCHMARK FOR SECURITY INVESTMENTSAverage annualized cost by industry sectorUS$ (million)
The average G2000 company revenue in 2018 was US$20 billion.
Life sciences and high tech companies have the highest revenue at risk.
Capital markets and industrial equipment companies have the lowest revenue at risk.
IndustryRevenue at Risk
(CAGR 2019 –2023)
Global=2.8%
2018 Average G2000 Revenue
(USD$ M)
Average annual revenue opportunity
at risk 2019–2023 (US$ M)
2019 –2023 Cumulative revenue
opportunity at risk (USD$ M)
Automotive 3.1% $20,000 $770 $3,851
Banking 2.4% $20,000 $570 $2,848
CG&S 3.4% $20,000 $738 $3,689
Capital Markets 1.5% $20,000 $365 $1,826
Chemicals 2.7% $20,000 $572 $2,859
Comms & Media 2.0% $20,000 $456 $2,282
High Tech 4.5% $20,000 $1,056 $5,278
Energy 2.1% $20,000 $352 $1,762
Health 3.7% $20,000 $1,156 $5,779
Industrial Equipment 1.5% $20,000 $368 $1,841
Insurance 3.9% $20,000 $949 $4,743
Life Sciences 5.6% $20,000 $1,475 $7,375
Natural Resources 2.6% $20,000 $541 $2,703
Retail 1.5% $20,000 $339 $1,695
Transportation 1.6% $20,000 $343 $1,715
Travel 1.5% $20,000 $378 $1,891
Utilities 2.9% $20,000 $579 $2,895
Prioritize technologies that reduce the costs and consequences of cybercrime to unlock future economic value.
THE VALUE OF CYBERSECURITY
Percentage cost by consequence for French Companies
Information loss is a worrying trend with new regulation like GDPR and CCPA to consider.
18
INFORMATION LOSS REMAINS THE MOST EXPENSIVE CONSEQUENCE OF A CYBERCRIME
Copyright © 2019 Accenture Security. All rights reserved.
34%
39%
21%
4%2%
32%
41%
21%
5%
1%
Business disruption Information loss Revenue loss Equipment damages Other
FY 2017 FY 2018
Percentage cost by internal activities for French Companies
Discovery and recovery spend highlight a significant cost-reduction opportunity for organizations that are able to systematically deploy enabling security technologies to help facilitate the discovery-to-recovery cycle.
19
COMPANIES SPEND THE MOST ON RECOVERY AND THE LEAST ON INVESTIGATION ACTIVITIES
Copyright © 2019 Accenture Security. All rights reserved.
29%
23%
19%
29%
25%
17%
23%
34%
Discovery Investigation Containment Recovery
FY 2017 FY 2018
The proportion of French companies who deploy nine enabling security technologies
The deployment of Automation, AI and machine learning as well as cyber and user behavior analytics remains stubbornly low.
20
PERIMETER CONTROLS ARE FULLY DEPLOYED BY MORE COMPANIES THAN ANY OTHER SECURITY TECHNOLOGY
Copyright © 2019 Accenture Security. All rights reserved.
70%
68%
62%
57%
48%
37%
37%
33%
23%
Advanced perimeter controls
Extensive use of cryptographic technologies
Advanced identity and access governance
Security intelligence and threat sharing
Extensive use of data loss prevention
Enterprise deployment of GRC
Automation, AI and machine learning
Extensive use of cyber analytics and UBA
Automated policy management
Cost savings when deploying enabling technologies for French CompaniesUS$
While not widely used as yet, automation (with AI and machine learning) and extensive use of cyber analytics can provide significant cost savings on average.
Copyright © 2019 Accenture Security. All rights reserved. 21
SECURITY INTELLIGENCE AND THREAT SHARING DELIVER THE LARGEST COST SAVINGS WHEN FULLY DEPLOYED
Rank9
8
7
6
5
4
3
2
1
$2 150 000
$2 060 000
$1 770 000
$1 590 000
$1 300 000
$1 090 000
$890 000
$760 000
$490 000
Security intelligence and threat sharing
Automation, AI and machine learning
Extensive use of cryptographic technologies
Extensive use of cyber analytics and UBA
Advanced identity and access governance
Advanced perimeter controls
Enterprise deployment of GRC
Extensive use of data loss prevention
Automated policy management
PRIORITIZE BREAKTHROUGH INNOVATIONS LIKE AI AUTOMATION AND ANALYTICS
Copyright © 2019 Accenture Security. All rights reserved. 22
Place greater emphasis on protecting people due to the rise in phishing, ransomware and malicious insider attacks
Invest to prevent information loss and business disruption which are growing concerns with new privacy regulation like GDPR and CCPA.
Use automation and advanced analytics to manage the rising cost to discover attacks which is the largest component of spend.
1
2
3
55 daysThe time to resolve denial of service attacks increased by 16 percent
41% of cost Information loss remains the most expensive consequenceof cybercrime
57% of spend Incident discovery and recovery are the largest elements of internal spend
ORGANIZATIONS NEED TO: