SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

US enterprises lose USD $48.1 billion to cyberattack delays

Thu, 20th Nov 2025

US enterprises have incurred collective cyber-related losses totalling USD $48.1 billion over the past five years due to a lack of clarity in cybersecurity investigations, according to new research from Binalyze. The study findings highlight that ineffective responses and repeated mistakes are compounding the financial and reputational impacts of cyber incidents.

Financial impact

Delayed responses to cyber incidents have significant financial consequences. The research indicates every hour spent before responding to a cyberattack costs enterprises USD $114,000. On average, organisations take 8.6 hours to deploy forensic investigation measures following a breach, equating to roughly USD $980,400 in costs incurred before meaningful action can be taken. With companies investigating on average nine cyberattacks each year, this results in nearly USD $9 million in unnecessary losses annually per enterprise.

Clarity gap

The study surveyed 200 US Chief Information Security Officers (CISOs). It found that only half of respondents are able to answer fundamental questions following an attack, such as whether attackers still have access, their method of entry, and what data, if any, may have been stolen. This clarity gap hampers the ability of organisations to contain breaches and effectively communicate with stakeholders and regulators.

Visibility remains an ongoing concern, with CISOs reporting they have oversight over just 57% of their IT environment at any given time. This lack of comprehensive visibility delays response efforts, increases exposure to regulatory penalties, and restricts the ability to remediate vulnerabilities before attackers capitalise on them.

Prevention versus response

Cyberattack prevention currently receives double the budget allocation compared to response initiatives, with enterprises spending an average USD $3.02 million on prevention efforts against USD $1.54 million on response. However, 84% of surveyed CISOs believe that a successful cyberattack is now inevitable. Despite this, many organisations remain underprepared when such incidents occur.

Further compounding the issue, 65% of CISOs admitted their organisations have not always learned the right lessons from previous cyberattacks. Meanwhile, 75% acknowledged there is no guarantee the same type of attack would not succeed again if repeated.

Post-incident consequences

The aftermath of cyber incidents continues to create difficulties for enterprises. Seventy per cent of organisations reported challenges in remediating or recovering from an attack within the past year. Regulatory repercussions are also commonplace, with 61% of enterprises experiencing punitive action by authorities due to breaches, and 56% being denied cyber insurance payouts as a result of insufficient evidence that required security controls were in place.

"With cyberattacks now inevitable, the real test for organisations is how fast they can respond and recover," said Lee Sult, Chief Investigator, Binalyze.

Speed and visibility

Eighty-eight per cent of CISOs surveyed believe faster investigation and response would significantly reduce breach-related costs. However, only 40% expressed confidence in their organisation's crisis management framework. The current average window until forensic investigation takes place not only amplifies financial losses but also hinders ongoing security improvements.

According to Sult, "The less an organisation understands an attack, the harder it is to recover, and the harder it is to learn any lessons."

"Yet CISOs claim to have visibility over only 57% of their organisation's IT environment at any one time. This lack of visibility not only slows recovery but risks non-compliance and regulatory penalties. Swift, forensic investigation shouldn't just be a post-mortem exercise. When deployed proactively, it becomes a weapon - a way to identify, disrupt, and deter threat actors before they strike," said Sult.
