Cybercrime incidents continue to rise, and the cost of remediating those incidents is rising as well. A newly released report found that organizations with about 2,500 employees in the US spend almost $1.9 million per year on cybersecurity-related costs.

The survey, sponsored by Malwarebytes and conducted by Osterman Research, is based on 900 security professionals.

According to the report, cybersecurity-related costs fall into three basic areas:

  1. Budgeted costs for cybersecurity infrastructure and services, which include labor costs
  2. Off-budget costs associated with major events such as an organization-wide ransomware event
  3. Dealing with costs of insider security breaches

The survey also revealed that mid-market companies, those with 500 to 999 employees, struggle the most from a security perspective. They suffer a higher rate of attack than smaller companies and similar rates of attack to larger companies, but have fewer employees across which to distribute the cost of the security infrastructure.

Most of the participants surveyed revealed they had suffered some sort of security breach in the year preceding the survey. The most common type of attack was phishing, but other types included adware/spyware, ransomware, spear phishing, accidental and intentional data breaches, nation-state attacks, and hacktivist attacks. Only 27 percent of the organizations said there had been no attacks in the previous year that they knew of.

Malwarebytes also found that major attacks occurred with “alarming frequency.” A major attack is classified as “one that would cause significant disruption to an organization’s operations, such as a major ransomware attack that disrupted normal operations or completely shut down an organization’s computing infrastructure for a day more.”

According to the research, in 2017 companies on average suffered one major attack every 15 months, but in 2018 that number rose to one major attack every 6.7 months.

The survey also found that a significant number of security professionals are suspected of being “gray hats,” using their knowledge to become involved in cybercrime. According to the report, one in 22 security professionals is thought to be a gray hat. “Mid-sized organizations (500 to 999 employees) are getting squeezed the hardest, and this is where the skills shortage, and the allure of becoming a gray hat, may be greatest,” they wrote in the report.