The cost of cybersecurity solutions vs. the cost of cyber attacks

When we talk about cybersecurity, having clear goals and objectives in place is key in determining the success of the tools, processes, and management techniques used to combat threat actors. With the right cybersecurity solutions in place, your organization may be able to detect and respond to an incident, or even prevent a cyber attack before it takes place, but let’s not forget, in today’s continually evolving threat landscape there is no such thing as 100% security.

This applies to both the digital and the physical world, as well as for small and large organizations alike. With enough time and resources, threat actors are likely to be able to find a vulnerability in any system, and recent data breaches of numerous large organizations proves just that.

So, what is the average cost of implementing cybersecurity solutions versus the cost of suffering from a cyber attack? There are likely to be many answers to this, but here is my take on this question based on recent third-party findings.

Small to medium businesses

Small to medium-sized businesses (SMBs) nowadays are aware of the need to secure their data, systems and assets, but often have doubts when presented with costly solutions. A recent article published by infosecurity magazine concluded that for small businesses to implement effective cybersecurity measures, it would cost considerably more as a percentage of operational budget than it would for larger organizations - up to around 4% compared with 1-2% for enterprises.

Unfortunately, some SMBs still hold the mindset that hackers are solely focused on targeting the bigger enterprise players, such as large well-known brands, and therefore believe their organizations are just too small for such a robust investment. But, the reality is quite different. According to recent research conducted by Hiscox, the proportion of UK SMB businesses that reported a cyber attack has jumped from 40% to 55% in the last year, while at the same time more organizations admitted that they aren’t fully prepared for a security breach. Regarding this increase in the reported number of cyber attacks, we probably also need to take into consideration if all cyber attacks were previously reported, or if they were kept under the radar for example, and the introduction of GDPR in Europe last year may now play a factor in this increasing reported figure.

Regardless of this, hackers may have found their sweet spot - small and medium sized businesses. They consider these even more attractive than ever before due to the presumption that they may lack a comprehensive cybersecurity defense.

The impact to SMBs

Security breaches can wipe out entire businesses. However, It’s important to realize here that figures and damage may vary hugely. Moreover, an organization’s costs for remediation can soar much higher, especially in highly regulated industries such as healthcare or finance. According to the findings from Hiscox, the average cost of a security breach affecting small to medium businesses increased by 61% from $229k in 2018 to $369k in 2019, while a recent “Cost of a Data Breach” survey conducted by Ponemon Institute detailed how the healthcare industry faced the highest cost per record data breach cost, at $408 per compromised record; that’s nearly three times the average of $148.

But, it’s not only costs for remediation, small to medium sized organizations are likely to also face many other indirect costs, some of which include, but are not limited to:

• Civil lawsuits from customers and/or business partners

• Fines for compliance violations

• Customer refunds and incentives

• Lost sales and business opportunities

• Insurance premiums

These costs could become even higher if the organization must halt its day to day operations after an attack and in the aftermath of a cyber attack, companies are still faced with costs for rent, utilities, operational costs, insurance and others. This might be difficult to cover if incoming revenue is affected and overall can often lead to smaller sized companies going out of business altogether.

Large enterprises

According to a second report conducted by Ponemon Institute focused around Enterprises, the most expensive type of cyber attack was due to malware, at an average cost of $2.6m per company, up 11% from the previous year. Web-based attacks and denial of service attacks also ranked highly, coming in at the second and third most costly, but the highest growth at 15%, was related to malicious insider attacks, indicating that internal factors also pose a risk.

For enterprises, the consequences of a security breach can be a lot more costly, again GDPR will have a potentially huge impact, (with organizations facing a fine of up to 20 million Euros or 4% of annual turnover, whichever is higher), not to mention being subjected to higher amounts of publicity. But due to their pure size and scale, enterprises also tend to face many more challenges when it comes to implementing successful cybersecurity solutions.

The root cause

Whether the enterprise is suffering from a lack of skilled cybersecurity workforce, an increasing number of security alerts, a growing number of regulations to adhere, to name just a few, they firstly need to ensure they have a well-rounded security strategy and program in place that is embedded into everything they do. Unfortunately, many enterprises are still treating security as an afterthought and it is therefore implemented with much less success than is necessary to protect their business interests.

Effectiveness and efficiency plays a critical role and with so many tools and technologies to choose from where should you start. Firstly there is little or no point for an organization deploying a variety of tools if they do not have the tactics, techniques and procedures in place to manage them to their fullest potential. Many enterprises today still work in silos (e.g. per department) which results in a lack of understanding of the enterprise’s overall infrastructure, leading to poor orchestration and accountability when it comes to an incident. A fuller, holistic view of their environment is needed, where tools can work seamlessly together to provide full visibility, business engagement and stakeholder accountability.

Many enterprises are turning to solutions like Security Orchestration, Automation and Response (SOAR) to overcome these common problems and according to the Ponemon survey results for enterprises, automation, orchestration and machine-learning technologies were deployed by only 28 percent of organizations (the lowest of the technologies surveyed), yet provided the second highest cost savings for security technologies overall, at $2.9 million.

A proactive approach to cybersecurity

The most effective way to save your business from a costly cyber attack is to employ a solid security program that will help to prevent security incidents leading to potential breaches. Whether you decide to create an in-house security team or outsource experts to do this for you, the first action is to take all the necessary steps to protect your business and implement proactive security solutions that will tackle incidents in real time, before they have time to do any damage. Speaking of damage, we’re not only talking about financial losses; security breaches can do serious damage to your brand and credibility, causing a lack of trust among clients and stakeholders, and the recovery from this may take many months or even years.

Regardless of organization size or structure, when determining an organization's overall cybersecurity strategy, it largely comes down to an important factor which is unique to each business; risk. The organization will need to determine the level of risk it is prepared to take and this will likely influence the nature of the overall strategy which is undertaken, regardless of the associated costs. Whether risk averse or more risk tolerant, there are a number of security areas that should be considered in order to protect your business against the increasing number and advancing sophistication of today’s cyber threats. Here are some areas to consider based on a typical information risk management regime:

• Secure Configuration

• Network Security

• User Education and Awareness

• Managing User Privileges

• Incident Management

• Malware Prevention

• Monitoring of Systems and Traffic

• Home and Mobile Working

• Removable Media Controls

Conclusion

Needless to say, as the level of risk perceived by the organizations increases, so will the level of cost that needs to be invested. Reducing this risk by implementing the right solutions and having the right skilled professionals in place is of utmost importance, but creating a huge budget for cybersecurity could prove worthless without the skilled staff in place to effectively manage the security program. It is important for organizations, whether large or small, to create and nurture a new modern cybersecurity culture, while keeping the doors for threat actors tightly closed.

“Increased awareness of people-based threats and adopting breakthrough security technologies are the best way to protect against the range of cyber risks,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.