Every CISO faces the unique challenge of justifying a budget whose ROI is predominantly measured by what never happened.
Fortunately, the Ponemon Institute's latest
report, "The Economic Value of Prevention in the Cybersecurity Lifecycle," might just hold the keys to your organization's vault. The study, based on responses
from more than 600 IT and IT security practitioners, found that on average cybersecurity prevention saves companies upwards of half a million dollars per breach.
Let's break these numbers down.
This is the first study of its kind to look at the entire cybersecurity lifecycle, from prevention and detection through containment, remediation and recovery. What
the researchers found is that an investment in preventing a breach saves the company between $396,675 and $1,366,365 per incident, depending on the type of attack (the savings figures below are simply the cost per breach minus the estimated cost to prevent it).
- Ransomware – Cost per breach: $440,750 | Cost to prevent: $44,075 | Average savings: $396,675.
- Spyware – Cost per breach: $691,500 | Cost to prevent: $179,790 | Average savings: $511,710.
- Phishing – Cost per breach: $832,500 | Cost to prevent: $149,850 | Average savings: $682,650.
- Zero-day – Cost per breach: $1,238,000 | Cost to prevent: $148,560 | Average savings: $1,089,440.
- Nation-state – Cost per breach: $1,501,500 | Cost to prevent: $135,135 | Average savings: $1,366,365.
It's especially worrisome, then, that the study found that only 21% of security budgets are allocated toward prevention, with the remaining 79% set aside for
detection, containment, recovery and remediation. "This study shows that the majority of companies are more effective at containing cyberattacks after they happen
because it is perceived to be more accountable," said Dr. Larry Ponemon, the Chairman and Founder of the Ponemon Institute. "Prevention of cyberattacks is
perceived to be too difficult, but as companies continue to suffer revenue losses due to cyber breaches, we expect budgets to start allocating increased
resources to preventative solutions given the amount of money they save."
Unfortunately, however, it's not simply a matter of the size of the budget, but also of how efficiently the money is put to use. Half of respondents
reported that "their organizations are wasting limited budgets on investments that don't improve their cybersecurity posture." In our view this points to
micro-management at the C-suite level that prevents CISOs and their department heads from both determining and executing on their highest priorities.
We've covered these issues in an earlier post, along with suggestions on how to help tilt the power in the CISO's favor.
On the flip side, most organizations reported that they will be increasing their cybersecurity budget, with less than a quarter planning to decrease it. How the
economic fallout from COVID-19 will affect these projections remains to be seen.
Finally, the number one cause of an attack remains people, not technology. The study found that negligent employees and other insiders
represented the highest threat, followed by third-party flaws and a lack of endpoint security. The most commonly reported attack vectors were as follows:
- Phishing: 47%
- DNS-based attacks: 40%
- Electronic agents like viruses and bots: 35%
- DDoS: 34%
- Ransomware: 32%
The ability of CISOs to translate technical issues into business language, for example through Risk Appetite Statements, will be the defining security trend of 2020. In crucial
ways it is cultural adjustments such as these that will unlock the sorely needed increases in cybersecurity spending. So, next time you find yourself in
a (Zoom) boardroom filled with skeptical associates, just remember: the data is on your side.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.