As cyber attacks against enterprises get smarter and more inventive, making the right security investments could mean the difference between being safe and being hacked.
One of the biggest problems with cybersecurity is the constantly evolving nature of security risks. As criminals advance in their methods and motives to target companies globally, the traditional approach of focusing on the “biggest known threats” is fast proving to be insufficient. A study conducted by the Ponemon Institute and Accenture titled “Cost of Cyber Crime” showed that the number of successful breaches per company each year has risen more than 27 percent, from an average of 102 to 130. Meanwhile, the European Union police body Europol said the size of recent ransomware attacks such as WannaCry and Petya is “unprecedented”.
In India, according to industry body Assocham, attacks on Indian websites have increased nearly five times in the past four years. As India sees a shift towards a cashless economy, these threats are even more likely to rise.
In response to the rising wave of cyber crime, the current generation of businesses has ramped up its investment in cybersecurity. With worldwide spend on cybersecurity expected to cross $100 billion in 2018, a better understanding of which security measures deliver the best efficiency and effectiveness could help executives get better value for the money spent on security.
The true cost of cyber crime
There are four primary consequences of a cyber attack: business disruption, loss of information, loss of revenue, and damage to equipment. The most damaging of those is loss of information, as mentioned by 43 percent of organizations represented in the study. In contrast, the cost of business disruption, such as business process failures following an attack, has decreased from 39 percent in 2015 to 33 percent in 2017.
Because of rising security needs, whether managing incidents themselves or spending to recover from the disruption to the business and customers, organizations are now investing about $11.7 million per company on cyber crime, up 23 percent.
However, current spending priorities show that much of this is misdirected toward security capabilities that fail to protect against increasingly creative attackers, according to the Accenture-Ponemon study.
Of the nine commonly used security technologies analysed for the study, the highest percentage spend was on advanced perimeter controls. However, it was ranked fifth in terms of return on investment, with companies saving a modest $1 million annually by deploying perimeter controls. In fact, for five out of the nine commonly used security technologies, the percentage of resources spent on the technology was higher than its relative value to the business.
Extensive use of data encryption and measures to prevent data loss, both common safeguards taken by businesses, were also shown to cost more than they saved in case of a cybersecurity breach.
The study, which polled 2,182 security and IT professionals in 254 organizations worldwide, showed that among the most effective categories in reducing losses from cybercrime are security intelligence systems, which help companies identify and prioritize internal and external threats.
Security intelligence systems delivered annualized cost savings of $2.8 million, higher than all other technology types included in the study. Cyber Analytics and User Analytics came second. To better prepare for future attacks, businesses can rethink their cybersecurity spending and potentially reallocate investments to higher-value security technologies, the study said.
The way forward
As the cybercrime landscape evolves both in complexity and volume, it seems evident that breakthrough innovations are likely to generate the highest returns on investment. For example, automation, orchestration, and machine learning technologies provided the third-highest cost savings for security technologies overall at $2.2 million annually; however, these technologies were deployed by only 28 percent of the organizations, the lowest of the technologies surveyed.
The foundation of a strong security program, therefore, is to identify and “harden” the higher-value assets. These are the “crown jewels” of a business: the assets most critical to operations, subject to the most stringent regulatory penalties, and the source of important trade secrets and market differentiation. Hardening these assets makes it as difficult and costly as possible for adversaries to achieve their goals, and limits the damage they can cause if they do obtain access.
Businesses need to be proactive in their approach to cybersecurity instead of equating spending with less risk of attacks. Beyond prevention and remediation, if security fails, companies face unexpected costs from not being able to run their businesses efficiently. Knowing which assets must be protected, and what the consequences will be for the business if protection fails, requires a well-thought-out security strategy that builds resilience from the inside out and an industry-specific strategy that protects the entire value chain, recommends the Accenture study.
Instead of relying on compliance alone to enhance their security profile, businesses must undertake extreme pressure testing to identify vulnerabilities more rigorously than even the most highly motivated attacker.
This suggests that companies can maximize their digital defenses without increasing their overall costs by rebalancing investments from less rewarding technologies into breakthrough innovation areas and by getting their basics right.