By Nat Shere

Justifying Your Security Budget

Updated: Sep 14, 2021

Security professionals often face a tough challenge: justifying the cost of their department. Every department has to justify its cost, but most teams can point to the revenue they generate to do so. Security teams usually cannot. When was the last time a customer based their purchase decision on the firewall version configured on your network? How about the vendor of your Intrusion Detection System (IDS)?


Nevertheless, the laundry list of tools, software, and personnel needed to run a modern security program, and the cost of managing it all, seems endless: from firewalls to IDS; from secure code scanning software to vulnerability scanners; from security awareness campaigns to anti-virus; the list goes on and on. And why do we spend all of this money? In case something might perhaps happen at some point in the unknown future... maybe. Is it any wonder that executives and managers are prone to saying, "I accept the risk"?


How do we justify the cost of security then?


Fortunately, research teams have now had time to review the results of the hacks and breaches reported over the past several years, and their findings provide the answer. Unfortunately, many companies had to get hacked to bring us this information.


According to a 2018 Ponemon study, the average cost of a single cyberattack against a small to medium size business was $383,365, including lost normal operations and damage to IT infrastructure. That is just one attack! For the United States as a whole, according to IBM Security, the average cost of a data breach (a cyberattack in which data was actually lost or stolen) was $7.91 million, with $4.20 million (or 53%) of that coming from lost business and customers.


At the same time, Embroker reports that in 2016, a ransomware attack (where malware encrypts the files on a victim's systems and the attackers demand a ransom for the decryption key) claimed a victim every 40 seconds. In 2021, that interval is projected to shrink to 11 seconds. That is more than five ransomware victims per minute! Moreover, the average ransom paid to criminals in the third quarter of 2020 was $233,817.


Finally, CISQ reports that the overall cost of cyberattacks from 2014 to 2019 was $10.2 billion, with $3.5 billion in 2019 alone. Based on these trends, CISQ estimates that cybercrime will cost the United States approximately $1.92 trillion over the course of 2021. In addition, nearly half of all cyberattacks target small businesses.


That is a lot of justification for your security budget.



Security News


Update on the SolarWinds hack: New information shows that there may have been additional threat actors involved and that up to 30% of the compromised systems weren't even running the vulnerable SolarWinds software. In addition, SolarWinds experienced one of the hidden costs of cyberattacks as its stock price plummeted following the attack, whereas FireEye, the company that detected the initial problem, saw a significant spike in its stock price.


Also, The Hacker News shared its Top Cyber Attacks of 2020. To the surprise of no one, the SolarWinds attack makes the list, alongside numerous attacks against coronavirus response efforts.
