Adopt a cost-benefit analysis approach to cybersecurity


Cybersecurity is a volatile and complex arena. The digital landscape has never been so hostile, and recent changes in the way we work have introduced risks that all organizations must understand and manage.

The world of work has changed rapidly since March 2020 and technology has helped to facilitate our new hybrid working lives. But as the way we work has changed, hackers have seized the opportunity to target us with increasingly sophisticated and damaging cyber attacks.

IT leaders recognize that they must adapt their cybersecurity postures to protect their organizations, and that this involves investment. However, board buy-in for this investment can be difficult to secure if board members see cybersecurity as a cost they can afford to avoid.

If you’re interested, a cybersecurity cost-benefit analysis approach might just be the best way to engage your board. In this article, we’ll take a look at the top cybersecurity threats organizations face in 2021 and explain how a cost-benefit analysis approach is the best way for IT managers to get the investment they need to face them.

Main cybersecurity threats in 2021

The massive increase in remote working we have seen over the past 18 months has not gone unnoticed by hackers, who have evolved their tactics to take advantage of increased attack surfaces as users are forced to work outside of their secure corporate networks. Among the cyber threats we face, three reign supreme: phishing, ransomware and business email compromise attacks.

Phishing emails are sent by hackers and claim to be from someone the recipient trusts, such as their bank or a coworker. Their goal is to convince the victim to do something the hacker can use to their advantage, such as clicking a link to a malicious website or providing a username and other personal information. Phishing emails are one of the main methods used by hackers to deploy ransomware and business email compromise attacks.

Business email compromise attacks target employees of an organization by sending emails that fraudulently mimic senior colleagues or trusted customers. The emails use social engineering techniques to issue illicit instructions, such as approving payments to hackers’ bank accounts or disclosing confidential customer data that can be leaked on the Dark Web.

The main objective of ransomware is to extort money from infected organizations and individuals. It does this by encrypting files connected to affected machines, rendering them unusable, and then threatening to release stolen confidential information on the public Internet. Once the files are encrypted, the user is notified and prompted to pay money, usually in cryptocurrency, in order to obtain a key that will decrypt the files.

In order to protect your organization against these malicious threats, you will need to make smart cyber investments that will minimize the risks as much as possible. Let’s take a look at how you can get buy-in for these investments.

A cost-benefit analysis approach to cybersecurity

A cost-benefit analysis is a method used to evaluate a project by comparing its losses and gains: essentially a quantified and qualified list of advantages and disadvantages. Undertaking a cost-benefit analysis is a great way to evaluate projects because it reduces the complexity of the evaluation to a single figure. As you can imagine, this makes a cost-benefit analysis an invaluable tool when it comes to explaining the specifics and selling the value of a strong cybersecurity strategy to your board.

One of the most important things to emphasize in your cost-benefit analysis is the trade-off between paying to avoid a mess and paying to clean up a mess. A recent Cabinet Office report said the estimated cost of cybercrime to the UK economy is £27 billion.

And when it comes to individual attacks, an April 2021 Sophos survey found that the average total cost of recovery from a ransomware attack more than doubled in one year, from $761,106 in 2020 to $1.85 million in 2021.

Of course, investing in preventive cybersecurity measures also comes at a cost. Research firm Gartner predicts that global spending on information security and risk management services will reach $150.4 billion in 2021, an increase of 12.4 percent from 2020.

In this context, one thing remains in the foreground: For almost all organizations, the cost of prevention is paltry compared to the cost incurred by a successful cyberattack. So how do you apply a cost-benefit analysis to get board buy-in to your cybersecurity strategy?

How to take a cost-benefit analysis approach

Taking a cost-benefit analysis approach is about determining the risks you are willing to accept and comparing the costs of those risks against the benefits. This involves thinking about the direct and indirect risks you face, as well as the direct and indirect costs that could result from taking those risks. Here are some examples:

Direct costs such as ransom payments or expenses associated with identifying, mitigating and quarantining a threat.

Indirect costs such as downtime, operational disruption, damage to reputation, internal time and resources, as well as legal and non-compliance costs.

It is useful to think about both direct and indirect factors when applying a cost-benefit analysis approach. For example, you can compare:

The cost of disruption to business revenue (direct) and lost productivity (indirect) due to a ransomware attack, weighed against the cost of preventing a data breach by investing in a “defense in depth” cybersecurity approach.

The cost of operational disruption (direct) and decreased future revenue (indirect), weighed against the cost of preventing an attack by investing in building an internal team.

Taking a cost-benefit analysis approach when speaking to your board involves coming up with options you could undertake to achieve your project goals. So you’ll want to keep breaking things down and playing around with various risks, costs, and outcomes.

Getting the board on board

Risk management is about managing uncertainties. When it comes to preventing costly cyber attacks, it’s hard to avoid concluding that there is significant value in investing in cybersecurity measures in order to avoid paying a higher price down the road.

The good news is that today’s leaders say they are more open than ever to new cybersecurity strategies. In 2020, 50% of executives said they were ready to see cybersecurity as a factor in every business decision (up from just 25% the year before). Take this opportunity to lay a foundation that will help create a sustainable and secure future.

Phil Atkin, Sales Director – Cybersecurity, Six Degrees

