New research claims that a single cyber-security incident now costs large businesses £652,000, while smaller enterprises and SMBs pay out an average of £65,500 per incident.
In all cases, the financial impact appears to increase with time, with rapid detection of a data breach or incident a key factor in reducing not only data loss but overall financial cost to the business. SMBs on average pay 44 per cent more to recover from attacks discovered a more than a week after the initial breach, as opposed to attacks discovered within 24 hours. Enterprises pay a considerably lower 27 per cent premium given the same situation.
“Even pwhen breaches are detected almost instantly, SMBs estimate a cost to their business of $28k, rising to $105k if undetected for more than a week. For enterprises, where a detection system is in place, the estimated financial damage is still $393k, increasing to over $1m if it remains undetected for over seven days”, said the report from Kaspersky. Interestingly, the 2015 report from the same vendor found that the damage from each incident averaged $38,000 USD, or more than £28,000 today, a cost of less than half the 2016 figure. For one in ten (10 per cent) of US businesses it can take up to a year to discover that a breach has occurred at all.
Timeliness is always a key factor in security calculations, not only in terms of limiting damage after a breach or attack has begun, but in actively seeking out and closing vulnerabilities before the attackers arrive. Of course, this is easier said than done, as having the manpower to constantly manually probe for weaknesses is beyond any organisation. Traditional penetration testing may provide a bellwether moment, a report based on a point in time, but the longevity of the results is short.
As Ilia Kolochenko, CEO High-Tech Bridge said to CSO Online: “[This is] because penetration testing is not scalable and cannot be used in a 24/7 continuous mode. Even if you can afford monthly penetration testing, nobody can guarantee that within the 30-day period no zero-days will go public, or your web developers will not make a dangerous error in the code. “Penetration testing can perfectly complement your continuous monitoring, but it can never replace it. This is why MIT folks say that the future belongs to hybrid systems that combine 24/7 continuous monitoring leveraging machine-learning, but supervised and managed by humans.”
The report went on to investigate the budgets of the 4,000 businesses from 25 countries, discovering that the general expectation is for IT security budgets to grow at least 14 per cent over the next three years. However, small businesses in particular are already suffering a disconnect, with only 18 per cent of their total IT budget going on security, while bigger enterprises are racing ahead, allocating 21 per cent of their budget already. Unsurprisingly, the variation between small and large business budgets was huge, from just $1,000 for very small businesses to more than one million US dollars for large companies.
All businesses in the survey cited IT infrastructure complexity as a key reason to invest in security: 48 per cent of enterprises and 42 per cent of SMBs. However, while complexity may seem like a good reason for increased investment, it may not deliver the results you need as a security professional. Appealing to the board’s sense of Return on Investment (ROI) is a much surer method of gaining additional security budget, and also quantifying very carefully the most efficient and effective solutions and products that will achieve this return.
For example, in order to protect the average web front-end installing a Web Application Firewall (WAF) is a good idea to damp down non-sophisticated ‘noise’ attacks, followed by a solution that offers continuous security monitoring (like ImmuniWeb), and finally regular manual or hybrid assessments involving third-party experts. The cost of this package can be easily calculated, and then worked back into your wider ROI calculation, based on the risk assessment you undertook to begin with.