Cybercrime is on the rise: successful breaches per company each year have risen more than 27%, from an average of 102 to 130. Ransomware attacks alone have doubled in frequency, from 13% to 27%, with incidents like WannaCry and Petya affecting thousands of targets and disrupting public services and large corporations across the world.
According to the Accenture Report, one of the most significant data breaches in recent years has been the successful theft of 143 million customer records from Equifax—a consumer credit reporting agency—a cybercrime with devastating consequences due to the type of personally identifiable information stolen and the knock-on effect on the credit markets. Information theft of this type remains the most expensive consequence of a cybercrime.
Among the organisations we studied, information loss represents the largest cost component with a rise from 35% in 2015 to 43% in 2017. It is this threat landscape that demands organisations re-examine their investment priorities to keep pace with these more sophisticated and highly motivated attacks.
To better understand the effectiveness of investment decisions, we analysed nine security technologies across two dimensions: the percentage spending level between them and their value in terms of cost-savings to the business. The findings illustrate that many organisations may be spending too much on the wrong technologies. Five of the nine security technologies had a negative value gap where the percentage spending level is higher than the relative value to the business. Of the remaining four technologies, three had a significant positive value gap and one was in balance.
So, while maintaining the status quo on advanced identity and access governance, the opportunity exists to evaluate potential over-spend in areas which have a negative value gap and rebalance these funds by investing in the breakthrough innovations which deliver positive value.
HIGHLIGHTS FROM THE FINDINGS INCLUDE:
Security intelligence systems (67%) and advanced identity and access governance (63%) are the top two most widely deployed enabling security technologies across the enterprise. They also deliver the highest positive value gap with organisational cost savings of $2.8 million and $2.4 million respectively.
As the threat landscape constantly evolves, these investments should be monitored closely so that spend is at an appropriate level and maintains effective outcomes. Aside from systems and governance, other investments show a lack of balance. Of the nine security technologies evaluated, the highest percentage spend was on advanced perimeter controls. Yet, the cost savings associated with technologies in this area were only fifth in the overall ranking with a negative value gap of minus 4. Clearly, an opportunity exists here to assess spending levels and potentially reallocate investments to higher-value security technologies.
Spending on governance, risk and compliance (GRC) technologies is not a fast-track to increased security. Enterprise-wide deployment of GRC technology and automated policy management showed the lowest effectiveness in reducing cybercrime costs (9% and 7% respectively) out of nine enabling security technologies. So, while compliance technology is important, organisations must spend to a level that is appropriate to achieve the required capability and effectiveness, enabling them to free up funds for breakthrough innovations.
Innovations are generating the highest returns on investment, yet investment in them is low. For example, two enabling security technology areas identified as “Extensive use of cyber analytics and User Behaviour Analytics (UBA)” and “Automation, orchestration and machine learning” were the lowest ranked technologies for enterprise-wide deployment (32% and 28% respectively) and yet they provide the third and fourth highest cost savings for security technologies. By balancing investments from less rewarding technologies into these breakthrough innovation areas, organisations could improve the effectiveness of their security programs.
By taking the following three steps, organisations can further improve the effectiveness of their cybersecurity efforts to fend off and reduce the impact of cybercrime:
Build cybersecurity on a strong foundation
Invest in the “brilliant basics” such as security intelligence and advanced access management, while recognising the need to innovate to stay ahead of the hackers.
Undertake extreme pressure testing
Organisations should not rely on compliance alone to enhance their security profile but undertake extreme pressure testing to identify vulnerabilities more rigorously than even the most highly motivated attacker.
Invest in breakthrough innovation
Balance spend on new technologies, specifically analytics and artificial intelligence, to enhance program effectiveness and scale value.
Organisations need to recognise that spending alone does not always equate to value. Beyond prevention and remediation, if security fails, companies face unexpected costs from not being able to run their businesses efficiently to compete in the digital economy.
Knowing which assets must be protected, and what the consequences will be for the business if protection fails, requires an intelligent security strategy that builds resilience from the inside out and an industry-specific strategy that protects the entire value chain. As this research shows, making wise security investments can help to make a difference.
The post The cost of cybercrime study – insights on security investments that make a difference appeared first on Payments Cards & Mobile.