Many organizations have yet to create an effective cybersecurity strategy – and it’s costing them millions.
The costs associated with data breaches continue to grow at a pace that exceeds the resources available to protect the organizations dealing with the breaches. Two new reports, from IBM and EY, make that same point with different data and slightly different, but definitely related, conclusions. Together they provide a picture of security incidents that are inevitably expensive but can be made less so through careful planning.
The first study, commissioned by IBM and conducted by the Ponemon Institute, looks at the cost of data breaches from the perspective of business continuity management (BCM). The study breaks the costs associated with a breach into four areas:
Detection and escalation: Finding out you’ve been breached and deciding what to do about it.
Notification: Telling the affected customers, partners, and employees about the breach and notifying any relevant regulators or law-enforcement agencies.
Ex-post response: Remediating the impact on the organization and the individuals affected by the breach.
Lost business cost: Business lost due to the reputation hit, distraction, or downtime due to the incident.
According to the study, 22 different factors — ranging from the lack of security analytics to the presence of the Internet of Things — can have an impact on the cost, with the overall thrust being that time equals money: The longer it takes to figure out what has happened and to do something about it, the more money the effort will consume. And in 2018, the average incident has consumed $4.24 million in the population studied.
EY also studied the cost of a cybersecurity breach, but from a slightly different perspective: that of cybersecurity in the context of overall business advantage. While 55% of the companies also surveyed by Ponemon on its behalf had some sort of business continuity management team in place, EY found that 87% of the companies were working with limited cybersecurity and resilience capabilities. While the two facts are not mutually exclusive, they suggest that companies have business continuity or cybersecurity teams who operate within very tightly constrained resources.
Those constrained resources still have room for cybersecurity incidents that cost companies an average of $3.62 million per incident. While a different total than in IBM’s study, the two numbers are in the same financial neighborhood, with each representing a significant sum for many organizations.
With different beginning points for their work, the two report reach different conclusions. The IBM report focuses on the impact that a BCM team and plan can have on the cost of an incident once it has occurred. According to the report, an in-place BCM team can save 82 days throughout the total span of an incident, save the company more than $5,700 per day, and lower the overall cost of an incident to an average of $3.55 million.
EY makes the point in its report that organizations must do three things simultaneously:
Protect the enterprise: Identify assets and build lines of defense.
Optimize cybersecurity: Stop low-value activities, increase efficiency, and reinvest the resulting funds in innovative security technology.
Enable growth: Implement security-by-design as a key success factor for digital transformation.
All are critical in the face of 6.4 billion fake email messages sent every day, EY says. The overwhelming number of potential attacks launched against organizations means that cybersecurity must be part of the business strategy and reflected in the organization’s governance. Yet, according to the report, “At the moment, there is significant room for improvement. Fewer than 1 in 10 organizations say their information security function currently fully meets their needs — and many are worried that vital improvements are not yet under way.”
With approaches that include working to prevent incidents and preparing to deal with incidents when they do occur, the studies show that many organizations have yet to effectively create a cybersecurity strategy that meets the needs of the business — or the incident at hand.