Reports published this week aimed to quantify the monetary damages associated with cybercrime and recovering from a cyberattack, but budget constraints can make it difficult for organizations to cope with the rising costs.
For the 2015 Cost of Cyber Crime Study, Ponemon Institute LLC, sponsored by HP Enterprise Security, interviewed 58 U.S.-based organizations and a total of 252 organizations in seven countries around the world to determine the average costs of a breach, as well as costs to recover. They found that those costs continue to rise.
Kaspersky Labs released Damage Control: The Cost of Security Breaches, for which they surveyed 5,500 companies in 26 countries to determine the costs of recovering from a cyberattack.
The resulting numbers don't quite match. Ponemon Institute found that it took organizations an average of 46 days and just under $2 million to recover from each cyberattack. Kaspersky Labs, however, put recovery costs at an average of $551,000 for enterprises and $38,000 for small businesses, with costs increasing when reputation damage and costs for training and infrastructure upgrades are included.
The Ponemon study looked mostly at overall cybercrime costs and found that the mean annualized cost per organization was $15 million, with a range from $1.9 million to $65 million per company. There was a positive relationship between organizational size and cost, but smaller businesses were found to incur a significantly higher per-capita cost than larger organizations: $1,571 versus $667, respectively.
Mitigating the rising costs
Both studies agreed that the most common attack type was malicious code, while Kaspersky found that failures of third-party suppliers had the greatest impact on the cost of a data breach. Kaspersky also examined the various ways the cost of a breach manifests, including loss of access to critical business information and lawyer and consultant fees.
Marc Shinbrood, vice president of Web application security at Trustwave Holdings Inc., based in Chicago, said that spending on consultants may not address the needs unique to each enterprise.
"Companies need to make sure that aggressive security testing is a priority. Many companies will bring in consulting firms to do a study, or look to other organizations for direction on security," Shinbrood said. "Rather, enterprises should test their own environment and look for trends in their own business, and then take appropriate actions. A good example of the reasoning behind this is if you buy a car based on what your neighbor has, will the car fit your own set of unique needs?"
While both reports looked at the significant and often rising costs of cyberattacks and recovery, experts acknowledged that one of the most difficult tasks for IT professionals can be obtaining additional budget. The answer, then, may lie in how existing resources are allocated.
Chris Doggett, managing director of Kaspersky Lab North America, said that any budget considerations must first take into account a baseline set of technologies needed by all organizations.
"Effective endpoint protection against cyberattacks must combine several different security technologies, such as malware detection, Web security controls, exploit protection, advanced firewall capabilities and host intrusion prevention. The first and primary objective should be to choose an endpoint security solution, which has the best possible protection as their primary selection criteria," Doggett said. "Only after satisfying this need should organizations look to invest additional budget into 'layers' of security that are provided by products and services that address the vulnerabilities and exposures that are specific to their infrastructure, user base and business processes."
Larry Ponemon, founder of the Ponemon Institute in Traverse City, Mich., said that once you are looking at how resources are allocated towards security at different network layers, organizations may find that one layer is getting more than it should.
"It seems like in the traditional security budget, the lion's share, under the category of enabling technology, would be network security technology, which is traditional perimeter control -- firewall, IPS and similar," Ponemon said. "But when you look at where the actual threat vector is located or the likelihood of an attack, it's normally in the application layer much more so than in the network layer."
Ponemon noted that the survey data showed companies slowly shifting budget resources away from the network security layer and towards the application layer. According to the report, application layer spending rose from 15% of the budget in 2013 to 20% in 2015, while network security spending dropped from 40% to 36% in that same timeframe.
Morey Haber, vice president of technology at BeyondTrust Inc., in Phoenix, said that organizations tend to focus too much on the amount of data to be secured and not enough on access management.
"There is an inherent notion that just because we store more data, the amount of security tools (and costs) to protect the data and systems needs to increase as well. The best approach for mitigation is not to constantly build more defenses around the access to the data, but rather embrace the concept of least privilege and only provide access on a need-to-know basis," Haber said. "Implementations of least privilege reduce the noise of who has access and allows more efficient monitoring of when access does occur by end user and application -- even between assets. When access does occur that is not desirable, it is much easier to identify using traditional SIEM solutions or even advanced analytics, because the noise has been virtually eliminated."
The Ponemon Institute study also calculated that the technologies that could save a company the most money in the event of a breach would be security intelligence systems, GRC tools or access governance tools. However, when the costs of these technologies are taken into account, access governance tools and GRC tools don't offer the same return on investment (ROI) as encryption technologies or perimeter controls and firewall technologies, according to the report.
Travis Greene, identity solutions strategist at Houston-based NetIQ, said this kind of ROI data could help in changing how executives view common security spending.
"We tend to think of security spend as insurance -- not really helping the bottom line, but as a necessary overhead. The report provides some information on ROI of security spend, which puts into perspective the breach costs that are becoming common to all companies, given the growth in cybercrime," Greene said. "Therefore, I think it's premature to surrender to a scarcity mind-set and assume there isn't more budget for IT security. But reallocation of security budget from network security to securing access to data is certainly a smart move -- we need to focus on what the criminals are after."
Doggett warned that, ultimately, the constant stream of news concerning security breaches could desensitize IT professionals to the dangers.
"We must not become complacent. There is a risk that some businesses conclude that 'we have probably done enough,' or think that since it apparently happens to everyone that the reputation costs are likely to be more fleeting or easily dealt with; however, this is not the case," Doggett said. "As the sophistication of cybercriminals continues to advance and the black market for stolen information becomes more and more developed, the negative impact of cyberattacks also continues to grow. We must continue to provide a strong emphasis on continuous improvement in the realm of security and companies must continue to view investment in security as a top priority."