Many organizations have yet to create an effective cybersecurity strategy — and it's costing them millions.

The costs associated with data breaches continue to grow at a pace that exceeds the resources available to protect the organizations dealing with the breaches. Two new reports, from IBM and EY, make that same point with different data and slightly different, but definitely related, conclusions. Together they provide a picture of security incidents that are inevitably expensive but can be made less so through careful planning.

The first study, commissioned by IBM and conducted by the Ponemon Institute, looks at the cost of data breaches from the perspective of business continuity management (BCM). The study breaks the costs associated with a breach into four areas:

  • Detection and escalation: Finding out you've been breached and deciding what to do about it.

  • Notification: Telling the affected customers, partners, and employees about the breach and notifying any relevant regulators or law-enforcement agencies.

  • Ex-post response: Remediating the impact on the organization and the individuals affected by the breach.

  • Lost business cost: Business lost due to the reputation hit, distraction, or downtime due to the incident.

According to the study, 22 different factors — ranging from the lack of security analytics to the presence of the Internet of Things — can have an impact on the cost, with the overall thrust being that time equals money: The longer it takes to figure out what has happened and to do something about it, the more money the effort will consume. And in 2018, the average incident has consumed $4.24 million in the population studied.

EY also studied the cost of a cybersecurity breach, but from a slightly different perspective: that of cybersecurity in the context of overall business advantage. While 55% of the companies also surveyed by Ponemon on its behalf had some sort of business continuity management team in place, EY found that 87% of the companies were working with limited cybersecurity and resilience capabilities. While the two facts are not mutually exclusive, they suggest that companies have business continuity or cybersecurity teams who operate within very tightly constrained resources. 

Those constrained resources still have room for cybersecurity incidents that cost companies an average of $3.62 million per incident. While a different total than in IBM's study, the two numbers are in the same financial neighborhood, with each representing a significant sum for many organizations.

With different beginning points for their work, the two report reach different conclusions. The IBM report focuses on the impact that a BCM team and plan can have on the cost of an incident once it has occurred. According to the report, an in-place BCM team can save 82 days throughout the total span of an incident, save the company more than $5,700 per day, and lower the overall cost of an incident to an average of $3.55 million.

EY makes the point in its report that organizations must do three things simultaneously:

  • Protect the enterprise: Identify assets and build lines of defense.

  • Optimize cybersecurity: Stop low-value activities, increase efficiency, and reinvest the resulting funds in innovative security technology.

  • Enable growth: Implement security-by-design as a key success factor for digital transformation.

All are critical in the face of 6.4 billion fake email messages sent every day, EY says. The overwhelming number of potential attacks launched against organizations means that cybersecurity must be part of the business strategy and reflected in the organization's governance. Yet, according to the report, "At the moment, there is significant room for improvement. Fewer than 1 in 10 organizations say their information security function currently fully meets their needs — and many are worried that vital improvements are not yet under way."

With approaches that include working to prevent incidents and preparing to deal with incidents when they do occur, the studies show that many organizations have yet to effectively create a cybersecurity strategy that meets the needs of the business — or the incident at hand.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights