ESI ThoughtLab looked to put some tangible figures on what investing in cybersecurity can do, especially during the coronavirus pandemic.
The firm recently released a comprehensive study which finds that increased investment in cybersecurity can generate a significant return on investment of 179% and provide greater protection as companies cope with the fallout from COVID-19.
ESI ThoughtLab explained that it benchmarked the cybersecurity investments, practices, and performance metrics of 1,009 firms across 13 industries and 19 countries to identify the most effective approaches for mitigating cybersecurity risks and losses. This ground-breaking research was conducted in conjunction with an advisory group of cybersecurity, cyber insurance, and technology specialists, including Arceo.ai, Check Point Software, Cowbell Cyber, Edelman, Fiserv, KnowBe4, Optiv and Verizon Business.
The analysis found that last year firms surveyed spent $9.6 million on average on cybersecurity — $515 per employee — and 97% of those expect to increase their spending by an average of 14% this year (pre-COVID-19 estimates).
Companies are investing in three areas: people, process, and technology. While the average ROI is 179%, it varies by area: 271% for investments in people, 156% for process, and 129% for technology.
According to the research, on average, investments in people result in a 46% decline in the probability of a breach versus 30% for process and 37% for technology.
“These cybersecurity investments can generate enormous ROI for companies, particularly for those in earlier stages of cybersecurity maturity,” said Lou Celi, chief executive officer of ESI ThoughtLab and the program director of the research.
“The reliance on digital technology during the pandemic, together with the rise of remote working, shopping, and healthcare, has served as a stress test for corporate cybersecurity systems,” Celi continued in a news release.
“Our (chief information security officer) interviews have revealed that companies with advanced protection, detection and response frameworks, backed up by strong cybersecurity hygiene and governance, have fared well during the crisis,” Celi went on to say.
Companies still need to do more to combat rising threats
According to the surveyed companies, one in three attack attempts over the last year resulted in a successful breach.
While most cybersecurity breaches are minor, affecting only a small number of people or machines, ESI ThoughtLab discovered the average price tag per breach is around $330,000.
However, for firms that are in the top 10% in terms of breach costs, the average cost per breach is over $1.8 million.
Adding to the complexity, ESI ThoughtLab indicated that companies may be underestimating their exposure to a potential breach and overestimating the protection offered by their cybersecurity systems. While the average company assigns a 45% probability to a moderate or material breach, the research shows that the probability is much higher, ranging from 62% to 86%.
The research also showed that companies need to go well beyond compliance with cybersecurity frameworks, such as NIST or ISO, to be effective in reducing risks.
For example, only 64 of 151 companies (42%) classified as leaders in NIST compliance are advanced in cybersecurity effectiveness, according to the study’s rankings. Rather than applying the NIST framework as a box-ticking exercise, the most cyber-secure companies adapt this framework to their business goals, strategies, and individual risk profiles.
Cybersecurity leaders also combine analysis from advanced quantitative tools and input from internal business partners and third-party experts to make the best decisions, according to ESI ThoughtLab.
Even before COVID-19 hit, ESI ThoughtLab noted, companies reported the largest losses from malware (66% of survey respondents), phishing (60%) and password reuse (49%), with cybercriminals cited as the biggest threat actors.
As business goes digital over the next two years, the research found that executives also expect an increase in attacks through artificial intelligence (38%), denial of service (34%), and web applications (29%).
With geopolitical and social unrest growing, and greater economic volatility ahead, ESI ThoughtLab pointed out that CISOs in the financial, energy, automotive, retail and telecom sectors are bracing for a jump in cyber terrorism and activism, along with greater risks from nation-states.
The most successful approaches of companies advanced in cybersecurity
The study identified the practices of cybersecurity leaders that are most effective in mitigating cybersecurity risks and losses. Leaders commonly do six things that keep them well prepared for today’s high-risk environment:
1. Invest more in cybersecurity. Leaders spend about 25% more than others on cybersecurity per employee, increase those investments each year more than the average, and invest more than others in recruiting specialists, working with external consultants, and training, such as end-user security awareness training with simulated phishing.
2. Make cybersecurity hygiene a top priority. Leaders have the lowest percentage of “critical” unpatched or “high” vulnerabilities based on CVSS scores (18% for leaders vs. 28% for others). They also do more frequent backup restoration drills (5.6 times a year versus 4.3 for non-leaders), IT infrastructure scans (4.9 versus 3.4), and phishing tests (5.1 versus 4.4).
3. Keep management teams focused and aligned. Cybersecurity heads typically report into the CEO, COO, or the board in leader companies. CISOs at these firms focus more on security than IT (75% of leaders) and play a bigger role in managing data privacy (54%), digital transformation (57%) and operational resiliency (49%). Leaders are also more likely to make cybersecurity a shared responsibility of two executives, such as the CIO and CISO, or the CISO and CSO.
4. Rely heavily on advanced analytics and specialized teams. More than eight out of 10 leaders conduct cyber-risk scenario analysis, assess the financial impact of risk events, and measure the effects of mechanisms to mitigate cyber risks. Leaders also outsource incident response, red team, risk management, and security ops more often than others.
5. Extract greater value from cybersecurity tools. Leaders invest more heavily in — and achieve greater effectiveness from — key cybersecurity technologies, including cloud workload security, endpoint detection, mobile device management, deception technology, email filtering, multi-factor authentication, and firewalls and web filtering.
6. Make more use of cybersecurity insurance. Since it is impossible to mitigate all risk, leaders rely more on insurance to transfer it: 57% of leaders have cyber insurance coverage over $10 million, compared with 30% of non-leaders. Overall, six out of 10 firms plan to spend more on cybersecurity insurance over the next two years.
“Companies across the board are improving their cybersecurity practices and reducing their losses thanks to smart investments in people, process, and technology,” Celi said. “While these steps have helped contain cyberattacks during the pandemic, today’s turbulent environment has underscored the value of business continuity and resilience, as well as using advanced analytics to assess cyber risks in an interconnected world.”
The full findings of the study can be found at https://econsultsolutions.com/esi-thoughtlab/driving-cybersecurity-performance/.