Cyber attack prevention better than cure
8 April 2020
According to a new study from the Ponemon Institute, the economic value of cyber attack prevention ranges from $396,675 (€364,832) to $1,366,365 (€1,256,680), depending on the nature of the attack.
The figures are derived from a comparison of the cost of prevention over the entire cyber security lifecycle of detection, containment, remediation, and recovery.
For example, the average cost of a phishing attack was estimated at $832,500 (€766,025), whereas the study determined that the cost saving resulting from the ability to prevent such attacks was $682,650 (€628,140).
The study, entitled “The Economic Value of Prevention in the Cybersecurity Lifecycle”, found that while the majority of cyber security professionals (70%) felt the ability to prevent attacks from penetrating their networks would improve their cyber security posture and reduce the cost of an attack, only a fifth (21%) of budgets are allocated to attack prevention. The majority (79%) of budgets is allocated to detection, containment, recovery and remediation activities.
The study asserts that effective adoption of a preventative solution, when compared to the current spending of security departments and the cost of attacks, would result in significant cost reductions and require lower overall investment.
“This study shows that the majority of companies are more effective at containing cyber attacks after they happen because it is perceived to be more accountable. This explains why cybersecurity budgets focus on containing attacks rather than preventing them, as well as the increased rate of breaches despite investments in cybersecurity solutions,” said Dr Larry Ponemon, chairman and founder, Ponemon Institute. “Prevention of cyberattacks is perceived to be too difficult, but as companies continue to suffer revenue losses due to cyber breaches, we expect budgets to start allocating increased resources to preventative solutions given the amount of money they save.”
The clear benefit of prevention, the study states, is reflected by the two thirds (67%) of respondents who believe the use of automation and advanced AI such as Deep Learning would improve their ability to prevent attacks, and that, despite the current perceived difficulty, they intend to implement these technologies within the next two years.
The study also found that with an average budget of $13 million (€11.9 million) for IT security, half of respondents say their organisations are wasting limited budgets on investments that do not improve their cyber security posture, and only 40% believe that budgets are sufficient.
Prevention was perceived to be the most difficult part of the cyber security lifecycle to achieve, according to 80% of respondents. The reasons cited are that it takes too long to identify, that technology is insufficient and that in-house expertise is lacking.
Furthermore, organisations are more effective at containing cyber attacks. More than half (55%) of respondents feel they can contain attacks after they happen, and this priority leads IT teams to allocate larger portions of their budgets to containment, rather than prevention.
The study, carried out by the Ponemon Institute with Deep Instinct, surveyed more than 600 IT and IT security practitioners with knowledge of their organisations’ cyber security technologies and processes, with most having responsibility for maintaining and implementing security technologies, conducting assessments, leading security teams and testing controls.