Cybersecurity spending today is at an all-time high, and is poised for further growth. But cybercriminal activity—attacks, breaches and resulting damages—has also peaked. CEOs, CIOs, and budget-conscious investors are all asking: are the available IT security solutions worth their cost? Would it make more sense just to pay off the hackers? Do proactive approaches even work?
There’s little doubt that companies are investing more than ever before into IT security. Analysts at Gartner, Inc. estimate that enterprises worldwide will allocate more than $96 billion to their cybersecurity budgets in 2018, an increase of 8 percent from 2017 spending levels. Not only is spending forecast to increase, but the rate of increase is also expected to climb dramatically. In their 2018 Cybersecurity Market Report, for instance, researchers at Cybersecurity Ventures predict that total global expenditures on cybersecurity products and services will exceed $1 trillion between 2017 and 2021, with year-over-year growth rates between 12 and 15 percent.
And actual spending may well be even higher than these predictions suggest, since cybersecurity-related expenses are often incorporated within other areas’ budgets. Security services may be bundled with other IT solution costs, such as software development or infrastructure maintenance. Or they may be classified as “general operational expenses,” or compliance costs. This makes it increasingly difficult to accurately account for them.
What’s most troubling about these numbers, however, is that despite the high levels of spending that they clearly reveal, costs and losses attributable to cybercrime are also on the rise.
In IDG Research’s 2017 State of U.S. Cybercrime Survey, 68 percent of respondents indicated that despite spending more, their monetary losses due to cybersecurity events were the same or greater than the previous year. The number of businesses reporting no losses fell by 6 percent, and the number of events resulting in damages increased. Researchers at Cybersecurity Ventures predict that cybercrime will continue to increase in the coming years, and that by 2021 it will cost global businesses more than $6 trillion annually.
Given statistics like these, and faced with tight budget constraints, it is tempting for business leaders to conclude that investing in cybersecurity is simply not worthwhile.
Would You Be Better Off Paying the Ransom?
Many decision-makers do in fact take this “save now, pay later” approach. More than a third of the 1,800 companies surveyed in NTT Security’s 2018 Global Threat Intelligence Report said that they’d consider paying a hacker’s ransom rather than investing in information security.
Worryingly, this data reveals that many executives remain unaware of the scope of the risks their organizations face. In the wake of highly publicized ransomware attacks like WannaCry and Petya/NotPetya, the report suggests that these decision-makers tend to overestimate the cost of preparedness while grossly underestimating the financial implications of failing to prepare.
Adding Up the True Costs
It is difficult to perform an accurate cost-benefit analysis when the costs involved are concrete and fixed, and the benefits are less tangible. When considering new cybersecurity investments, executives are presented with finite and predetermined costs: for hardware and salaries if developing in-house capabilities, or on a per-employee or per-device basis if outsourcing. The actual costs of an attack or breach are far more difficult to quantify, however.
Damage to brand image and reputation is of major concern to cyberattack victims. In the NTT Security Report, a majority of respondents feared that “loss of consumer confidence” or “damage to brand/reputation” would result from an information security breach. Although the consequences of tarnishing a brand are undeniably real, it is notoriously challenging to express these losses in financial terms. But in any industry with significant competition, customers who leave because they no longer trust you in the wake of a data compromise will most likely never return.
Other potential costs, too, are frequently ignored in cybersecurity risk calculations. Would your cybersecurity insurance premiums increase? Or might your insurer even refuse to pay out if you were shown to have neglected your responsibility to follow best practices? What would it cost to replace top talent if high-level employees resigned in the wake of the incident? And what damage would be done to your relationships with other vendors or business partners?
Tomorrow’s Risks Will Be Even Greater than Today’s
The threat landscape is ever-changing, and cybercriminals will continue to employ the tactics that give them results. The use of ransomware, in particular, is on the rise. SonicWall recently reported a 229% increase in ransomware attacks from 2017 to 2018. This includes high-profile cases like the SamSam attack that crippled the city of Atlanta as well as numerous smaller-scale incidents. Taken together, ransomware costs have spiraled into the billions, and are likely to grow further as threats become increasingly strategic, targeted and sophisticated.
If even a small percentage of victims pay the ransom, threat agents are strongly incentivized to continue to develop and deploy ransomware, and to target increasing numbers of organizations. And if it becomes widely known that one-third of companies would be willing to pay up, we can expect to see exponential growth in the number of attacks.
You Don’t Know If You’ll Get What You Pay For, Or What the True Cost Will Be
A few years ago, some experts advocated paying the ransoms demanded by cybercriminals, arguing that an “honor among thieves” mentality prevailed, and that most would decrypt your files or return control of them once paid. Real-world data belies the wisdom of this approach, however. In a recent research report by the Cyber Edge group, only 19% of the victims who paid actually got their data back.
Some criminals never intended to return the data, while others—through ineptitude or poor coding skills—find themselves unable to fulfill their promises to decrypt the files.
There’s simply no way to be certain that paying a ransom will restore your data.
With so many attackers today demanding payment in Bitcoin or other new cryptocurrencies, and with the value of these digital assets fluctuating daily, it’s also incredibly difficult to estimate—in dollars—how much the ransom will actually cost.
While it is possible to estimate the cost of a data breach—the Ponemon Institute puts it at $148 per stolen record, for an average total of $3.86 million—predicting the impact of a future ransomware attack is more challenging. Real-world examples show that the costs can be extremely high, and that a single incident can cripple your business, or even destroy it. This isn’t a risk worth taking.
A proactive approach is without question the best one.
Stay tuned for our next blog post, where we’ll discuss the most cost-effective ways to fight ransomware and data compromise, and how to stay proactive on a budget. Or contact Netswitch to learn more today.