A Ponemon Institute study shows that 82% of attack costs go toward detection, containment, recovery, and remediation.
For many cybersecurity professionals, one of the biggest challenges they face isn't stopping the next cyberattack; it's proving the value of something that didn't happen. A new report from the Ponemon Institute may finally give them the data they need to show that what they do is saving the organization money.
According to the study, The Economic Value of Prevention in the Cybersecurity Lifecycle, which was sponsored by Deep Instinct, a company that uses neural networks to prevent cyberattacks, the economic value of preventing a cyberattack ranges from $396,000 to $1.37 million, depending on the type of attack.
"For example," the study said, "the average total cost of a phishing attack is $832,500 and of that 82 percent is spent on detection, containment, recovery, and remediation. Respondents estimate 18% is spent on prevention. Thus, if the attack is prevented the total cost saved would be $682,650 (82 percent of $832,500)."
Even though these cost savings are substantial, only 24% of cybersecurity teams are focused on prevention. Instead, they spend the majority of their time on threat detection, containment, and mitigation. And, even though 70% of respondents said that prevention is a better strategy than remediation, only 21% of cybersecurity budgets, on average, are allocated to that task.
This may be because 80% of respondents said that prevention is difficult to achieve, citing three factors: it takes too long to identify threats before they become attacks (63%); existing technology is not up to the task; and they lack the in-house expertise they need to prevent attacks. Also, 55% of respondents said they can contain attacks when they occur.
Half of respondents said their organizations are not making the correct investments to protect themselves from a cyberattack, and only 40% said they have enough budget to achieve a strong cybersecurity posture. The study found that the average IT budget is $94.3 million and that 14% of it, or $13 million, is devoted to cybersecurity.
"People in security are in a tough position," said Steve Salinas, head of Product Marketing at Deep Instinct. "Half of respondents don't think that their spending adds the value it should. That's pretty concerning. This is an audience that is looking to solve these problems with better prevention."
Over the next two years, 54% said they will be increasing their cybersecurity spend, 23% plan no changes, and 23% are planning to decrease spending.
According to the survey, the most common attacks facing organizations today are, in order of prevalence, phishing (47%), DNS-based attacks (40%), electronic agents like viruses and bots (35%), DDoS (34%), and ransomware (32%).
The number one cause of attacks is a negligent employee or other insider. This is followed closely by third-party errors and insecure endpoints.
At $1.5 million, nation-state attacks were found to be the costliest attacks to respond to. Preventing these types of attacks could save an average of $1.4 million per attack. Zero-day attacks, in which vulnerabilities in software or firmware are exploited by attackers before they are commonly known or a patch is available, cost $1.2 million on average. Preventing one could save the organization $1.1 million.
"This study shows that the majority of companies are more effective at containing cyberattacks after they happen because it is perceived to be more accountable," said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. "This explains why cybersecurity budgets focus on containing attacks rather than preventing them, as well as the increased rate of breaches despite investments in cybersecurity solutions."
About the study
The web-based study surveyed more than 600 IT and IT security practitioners. Most said they are responsible for maintaining and implementing security technologies, conducting assessments, leading security teams, and testing controls. The Ponemon Institute noted that the accuracy of the findings depends on the contact information used and on the degree to which the sampled list is representative of individuals who are knowledgeable about their organizations' cybersecurity technologies and processes.