As organizational leaders finalize their budgets for 2022, cybersecurity costs are top of mind, especially ransomware costs. As attacks grow increasingly frequent and sophisticated, the price of mitigating an incident is rising rapidly. In 2021, the average ransomware payment rose to $570,000, compared with $312,000 in 2020. Of course, there’s more to recovering from a ransomware attack than paying the ransom – a lot more – which is why total recovery costs hit a cool $1.85 million this year, more than double the 2020 average of $761,106.
It’s far less expensive to prevent a ransomware attack than to recover from one, but how much is too much to spend? How much is too little? How should organizations allocate their security dollars, and how can they ensure they’re spending their money effectively? Let’s cut through the noise – and security vendors’ marketing hype – and examine how organizations can optimize their cybersecurity spending while ensuring adequate protection.
Traditionally, many organizations have devoted a particular dollar amount or a budgetary percentage to cybersecurity without fully understanding what it is they need to protect and how well it’s currently protected. Often, they’ll follow generalized recommendations or base their budgets on what others in their industry are spending. This leads to wasteful spending in some areas and underinvestment in others.
Using a quantitative budgeting process helps organizations avoid guesswork, determine which security tools are essential, and understand how much they should be spending to protect each asset. Additionally, a quantitative process helps security professionals correctly translate security risks into business risks and demonstrate how cyber risks impact the organization as a whole – both of which are crucial to getting buy-in from non-technical stakeholders.
For the moment, forget about dollars and percentages. Perform a complete IT asset inventory, including both tangible and intangible assets, and categorize each asset according to its sensitivity and its importance to the functioning of the business. Asset classification can be done in a number of ways. Many organizations classify data assets according to how sensitive the information is, such as public, internal, restricted, and highly confidential.
With your asset inventory in hand, you can determine your organization’s cybersecurity posture – that is, how well your organization’s assets are currently protected.
Cybersecurity is all about reducing risk, which is why the second step in the budgeting process is to determine your organization’s risk appetite. This collaborative endeavor involves the entire executive management team and other key stakeholders. The company’s leadership must consider multiple factors, including its existing risk profile, risk capacity, risk tolerance, and organizational attitudes towards risk and returns.
Finally, it’s time to start thinking about dollars and percentages. An organization’s cybersecurity budget should be aligned with how much the organization stands to lose after a cyberattack and how much risk the organization is willing to take.
Setting up KPIs enables organizations to quantitatively measure the effectiveness and value of their cybersecurity investments and demonstrate that value to company leadership. While there is no authoritative list, common security KPIs include the number of intrusion attempts over a specified period, the mean time to detect (MTTD) a potential security incident, and the average cost per security incident.
Don’t base your organization’s security spending on what other companies in your industry are doing. You’re securing your organization, not theirs. Your company’s asset inventory and risk profile could be wildly different – not to mention, your competitors may not have used a quantitative process to come up with their security budgets!
Don’t think that spending gobs of money on the latest and greatest security tools will make your organization impenetrable. There are many solid products on the market that can significantly reduce your cyber risks, but that’s all any product can do: Reduce risk. There is no such thing as eliminating it completely, which is why determining your organization’s risk appetite is a critical part of the budgeting process.
On a similar note, before purchasing any security solution, be sure you have the in-house expertise and resources to devote to it. The best security products on the market are only as good as the humans who configure and monitor them.
Cyber insurance is a sound investment to mitigate the costs of a cyberattack. However, primarily due to the stratospheric rise in ransomware costs, cyber liability premiums have spiked as much as 300%. Insurance companies have also started imposing “sub-limits” and co-insurance provisions on ransomware incidents, tightening underwriting guidelines, and imposing coverage limits on industry sectors at high risk for ransomware, including manufacturing, education, healthcare, and public sector organizations.
Bottom line: Insurers are making organizations shoulder far more of the risk of a ransomware attack than they did in years past. Instead of depending on cyber insurance, invest in proactive measures to prevent ransomware attacks from happening in the first place, such as:
For additional help deciphering how much and what your business should invest in regarding cybersecurity, reach out to your Pendello Solutions team today. Let us help you filter through the tools and jargon to determine what will indeed be effective for your organization.