Balancing defensive security costs against risks and potential losses

Download the full whitepaper here: https://www.nccgroup.trust/uk/our-research/the-economics-of-defensive-security/  

The idea of implementing cyber security defences is now expected as standard across industries. But a question often remains over how strong these measures should be, and the concern is often a financial one – whether the costs of cyber security outweigh the potential risks.

While there is a strong school of thought which would argue that security is an indispensable cost, some claim that the costs of a breach are exaggerated, or that the cost of cyber defences may exceed the cost of a breach.

Often, there is no option but to implement robust and extensive cyber defences. For example, in the healthcare, defence and financial industries, legislation and different types of regulations often demand a higher standard of cyber security than in other sectors.

It’s also important to take into account that the cost of a data breach often isn’t just financial. It can also cause irreparable reputational damage, or, within industries such as defence or healthcare, can compromise a nation’s defences or affect individual patients.

However, our analysis of cyber security costs against the average cost of a data breach has demonstrated the point at which a lack of cyber security can pose an economic risk.

How high is the risk of a data breach?

Businesses are only becoming more at risk of breaches as time goes on. Figures for UK breaches between Q1 2016 and Q1 2017 show a clear rise in reported breaches. Over the same period, according to ID Theft Centre, data breaches were up 40% worldwide, with 1091 reported breaches in 2016 compared to 780 in 2015.

Our analysis also shows that the likelihood of a data breach varies across sectors. Perhaps unsurprisingly, local and central government organisations and utilities businesses are most likely to become a victim of a data breach, based on data from between 2016 and 2017. Marketing businesses faced the lowest number of data breaches over the same period, with just one breach reported across 25,000 businesses.

According to Ponemon research, the cost of a single breached record also varies across sectors, with healthcare breaches costing the most per breached record.

The average cost of a data breach also varies according to the number of records held by a business. Further analysis of Ponemon figures shows that, typically, the more records held by a business, the higher the risk of a data breach.

Using Cisco’s model for breach costs as equal to 20% of revenue, it can also be argued that businesses with a higher turnover typically experience a higher average loss.

Where is robust cyber security most important?

Our analysis of the cost of cyber security breaches against the average cost of implementing cyber security defences demonstrates a theoretical cut-off point, between 5,000 and 6,000 records, where the average theoretical cost of a single breach exceeds the cost of the first year’s defence implementation. Any organisation possessing 6,000 records or more could be viewed as taking a risk of monetary losses if inadequate defences are implemented.

However, what this analysis shows is that there is an ever-increasing risk of data breaches to businesses. With the amount of sensitive data held by organisations only increasing in size, and with GDPR coming into force next month, securing sensitive data is becoming all the more important. It’s also important to note that this cut-off point is based on theoretical costs – and an attempt to gamble with the likelihood and cost in this way may have far more serious consequences than expected.

Download the full whitepaper here: https://www.nccgroup.trust/uk/our-research/the-economics-of-defensive-security/

Published date: 01 May 2018

Written by: Nick Dunn
