2021 has been a big year for cybersecurity: not only are attacks like ransomware and DDoS on the rise, but the cost of cyberattacks to businesses is the highest it’s been since IBM began tracking it in their annual Cost of a Data Breach report. With alarming new attack trends and companies revamping their security to adapt to accelerated digital transformation, cybersecurity is becoming more important than ever.
But even though many teams have increased their security budgets in the past year, many still feel underprepared for cyberattacks. If you’re wondering whether it’s worth it to increase your security spending, the answer is yes. The costs of a cyberattack include not only direct costs like regulatory fines and legal fees, but also below-the-surface costs like lost contract revenue due to reputation damage. As a result, investing in cybersecurity proactively can prevent costly damages down the road. This post will discuss why many teams are increasing cybersecurity spending, the costs of a cyberattack, and the best way to enhance security to adapt to the new threat landscape.
2021 Cyberattack and Cybersecurity Trends
According to IDG’s 2021 Security Priorities study, 90% of security IT leaders believe they are not prepared for today’s cybersecurity risks. The report states that, “The explosion of ransomware, zero-day attacks, third-party breaches, along with long-term remote work concerns and the integration of operational technology with IT systems have culminated into a crisis of confidence for IT security leaders.” In other words, 2021’s rapid digital transformation has created significant challenges for security teams, between new attack trends and updating their security policies to accommodate remote work and increased traffic to online retail, digital education, and telehealth platforms, as well as other ongoing changes like commercial 5G rollout.
As a result of these trends, many cybersecurity teams are increasing their budgets. IDG’s report states that SMBs are planning to double their security budgets from $5.5 to $11 million in the coming year and enterprises will budget an annual $123 million on security. However, just as security budgets are rising, so are the costs of cyberattacks to businesses. IBM’s 2021 Cost of a Data Breach report revealed that not only is this year’s global average cost of a data breach, $4.24 million, the highest it has been in the 17-year history of the report, but the average cost of a cyberattack also increased by 10% in the past year, the largest year-over-year increase in 10 years. In fact, cybercrime is now estimated to cost organizations worldwide a total of $1.79 million every minute, according to Infosec Magazine.
But why are these costs so high? When breaking down the average cost of a cyberattack, it’s important to consider not only on-the-surface costs, but also the long-term, below-the-surface impacts of an attack, such as reputation damage, which can affect customer contract values and result in missed opportunities long after attacks have been mitigated.
Breaking Down the Cost of a Cyberattack
On-the-Surface Costs
When most companies think about the cost of a cyberattack, they consider the direct costs the attack generates, such as increased resource use (e.g. bandwidth and compute) from DDoS attacks or brute force attacks, as well as the amount it costs to mitigate and recover from the attack, such as regulatory penalties and legal fees for leaked or stolen data. One way to break down these costs is to consider what is incurred at each stage of the process: detection and mitigation, notification, and recovery.
- Detection and mitigation: Crisis management, loss of business continuity due to malware or service interruption, wasted resources, ransomware payments
- Notification: Communicating with customers and other stakeholders, and engagement of outside experts to assess regulatory violations
- Recovery: Paying regulatory penalties and legal costs, issuing new accounts, product discounts
In addition to the direct costs of a cyberattack, businesses should be aware of the hidden costs lurking below the surface. As noted in a Deloitte report, this is because discussions about attacks “tend to focus on costs related to customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties,” but these represented less than five percent of the total financial impact. Some of the “hidden costs” that Deloitte noted as making up the bulk of costs to companies included:
- Insurance premium increases
- Increased cost to raise debt
- Value of lost contract revenue
- Devaluation of trade name
- Loss of IP
- Lost value of customer relationships
When taken together, these outcomes can have a huge impact on a company’s bottom line that can be hard to recover from. As a result, proactively planning to avoid cyberattacks is a must. But although investing in cybersecurity is crucial, for small businesses and companies that are already battling tight budgets while recovering from the pandemic, the cost of doing so requires strategic planning and a clear understanding of which cybersecurity initiatives will have the greatest impact on avoiding attacks.
How to Avoid Costly Cyberattacks
In 2021, Cisco interviewed 4,800 cybersecurity professionals from over 25 global companies to determine which security practices have the biggest impact on their organization’s ability to defend against cyber threats. Overall, their report found that the strongest correlation between a company’s cybersecurity practices and its ability to achieve its security objectives was “a proactive, best-in-breed tech refresh”: the frequency with which key technological components were updated in order to ensure high performance.
Another factor that has a big impact on the efficacy of cybersecurity policies is the implementation of zero-trust security. Zero trust, which was introduced in 2010 by Forrester Research, replaces legacy security models that are based around keeping threats out of a secure corporate perimeter, which has been made largely irrelevant as a result of remote work, cloud and edge infrastructure, and widespread use of APIs. Instead, zero trust limits the damage attackers can wreak on a system by narrowing permissions, giving users the least possible permissions needed to perform their necessary tasks.
As a result, zero trust not only helps adapt security policies for today’s digital landscape, but also limits the risk of insider threats and user error, which, according to Verizon’s 2021 Data Breach Incident Report, is one of the biggest threats to cybersecurity; in 2021, the top three incident types amongst cloud users were stolen credentials, misconfigurations, and phishing. And now that companies are beginning to implement zero trust, they are seeing positive results, with IBM’s Cost of a Data Breach report revealing that cyberattacks cost companies with mature zero trust security $1.76 million less on average than companies without zero trust in place.
Proactively investing in cybersecurity can pay huge dividends down the road by avoiding these expensive cyberattacks and improving your users’ trust. Azion’s integrated security stack can help companies improve their security posture by crafting zero-trust security policies and working with our Security Response Team to craft incident response plans that will help them before, during, and after an attack. To find out how Azion can improve your company’s security, contact our sales department or sign up for a free account and start using Edge Firewall today.