The Costs of Cyber Security in Prevention Vs Recovery

Cyber security breaches and cyber security resources that make IT systems less breachable have something in common: they both cost money. The difference is that the price for security that prevents a breach can be calculated up front, while the exact cost of recovering from a breach cannot.

Because overinvesting in resources is wasted money that weakens a company’s bottom line, many managers understandably wonder: does the cost of cyber security breaches justify the cost of cyber security measures that harden an IT system, making its inner workings harder for hackers to reach?

The Answer Depends on Who’s Asking

Considering the simplicity that it would bring to IT service agreements, it would be immensely helpful to third-party providers and their clients if cyber security and the breaches it prevents had respective, fixed costs, but they do not. Too many possibilities exist on the client end.

For example, in the instance of a data breach, Ponemon Institute reveals that, as of 2018, the “cost per compromised record” for a healthcare organization is $380, while the cost for a financial services provider is $336. If a national healthcare company has millions of records, while a local financial services firm has thousands of records, the cost of cyber security breaches that result in data theft is likely to be quite different between the two entities. The cost of cyber security that they need to halt theft is likely to be markedly incongruent, too.

There is, however, one thing on which cyber security providers and nearly all companies that have experienced a security breach can readily agree: recovering from a breach is more financially disruptive than the cyber security cost to a business that encounters a breach.

Breaches: More Financially Meddlesome than Prevention

Absorbing the cost of a breach is inherently more financially disruptive than paying for cyber security that prevents breaches. Regardless of what it entails, the cost of cyber security is calculated into the IT budget, but the cost of recovering from a security breach is not.

In fact, when you consider the many costs that could be contingent to whichever type of breach figures to be the costliest for your company — from fixing the IT problem that precipitated the breach, to loss of business, to reputation damage — estimating the price of recovery at the highest conceivable cost, which would probably overshoot the true cost, might be the only way to feel comfortably assured that you have budgeted to afford the breach.

This would obviously be an irrational way to designate your IT budget. At the same time, considering that no segment of companies, regardless of size or industry, enjoys a statistical reprieve from security breaches, not defraying the cost of cyber security breaches is also financially unreasonable. This logically leads to one conclusion.

Because cyber security prevents breaches, budgeting for the cost of cyber security is the most fiscally sound way to account for financial fallout a breach could bring. The unknown cost of recovering from breaches is supplanted by the known cost of circumventing them

Factors that Determine the Cost of Cyber Security

To determine the cyber security cost to a business for hardening its IT system against breaches, a security provider must perform an assessment of the business’ present needs. Here are the main factors for assessing the cost of the total solution the business requires:

  • Determined by security vulnerability assessments: the need to eliminate vulnerabilities in hardware, software, and/or IT procedures hackers could exploit with various attacks
  • Determined by an endpoint protection assessment: the need to protect network perimeter devices — such as desktops, laptops, and mobile — against unauthorized logins, and to eliminate vulnerabilities hackers could exploit with various attacks
  • Determined by a network security assessment: the need to implement or optimize firewalls, anti-malware applications and other tools for securing network data
  • Determined by a data storage assessment: whether data stored within physical servers, cloud servers, and other data repositories is properly encrypted; and whether data is sufficiently migrated to off-site storage to meet data redundancy needs
  • Determined by an access management assessment: whether accounts need stronger access control to prevent hackers from accessing data and launching various attacks
  • If the provider performs an ongoing service: the cost and frequency of the service charge, the possible cost differential between contractual and pay-as-you-go service charges, and any fees for initiation of service an/or contract renewal
  • If the provider performs an ongoing service that provisions deployment of IT staff to the client’s site: the window of guaranteed response time the client selects, if optional
  • Should the provider perform a one-time service: the base price and any related fees

The listed assessments examine inherent elements of an IT system that hackers probe for vulnerabilities, which allow them to breach the system: core hardware / software elements and their procedural operation, perimeter hardware, network security tools, data storage processes, and user accounts. The expense of resolving vulnerabilities and optional service implementation to prevent recurrences comprise the majority of the cost for cyber security.

Main Factors that Dictate Cost of Breach Recovery

As previously shown, when we hypothetically compared the cost of a data breach for a national healthcare organization to the cost for a local financial services firm — referring only to the “cost per compromised record” — the cost of cyber security breaches can vary greatly, depending on a company’s size and industry, as well as the nature and extent of the breach.

However, six factors dictate the cost of most security breaches, regardless of the company involved. In turn, the factors occur in response to the six most common security breaches:

  • Main Cost Factors
  • – Direct financial loss
  • – Disruption of business continuity
  • – Loss of brand value / reputation
  • – Loss of customers / clients
  • – Remediation for affected parties
  • – Legal costs
  • Most Common Breaches
  • – Malware
  • – Phishing
  • – Man-in-the-Middle (MITM)
  • – Distributed denial of service (DDoS)
  • – SQL injection
  • – Zero-day Exploit

The main cost factors are what you might expect. Their commonality is that they could befall any well-established business operation. But the main breach types seem to have a more specific shared trait. When you research them online, a revealing phrase routinely pops up, in reference to why they are perpetrated: “sensitive information”, or a closely related variant.

Considering that sensitive “data” is widely acknowledged to be the most valuable business asset, it doesn’t take much deductive sleuthing to conclude that data breaches are likely to be responsible for the cost of cyber security breaches that a majority of affected businesses incur.

Data Breaches: Scaling Prevention Vs Recovery

Ponemon Institute lists the average cost of a data breach in the U.S. at $7.91 million, and the average cost of deploying “[cyber] security automation” at $2.88 million. These are median numbers, not be taken as your company’s projection for data breach recovery, nor the cost of cyber security you would pay to avoid a data breach. But regardless of how you scale the differential, it shows that securing data costs far less than absorbing the cost of a data breach.

Contact NIC for a Cyber Security Assessment

The cost of cyber security may be less expensive than clawing your way back from a breach, but general observations mean nothing to your IT budget. You need a precise estimate for resolving vulnerabilities that leave you exposed. NIC has the security expertise to assess where you stand. We can also provide the solutions you need to stand strong in the face of threat. For an in-depth review of your security, contact us to request a free consultation.

Providing solutions to fit your organization’s IT needs

IT Partner