What’s Your Cybersecurity Investment ROI?
Underfunding the security department leads to enormous monetary losses from data leaks, breaches, and other security incidents. Businesses need to spend money on security — but how do you justify these security expenses to management to get their buy-in? And how much budget should you allocate? In this article, we go through the numbers and the formula for calculating the ROI of security investments for your own company.
The real and hidden cost of a cyber attack
The goal of any business is to make money — cover the expenses and bring in the profits.
It can be difficult to see returns on your investment in cybersecurity when you are not a security professional with a deep understanding of the cybersecurity landscape.
The real ROI of security appears to be intangible or very hard to estimate. So how do you translate security investments into the language of profits and losses? We will debunk this claim later, but bear with us for now.
The positive and negative value of security
The so-called negative value of security — the state in which your business is safe from threats — makes the effort and funds spent look like sunk costs.
The actual value of good security becomes apparent during data leaks and security breaches, when companies end up losing far more money mitigating the incident than they would have paid for continuous security monitoring.
Validating the investment
The number of companies affected by cyber-attacks increases each year as criminals dodge and weave to avoid detection. This is an especially pressing issue today, with many people working from home on a BYOD (bring your own device) basis. 2020 also brought a 74% increase in never-before-seen malware, a 67% increase in malicious MS Office files, and a 66% increase in IoT malware attempts. And what do the numbers say about the actual losses caused by the lack of proper security?
According to the McAfee 2020 Threats report, of 1500 companies interviewed, only 4% claimed to have experienced no cyber incidents within the last year. The overall monetary losses caused by data breaches amounted to $945 billion. The total expenses on cybersecurity were predictably much smaller: $145 billion.
Phishing
Humans are easier to hack than machines, so phishing tops the list of the most common security incidents today:
- 74% of polled US companies experienced a successful phishing attack in 2020, according to the 2021 Report on Phishing Attacks.
- Phishing was also the cause of 22% of all breaches, according to Verizon’s 2020 Data Breach Executive Summary report.
Ransomware
Malicious encryption software comes second after phishing:
- Ransomware accounts for 23% of attacks, according to IBM.
- Security Magazine reports that ransomware increased by 62% globally in 2020 (158% increase in the USA!).
Indirect losses caused by security incidents
In addition to direct monetary losses, there is also the non-monetary cost of security incidents. It includes decreased morale, lost productivity, and wasted working hours after a security incident.
Brands affected by security incidents risk losing the trust of their customers. They are forced to spend much more on post-incident mitigation with the help of PR and marketing departments than they would need to spend on a Managed Detection and Response provider (MDR, a type of outsourced managed security service) to nip those issues in the bud. Facebook might have recovered from the Cambridge Analytica scandal, but what about all the Gen Z users who left the platform for good over privacy concerns?
Other non-obvious and seldom talked about costs and losses associated with security incidents are:
- Cost of economic espionage. The indirect impact of security breaches is hardly ever factored into the evaluation.
- Cost of lost opportunity. Colonial Pipeline paid a $5 million ransom, but what about the total cost to the economy from raised gas prices and missed opportunities?
- Cost of data privacy and compliance breaches. Fines and lawsuits arising from failing to comply with security regulations can result in billions of dollars in losses.
- Cost of theft and exposure of business information. Imagine the effects on your business if a customer database, content plans, budgeting, and strategic information were to leak out to a competitor.
- Cost of system downtime. Service unavailability during the breach, forensics, and mitigation may result in more significant losses than the data theft itself.
- Cost of remediation. A breach’s investigation and remediation typically require considerable resources, especially if security was overlooked or underfunded before the incident.
To prevent future attacks, companies eventually end up investing in security services and training after paying the hefty ransom and fines. This shows just how important prevention really is! Companies that take preventative measures against potential threats will end up saving themselves time and money down the road. There’s nothing worse than getting hit with an expensive ransom fee and fines that could have been prevented. Let’s get to the actual calculations now.
Calculating the cost of a breach and the ROSI
How do you calculate ROI and justify your cybersecurity budget? At first sight, the ROI on security (or ROSI — Return on Security Investment) doesn’t seem possible to put into exact numbers. However, it is possible to make a reasonable estimate and base the calculation on it, and we will guide you through this process shortly.
We’ve used the average numbers for the calculations, but you can input your data and calculate the ROSI for your business.
Please also note that this formula is only provided for a single attack and its effects. Multiple attacks have a multiplier effect, and security expert Bruce Schneier created a formula to calculate that. Still, it’s out of the scope of this article and spells out much more significant losses for the affected businesses.
The formula for calculating ROSI
The formula to calculate the return on security investment is derived from this standard ROI calculation:
ROI (%) = [ (GI – CI) / CI ] × 100
Here GI is the Gain from Investment and CI is the Cost of the Investment.
There are a couple of approaches you can take to apply this formula:
- Use GI as the cost of a cyber-attack when little to no security measures are in place, and CI as the cost of a cybersecurity solution such as an MDR service.
- Alternatively, start with the assumption that you need cybersecurity, and then compare the GI as the cost to execute in-house against the CI of costs to outsource to an MDR.
For this article, we’ll use approach #1.
Assumptions
For the sake of having initial data to work with, we’ll have to make a few rather bold assumptions and use industry-average numbers. But don’t worry; we’ll adjust the numbers at the end. Remember that you can run the same formula with your own numbers to get the most accurate results for your business.
Assumption #1. Phishing is your only worry
Obviously, this is not entirely true. According to the statistics above, as much as 22% of all your exposure could come from phishing scams. Plus, ransomware is becoming a more formidable threat than phishing alone.
Assumption #2. A phishing attack on the business has a 74% chance of success.
As we found out in the previous section, an average business with limited protection has a 74% chance of being hit by a successful phishing attack. The extent of your vulnerability may vary; security awareness onboarding and training usually result in a drop in that number.
Assumption #3. An MDR solution reduces risk by 97%.
We assume that a managed security service taking care of the security in your company almost eliminates the chances of a successful attack. So to be fair, we will add this 3% risk of a cyberattack to the cost of MDR service in our calculation.
Coming up with numbers
According to a study held in 2018, 71% of the US companies that participated in the research admitted to undergoing at least one data breach within the last few years, and 46% reported that within the previous 12 months, they experienced at least one security incident. So, we will be calculating the cost per year, with one security incident.
Depending on your industry and which study you read, data breaches can cost an enterprise anywhere between $1 million and $8 million. To get our baseline number for further calculations, we took the cost of mitigating a breach from studies by the Ponemon Institute: $3 million impact per incident without MDR (the average breach costs a company $3.92 million).
If this number seems too high, remember that we’re still talking about averages and generalizations. The actual cost of a security incident, even for an SME, can be much higher once we consider the fines for customer privacy breaches that violate GDPR, CCPA, HIPAA, or other major privacy regulations.
Calculation
Let’s get to work with the numbers and our formula now:
ROSI (%) = [ (GI – CI) / CI ] × 100
- No solution can claim 100% protection, so with the presumed 97% effectiveness of using an MDR service, we end up with a $90,000 impact with MDR (3 million x 0.03).
- The cost of MDR services can vary quite a bit depending on business size, users, network throughput, etc., but for our calculation, we will use an average price of $230,000. As a result:
Cost of cyber-attack (GI): $3,000,000 × 0.74 = $2,220,000
Total cost with MDR (CI): $230,000 + $90,000 = $320,000
Smaller businesses have a smaller risk footprint and generally lower MDR costs. As a result, the ROSI should hold true for different business sizes. Very large businesses would look at transitioning to an in-house “build” model as the cost reaches $2-3 million.
ROSI (%) = [ (GI – CI) / CI ] × 100
ROSI (%) = [ (2,220,000 – 320,000) / 320,000 ] × 100 = 594% ROSI
Even halving the financial risk produces a 297% ROSI – still an excellent return despite our very conservative assumptions.
Here we’ve only considered one breach, but we could scale this up by calculating the Annual Loss Expectancy (ALE) and assuming that at least one breach happens per quarter. The cost of proper security would still be calculated with the same formula, saving you twice the money. If your company has a track record of security incidents, you can calculate your security-related ALE and compare it to your security expenses.
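The calculation above, carried through in code as an added example (this is not part of the original article, and the function and parameter names are ours). It reproduces the single-incident figures from the Calculation section, scales the same inputs to an ALE by assuming several incidents per year, and adds a break-even helper that tells you the highest MDR price at which ROSI is still zero, which is the number to bring to a price negotiation with a provider. The residual 3% impact is charged to CI exactly as the article does, as breach cost × (1 − effectiveness), without the attack-probability factor.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RosiInputs:
    """Inputs to the single-incident ROSI formula: ROSI (%) = [(GI - CI) / CI] x 100."""
    breach_cost: float            # average cost of one successful breach with no MDR
    p_success: float              # chance an attack succeeds with little or no security
    mdr_effectiveness: float      # share of that risk the MDR service removes (0..1)
    mdr_annual_cost: float        # yearly price of the MDR service
    incidents_per_year: float = 1.0  # set above 1 to turn the per-incident figure into an ALE

    def __post_init__(self) -> None:
        # Guard against the classic spreadsheet mistake of typing 74 instead of 0.74.
        for name in ("p_success", "mdr_effectiveness"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be a fraction between 0 and 1, got {value}")
        if self.breach_cost < 0 or self.mdr_annual_cost < 0 or self.incidents_per_year <= 0:
            raise ValueError("costs must be non-negative and incidents_per_year positive")


def gain_from_investment(inp: RosiInputs) -> float:
    """GI: expected cost of attacks with no MDR = breach cost x P(success) x incidents."""
    return inp.breach_cost * inp.p_success * inp.incidents_per_year


def residual_impact(inp: RosiInputs) -> float:
    """Expected loss the MDR does not prevent (the article's '$90,000 impact with MDR')."""
    return inp.breach_cost * (1.0 - inp.mdr_effectiveness) * inp.incidents_per_year


def cost_of_investment(inp: RosiInputs) -> float:
    """CI: MDR subscription plus the residual impact it cannot prevent."""
    return inp.mdr_annual_cost + residual_impact(inp)


def rosi_percent(inp: RosiInputs) -> float:
    """Return on security investment in percent."""
    gi, ci = gain_from_investment(inp), cost_of_investment(inp)
    if ci <= 0:
        raise ValueError("cost of investment must be positive")
    return (gi - ci) / ci * 100.0


def break_even_mdr_price(inp: RosiInputs) -> float:
    """Highest MDR price at which GI == CI (ROSI = 0%); anything below it is a net saving."""
    return gain_from_investment(inp) - residual_impact(inp)


if __name__ == "__main__":
    # The article's numbers: $3M breach, 74% attack success, 97% effective MDR at $230k/year.
    article = RosiInputs(breach_cost=3_000_000, p_success=0.74,
                         mdr_effectiveness=0.97, mdr_annual_cost=230_000)
    print(f"GI (cost of attack):   ${gain_from_investment(article):,.0f}")
    print(f"CI (cost with MDR):    ${cost_of_investment(article):,.0f}")
    print(f"ROSI:                  {rosi_percent(article):.0f}%")
    print(f"Break-even MDR price:  ${break_even_mdr_price(article):,.0f}")

    # Same inputs as an ALE with one breach per quarter (constructed scenario).
    quarterly = RosiInputs(breach_cost=3_000_000, p_success=0.74, mdr_effectiveness=0.97,
                           mdr_annual_cost=230_000, incidents_per_year=4)
    print(f"ROSI, 4 incidents/yr:  {rosi_percent(quarterly):.0f}%")
```

Replace the constructed inputs with your own breach-cost estimate, measured attack-success rate and quoted MDR price to get a figure for your business; the break-even value is the ceiling at which the service stops paying for itself under those assumptions.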
A different approach to calculating the ROSI was taken in this article. Their formula yielded an 1140% security ROI — use this information to show your managers as they work on the budget.
Conclusion
A security budget allocated correctly brings enormous returns on investment. The best part — you don’t need to hire and train an on-site security team to secure your organization. You can hire an external MDR provider like DruvStar. DruvStar’s Managed Detection and Response service protects your business with a security operations center of highly skilled people utilizing AI and industry-leading tools to constantly safeguard every facet of your IT infrastructure across every environment.
With your own risk assessment model, you can estimate the chances of being breached by a cyber-attack and then assign a cost to each of the items in the formula. The calculation enables you to arrive at an acceptable price with your MDR provider — the one that aligns with your risk assessment and exposure footprint.
One of the most valuable investments a small or medium-sized business can make is in an MDR service. You gain the benefit of a dedicated and experienced security team without having to hire and train an in-house team, which could end up costing you more.
How DruvStar Can Help
Our MDR service provides several important features that go beyond the scope of many standard MDR solutions, including:
- 24/7 monitoring by a team of dedicated security experts
- incident response and escalation in line with the NIST cybersecurity standard
- vulnerability management to help uncover configuration and credential exposure risks that endanger your digital assets and sensitive data
- comprehensive visibility through unlimited log access and event data
- cloud monitoring to identify cloud risks and simplify cloud security
- SIEM technology included, which essentially makes it two solutions in one
- compliance reporting capabilities
Contact us today to learn more about how we can help your business improve its information security posture.