Cybercrime pays. In the 2019 study Securing the Digital Economy: Reinventing the Internet for Trust, Accenture claimed that “in the private sector, over the next five years companies risk losing an estimated US$5.2 trillion in value creation opportunities from the digital economy…to cybersecurity attacks.” While the paper did not provide an estimate for how much cybercriminals might gain from their illicit activities, it’s easy to presume that the amount is substantial, considering how colossal $5.2 trillion is.
Additionally, in its Ninth Annual Cost of Cybercrime Study, Accenture claimed that the average cyberattack could make a business lose nearly $10 million due to information loss and business disruptions. Clearly, there’s an incentive to spend on cybersecurity solutions, but how would you know that you’re getting what you pay for?
The problem with the iterative approach
When it comes to cybersecurity strategy, taking on solution after solution as threats emerge works only in the short term. In time, this iterative approach makes your cyber defenses increasingly hard to manage, because you’ll have too many tools raising too many alarms and sending you too many bills.
What you need is a structured risk management framework
To get the full value of your cybersecurity solutions, you need to take a step back and reassess your entire strategy. Recenter it on two primary costs, namely how much your business stands to lose (in terms of information loss and business disruptions) and how much it would cost to mitigate the damages a cyberattack would cause. In short, cybersecurity spending becomes a function of risk management.
Viewing cybersecurity in this manner means quantifying risks in terms of monetary loss and the probability of them happening, then prioritizing accordingly. For instance, if your company handles protected health information (PHI), you need to dedicate substantial resources to protecting it. This is because:
- HIPAA mandates that you 1) secure PHI so that only authorized parties can access it and 2) ensure its availability, since such information may be pertinent to quality of life or may even be life-saving. Breaking HIPAA rules could mean paying heavy fines.
- Lost or compromised PHI could make your company liable for damages.
- Botching cybersecurity efforts for PHI could mean lost goodwill and a tarnished reputation.
- Losing electronic PHI that doesn’t have any digital backups would mean having to go back to using paper records, which is time-consuming and cost-inefficient.
- Employees and third-party partners may mishandle PHI.
- Healthcare providers have increasingly been targeted by cybercriminals.
Determine the ROI of your cybersecurity solutions
Return on investment is simply the ratio between the benefit you derived from an investment and how much it cost you to make that investment. However, applying the concept of ROI to cybersecurity solutions is not so simple because the benefit derived from cybersecurity is not strictly a gain but rather the reduced probability of loss.
Let’s visualize with a Cartesian graph. Normally, as the amount you stand to lose increases (this is plotted on the X-axis), the probability of losing that amount decreases (this is plotted on the Y-axis). For instance, in a population of 1,000 people who own both a cell phone and a car, there would be more people who accidentally drop their phones than there are victims of car theft.
Different types of cybersecurity risks can be plotted graphically in the same way. For example, you might be more prone to ransomware attacks that only cost you a few Bitcoins. Compared to this, the risk of losing proprietary intellectual property to corporate espionage may be lower, but such a loss would turn your R&D spending into a sunk cost and may also make you lose future earnings if rivals reach the market with your product first.
“In the private sector, over the next five years companies risk losing an estimated US$5.2 trillion in value creation opportunities from the digital economy — almost the size of the economies of France, Italy, and Spain combined — to cybersecurity attacks.” — Accenture
However, beyond the benefit of reduced probability of loss, there is your risk tolerance to consider. To illustrate, a person can save up to replace the cracked touchscreen of a phone they dropped and have it repaired immediately. Therefore, it’s easier to take on the risk of dropping your phone instead of paying for extended insurance on it, especially if you factor in the hassle involved in claiming on the policy. But when it comes to your car, it’s much harder to replace it with your own funds. This is why you’ll want to pay your insurance premiums and pass the risk to your insurance provider.
With regard to cybersecurity solutions, determining their ROI means looking at how much they decrease the probabilities of losing productivity and having to spend on data recovery efforts, regulatory fines, and other costs, especially if your company couldn’t bear such costs.
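The calculation described above can be carried through on a small risk register. The following is an added example, not part of the original article: the $1.6 million phishing loss is the figure the article cites, while every probability, control cost, the other loss amounts and the tolerance threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    loss: float          # cost of one incident, in dollars
    p_before: float      # annual probability without the control (constructed)
    p_after: float       # annual probability with the control (constructed)
    control_cost: float  # annual cost of the control (constructed)

    @property
    def benefit(self) -> float:
        # The benefit is not a gain but the reduction in expected annual loss.
        return self.loss * (self.p_before - self.p_after)

    @property
    def roi(self) -> float:
        # Ratio of benefit to cost, as the article defines ROI.
        return self.benefit / self.control_cost


def prioritize(risks, tolerance):
    """Rank risks: losses the business cannot absorb first, then by ROI."""
    rows = []
    for r in risks:
        exceeds = r.loss > tolerance  # one incident costs more than we can bear
        # Accept a risk only if we could self-fund the loss AND the control
        # costs more than the expected loss it removes.
        decision = "treat" if exceeds or r.roi > 1 else "accept"
        rows.append((r.name, round(r.roi, 2), exceeds, decision))
    return sorted(rows, key=lambda row: (not row[2], -row[1]))


# Constructed register; only the phishing loss comes from the article.
REGISTER = [
    Risk("phishing-led breach", 1_600_000, 0.30, 0.05, 60_000),
    Risk("ransomware (small demand)", 40_000, 0.40, 0.30, 15_000),
    Risk("IP theft via espionage", 8_000_000, 0.02, 0.01, 120_000),
]
TOLERANCE = 500_000  # largest single loss the business could self-fund

if __name__ == "__main__":
    for row in prioritize(REGISTER, TOLERANCE):
        print(row)
```

The espionage row shows the risk-tolerance point: its ratio is below 1, yet it is still treated (mitigated or transferred) because a single incident exceeds what the business could absorb.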
To illustrate, Graphus’s cloud email security solutions protect against phishing. According to the 2019 Data Breach Investigations Report by Verizon, phishing is the leading cause of data breaches globally, and this type of cyberattack costs mid-sized companies a whopping $1.6 million on average to handle. In short, our products address a problem that has a high probability of occurrence and can cost businesses dearly as well.
To help you figure out the ROI of our products, consult with our experts and try our solutions for FREE for 14 days!