Pervasive and costly cyber attacks are the new normal for all businesses. According to the IBM Cost of a Data Breach Report 2023, 83% of surveyed organizations had experienced more than one data breach.
In this new reality, organizations are recognizing that minimizing breach damage is just as important as breach prevention. As a result, security leaders and the senior leadership team that holds buying authority are looking at cybersecurity investments through new and sometimes conflicting lenses.
Security leaders, focused on defense-in-depth strategy, continuously seek solutions to wrangle their organization’s ever-evolving attack surface, and vet technical solutions accordingly. On the other hand, business-focused stakeholders, conscious of mounting cybersecurity investments, are using new criteria to approve or authorize security purchases.
The recent Change Healthcare ransomware attack is an extreme example of the polarity of cybersecurity investments and their ultimate value, particularly when factoring in breach costs.
With more than $3 billion in revenue, Change Healthcare is one of the nation’s largest healthcare payment management providers. The company handles billions of transactions and sensitive patient data across the U.S. healthcare system. Undoubtedly, Change Healthcare would employ a comprehensive cybersecurity tech stack to guard against threats and have an expansive team of security professionals to manage it.
Yet the Change Healthcare breach is projected to be one of the most damaging ransomware attacks on the U.S. healthcare industry with a confirmed $22 million ransomware payment and a recovery bill projected to cost more than $1 billion.
Ransomware attacks are complex, but they’re often initiated using rudimentary or low-tech techniques. In the case of the Change Healthcare attack, it’s been reported that compromised credentials allowed attackers to remotely access a Change Healthcare Citrix portal that wasn’t protected by multi-factor authentication (MFA).
Despite millions of dollars in cybersecurity tools and resource investments, basic attack techniques are leading to expensive incidents.
Justifying New Cybersecurity
Investments for Breach Prevention
Ensuring and maintaining a robust defense-in-depth strategy requires staying ahead with new technology investments, especially given the rising sophistication of attackers and the ineffectiveness of many standard detection and response tools against ransomware and the rudimentary techniques that they’re using for primary access.
For most organizations, cybersecurity leaders must navigate the reality of limited resources and budgets. Now, not only do they need to justify the security benefits of new technologies but also demonstrate a positive return on security investment (ROSI) for these investments for their business-focused stakeholders.
According to Gartner, IT budgets are increasing, with software spending projected to grow by 13.7% and IT services spending expected to rise by 8.8% in 2024.
Yet, while budgets grow, the purchasing process is changing. For example, today’s security leaders face new purchasing barriers that go beyond technical vetting and require making a business case, which justifies the spending while defining the likelihood of a breach event occurring.
The IBM Cost of a Data Breach Report 2023 revealed that the average cost of a data breach across all industries soared to $4.45 million — a paltry figure when compared to Change Healthcare breach costs, but still a figure that can be business-altering or worse, business-ending for most organizations.
However, the U.S. average cost of breach is significantly higher at $9.48 million. Recovery costs vary widely and include service disruptions, system downtime, financial losses, compliance penalties and legal fees.
Despite clear risks and real-world headlines, stakeholders with a business-oriented mindset may remain skeptical of generalized breach probabilities, as they may not accurately reflect their organization’s specific risk profile. Metrics and standardized tools offer a quantitative means to evaluate the investment in new technologies while aligning it with anticipated risks.
Applying Annual Loss
Expectancy to Quantify Risk
Annual Loss Expectancy (ALE) is actively used in risk assessments and is gaining traction in cybersecurity investment decision-making. ALE quantifies the potential financial ramifications of security investments over a defined timeframe.
ALE is a methodology that aids in the identification and prioritization of security threats by assigning a tangible monetary value to anticipate the annual costs associated with specific security breaches. It helps security leaders build a robust business case around potential technology investments, especially when there may be a perceived overlap or redundancy in existing technologies or investments.
This post was originally published on 3rd party site mentioned in the title of this site
