Evaluating Financial Aspects of Cybersecurity


By VARINDIA - 2023-10-31

By Harish Kumar GS, Head of Sales, India and SAARC, Check Point Software Technologies

 

Despite its countless benefits, the internet can be a hostile place for business. As organizations continue to expand their digital footprints, moving workloads into the cloud and growing their network of devices, they leave themselves vulnerable to a rapidly evolving cyber threat landscape.

 

Gartner’s number one cybersecurity trend of 2022 was “attack surface expansion” – organizations increasing their digital presence to leverage new technologies and facilitate remote and hybrid working. As of 2023, almost 13% of full-time employees work from home, with over 28% working a hybrid model. At the same time, according to Check Point’s Threat Intelligence Report, an organization in India has been attacked on average 2146 times per week over the last 6 months, compared to 1239 attacks per organization globally.

 

In this connected world, innovation breeds risk – and in order to capitalize on innovation in a financially responsible way, that risk needs to be carefully managed. The problem is that cyber threats are moving targets, with countless variables that can be difficult to quantify. That means the efficacy of any cybersecurity solution is hard to measure. One of the pivotal metrics that has emerged in recent years is the “catch rate” of security solutions. But what exactly does this rate signify, and how does it translate to the broader financial landscape of an organization?

 

Demystifying catch rates

At its core, the catch rate of a security solution offers a quantifiable measure of its capacity to detect and deal with various cyberattacks. These rates are typically awarded by independent test labs, providing an unbiased assessment of a solution's performance. For instance, if a security solution boasts a catch rate of 95%, it signifies its efficacy in detecting and neutralizing 95% of all cyber threats during its testing phase. However, this also leaves a residual risk of 5% that organizations need to be aware of.

 

This 5% “exposure” may not seem significant at first glance, but the financial ramifications can be profound. By combining data from various sources, such as the IBM 2023 Cost of a Data Breach Report and insights from Check Point Research, the cost of residual risk becomes clearer.

 

Measuring exposure to risk

Let’s consider phishing as an example. The number of phishing attacks rose by 47% in 2023 alone, with the US and the UK the top two targeted countries, and research suggests that 90% of successful data breaches begin with a spear phishing attack. According to recent reports, phishing attacks have surged in India in 2023. Around 30 million individuals in India are susceptible to phishing attacks, with an estimated 500,000 individuals at risk of falling victim to scammers, as reported by Tanla Platforms.

 

Spear phishing is a targeted campaign where the attacker customizes the deceptive message to mirror a specific individual or organization, often using personal details to make the attack more convincing. While phishing casts a wide net to entrap any unsuspecting victim, spear phishing is aimed directly at a chosen target with a tailored lure.

 

Now consider an organization that faces 1,258 phishing attempts every week. With a 16% attack frequency, this amounts to 201 potential breaches. The average cost of a successful attack, as reported by IBM, currently stands at $4.76 million. If we factor in the click probability, which currently stands at 18% for trained employees and 35% for those untrained, the financial implications of the residual risk are huge.

 

We can calculate the probable cost of the remaining risk using the following sums:

 

● Cost of customer risk per breach: Avg cost per breach * Remaining risk

● Number of phishing events per week: (Attacks per week * Attack frequency) * Remaining risk

● Probability of trained employee clicking on phishing event: Number of phishing events * Click probability

● Cost of remaining risk per week: Cost of customer risk per breach * Probability of employee clicking on a link

 

If we apply these calculations to the typical scenario outlined above, the difference in the “weekly cost of residual risk” for a 5% residual risk versus a 10% residual risk is stark: $431,000 versus $1.72 million. That means that extra 5% could cost an additional $1.3 million in terms of risk.
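The four formulas above, carried through with the article's inputs, as an added example that is not part of the original article. The function and parameter names are illustrative assumptions; the article's $431,000 and $1.72 million figures correspond to the 18% click probability for trained employees.

```python
"""Weekly cost of residual risk, following the article's four formulas.
Function and parameter names are illustrative, not from the article."""

AVG_COST_PER_BREACH = 4_760_000   # USD, IBM figure quoted in the article
ATTACKS_PER_WEEK = 1258           # phishing attempts per week (article)
ATTACK_FREQUENCY = 0.16           # article's "attack frequency"
CLICK_TRAINED = 0.18              # click probability, trained employees
CLICK_UNTRAINED = 0.35            # click probability, untrained employees


def weekly_residual_cost(catch_rate, click_probability,
                         attacks_per_week=ATTACKS_PER_WEEK,
                         attack_frequency=ATTACK_FREQUENCY,
                         cost_per_breach=AVG_COST_PER_BREACH):
    """Return the article's 'cost of remaining risk per week' in USD."""
    for name, p in (("catch_rate", catch_rate),
                    ("click_probability", click_probability),
                    ("attack_frequency", attack_frequency)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {p}")
    remaining_risk = 1.0 - catch_rate
    # Cost of customer risk per breach
    cost_of_risk_per_breach = cost_per_breach * remaining_risk
    # Number of phishing events per week that get past the solution
    phishing_events = attacks_per_week * attack_frequency * remaining_risk
    # Expected number of those events an employee clicks on
    expected_clicks = phishing_events * click_probability
    # Cost of remaining risk per week
    return cost_of_risk_per_breach * expected_clicks


def comparison_table(catch_rates=(0.99, 0.95, 0.90)):
    """Rows of (catch_rate, trained_cost, untrained_cost), rounded to USD."""
    return [(cr,
             round(weekly_residual_cost(cr, CLICK_TRAINED)),
             round(weekly_residual_cost(cr, CLICK_UNTRAINED)))
            for cr in catch_rates]


if __name__ == "__main__":
    print(f"{'catch rate':>10} {'trained':>14} {'untrained':>14}")
    for cr, trained, untrained in comparison_table():
        print(f"{cr:>10.0%} {trained:>14,} {untrained:>14,}")
```

Because the remaining risk enters the calculation twice (once in the cost per breach and once in the number of events), doubling it from 5% to 10% quadruples the weekly figure rather than doubling it.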

 

The importance of catch rates

Considering the cost of ‘risk’, organizations need to evaluate catch rates carefully when choosing cybersecurity solutions and partners. As with any financial investment, they need to measure their exposure to the market. In other words, how likely their cybersecurity solution is to fail, what it might cost, and whether those costs can be weathered. 

 

The problem is that catch rates have typically been downplayed. Perhaps that is because they are not understood by CIOs or CTOs, or perhaps it is because it is simply not in the best interests of cybersecurity vendors to disclose them. There is currently no legislation mandating that vendors be upfront about their solutions’ catch rates, but organizations are always free to ask and listen carefully to the response.

 

Beyond the catch rates

While catch rates can be a crucial metric, cyber risk management is of course a multifaceted endeavor. It requires close communication between various stakeholders including employees, supply chain partners, banks, insurance companies, and even governments. Each entity in this ecosystem has a role to play, and their actions or inactions can have cascading effects.

 

Some of these stakeholders and variables are beyond the control of organizations. They can train their teams, choose their cybersecurity partners wisely (factoring in catch rate), and have the right insurance options in place, but they cannot control everything.

 

Additional steps that organizations can take to fortify their cyber defenses include:

 

● Embracing a Zero Trust Architecture: This approach operates on the principle of “mistrust by default”, ensuring rigorous verification for every access request, irrespective of its source.

 

● Optimizing Business Processes: By integrating security measures into their core processes, organizations can minimize vulnerabilities.

 

● Engaging with MSSPs: Managed Security Service Providers bring to the table specialized expertise and resources that can bolster an organization's security framework.

 

● Prioritizing Training: Employees can be a formidable first line of defense if adequately trained. Recognizing threats, especially in domains like phishing, can drastically curtail risks.

 

In Conclusion

Cybersecurity can feel like a chess game, with numerous variables in play. Metrics such as catch rates are important and offer valuable insights into the efficacy of a solution, but they are just one piece of a much larger puzzle. By using that measurement as part of a holistic approach to cyber risk management, organizations can not only safeguard their digital assets but also ensure their financial stability in the face of ever-evolving cyber threats.
