
Adopting a cost-benefit analysis approach to cybersecurity


Cybersecurity is a volatile, complex arena. The digital landscape has never been more hostile, and recent changes to the way we work have introduced risks that all organizations need to understand and deal with.

The working world has evolved rapidly since March 2020, and technology has been instrumental in facilitating our new hybrid working lives. But as our working patterns have changed, hackers have seized the opportunity to target us with increasingly sophisticated and damaging cyberattacks.

IT Managers recognize that they need to adapt their cybersecurity postures to protect their organizations, and that this involves investment. However, board buy-in for this investment can be difficult to obtain if board members see cybersecurity as an optional cost rather than a necessary one.

If this resonates with you, a cost-benefit analysis approach to cybersecurity may well be the best way to get your board on-board. In this article we’ll take a look at the key cybersecurity threats facing organizations in 2021, and explain how a cost-benefit analysis approach is the best way for IT Managers to get the investment they need to address them.

Key cybersecurity threats in 2021

The massive increase in remote working we’ve experienced in the past 18 months has not gone unnoticed by hackers, who have evolved their tactics to take advantage of increased attack surfaces as users have been forced to work from outside their secure corporate networks. Amongst the cyberthreats we face, three reign supreme – phishing, ransomware, and business email compromise attacks:

Phishing emails are sent by hackers, and they pretend to be from someone the recipient trusts like their bank or a colleague. Their goal is to convince the victim to do something which the hacker can use to their advantage, such as click on a link to a malicious website or provide login and other personal details. Phishing emails are one of the main methods hackers use to deploy ransomware and business email compromise attacks.

Business email compromise attacks target employees within an organization by sending emails that fraudulently mimic senior colleagues or trusted clients. The emails use social engineering techniques to issue illicit instructions, such as approving payments to hackers’ bank accounts or releasing confidential client data that can be leaked on the Dark Web.

Ransomware’s primary aim is to extort money from the organizations and individuals it infects. It achieves this by encrypting files on affected machines and any storage connected to them, rendering them unusable, and increasingly by also threatening to leak stolen confidential information onto the public internet. Once files have been encrypted, the user is notified and asked to pay money, typically in cryptocurrency, in order to obtain a key that will decrypt the files.

In order to protect your organization from these malicious threats, you will need to make sound cyber-investments that will minimize risk as far as possible. Let’s take a look at how you can get buy-in for these investments.

A cost-benefit analysis approach to cybersecurity

A cost-benefit analysis is a method used to evaluate a project by comparing its losses and gains — essentially a quantified and qualified list of pros and cons. Undertaking a cost-benefit analysis is a great way to assess projects, because it reduces the evaluation complexity to a single figure. As you can imagine, this makes a cost-benefit analysis an invaluable tool when it comes to explaining the specifics and selling the value of a robust cybersecurity strategy to your board.

One of the most important things to emphasize in your cost-benefit analysis is the trade-off between paying to prevent a mess versus paying to clean up a mess. A recent Cabinet Office report stated the estimated cost of cybercrime to the UK economy is a whopping £27 billion. 

And when it comes to individual attacks, a Sophos survey in April 2021 found that the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021.

Of course, investing in preventative cybersecurity measures also comes at a cost. Research firm Gartner forecast that global spending on information security and risk management services will reach $150.4 billion in 2021 – an increase of 12.4 percent from 2020.

In this context, one thing remains front and center: for almost all organizations, the cost of prevention pales in comparison to the cost incurred by a successful cyberattack. So how do you apply a cost-benefit analysis to get board buy-in for your cybersecurity strategy?

How to adopt a cost-benefit analysis approach

Adopting a cost-benefit analysis approach is all about determining the risks you are willing to accept and comparing the costs of those risks against the benefits. This involves thinking about the direct and indirect risks you face, as well as the direct and indirect costs that could arise as a result of taking these risks. Examples of these include:

Direct costs like ransom payments, or expenditure associated with identifying, mitigating and quarantining a threat.

Indirect costs like downtime, operational disruption, reputational damage, time and internal resources, and legal and non-compliance fees.

It’s helpful to think about both direct and indirect factors when applying a cost-benefit analysis approach. For instance, you might compare:

The cost of business income disruption (direct) and lost productivity (indirect) due to a ransomware attack weighed up against the cost of preventing a data breach by investing in a ‘defence-in-depth’ cybersecurity approach.

The cost of operational disruption (direct) and a decrease in future revenues (indirect) weighed up against the cost of preventing an attack by investing in building an in-house team.

Adopting a cost-benefit analysis approach when speaking to your board involves coming up with options that you could undertake to achieve your project’s objectives — so you’ll want to keep breaking things down and playing with various risks, costs and outcomes.
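As an added worked example (not part of the article and not material from Six Degrees), the following Python script turns the comparison described above into a small model: each threat carries a direct and an indirect cost of one incident plus an assumed annual likelihood, each option carries an annual cost and an assumed fraction of that likelihood it removes, and the script ranks the options by net benefit while also flagging which ones keep residual expected loss inside a chosen risk appetite. The only figure taken from the article is the $1.85 million average ransomware recovery cost; the split of that figure into direct and indirect parts, the likelihoods, option costs, reduction percentages and the risk appetite are all constructed placeholders. The method of multiplying likelihood by single-incident loss is the standard annualized-loss-expectancy calculation, which the article does not name.

```python
"""Cost-benefit comparison of cybersecurity options (added example).

Every figure below except the $1.85M ransomware recovery cost quoted in the
article is a constructed assumption for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Threat:
    name: str
    annual_likelihood: float   # assumed probability of >= 1 successful incident per year
    direct_cost: float         # ransom, incident response, quarantine (direct)
    indirect_cost: float       # downtime, lost productivity, reputation, legal (indirect)

    def single_loss(self) -> float:
        return self.direct_cost + self.indirect_cost

    def expected_annual_loss(self, likelihood_scale: float = 1.0) -> float:
        # Expected loss per year = (possibly reduced) likelihood x cost of one incident
        return self.annual_likelihood * likelihood_scale * self.single_loss()


@dataclass
class Option:
    name: str
    annual_cost: float
    # Fraction of each threat's likelihood the option removes (assumed per option)
    likelihood_reduction: Dict[str, float] = field(default_factory=dict)

    def residual_scale(self, threat: Threat) -> float:
        return 1.0 - self.likelihood_reduction.get(threat.name, 0.0)


def total_expected_loss(threats: List[Threat], option: Optional[Option] = None) -> float:
    """Sum of expected annual losses, before (option=None) or after an option."""
    return sum(
        t.expected_annual_loss(option.residual_scale(t) if option else 1.0) for t in threats
    )


def net_benefit(threats: List[Threat], option: Option) -> float:
    """Expected loss avoided by the option minus what the option costs per year."""
    avoided = total_expected_loss(threats) - total_expected_loss(threats, option)
    return avoided - option.annual_cost


def rank_options(threats: List[Threat], options: List[Option]) -> List[Tuple[str, float, float]]:
    """Return (option name, net benefit, residual expected loss), best net benefit first."""
    rows = [(o.name, net_benefit(threats, o), total_expected_loss(threats, o)) for o in options]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def within_appetite(threats: List[Threat], option: Option, appetite: float) -> bool:
    """True if the residual expected annual loss is at or below the accepted risk level."""
    return total_expected_loss(threats, option) <= appetite


# Constructed sample register. Ransomware direct + indirect = $1.85M (article's Sophos figure);
# the split and the likelihoods are assumptions.
THREATS = [
    Threat("ransomware", annual_likelihood=0.10, direct_cost=850_000, indirect_cost=1_000_000),
    Threat("bec", annual_likelihood=0.30, direct_cost=150_000, indirect_cost=50_000),
]

# Constructed options; costs and reduction fractions are assumptions.
OPTIONS = [
    Option("Do nothing", annual_cost=0),
    Option("Defence-in-depth programme", annual_cost=120_000,
           likelihood_reduction={"ransomware": 0.70, "bec": 0.50}),
    Option("Build in-house SOC team", annual_cost=400_000,
           likelihood_reduction={"ransomware": 0.80, "bec": 0.80}),
]

RISK_APPETITE = 100_000  # assumed maximum residual expected annual loss the board accepts


def main() -> None:
    print(f"Baseline expected annual loss: ${total_expected_loss(THREATS):,.0f}")
    for name, benefit, residual in rank_options(THREATS, OPTIONS):
        option = next(o for o in OPTIONS if o.name == name)
        ok = "yes" if within_appetite(THREATS, option, RISK_APPETITE) else "no"
        print(f"{name:28s} net benefit ${benefit:>12,.0f}  residual ${residual:>10,.0f}  in appetite: {ok}")


if __name__ == "__main__":
    main()
```

With these placeholder inputs the cheaper defence-in-depth option has a positive net benefit, doing nothing has a net benefit of zero but leaves residual loss well outside the risk appetite, and the in-house team reduces risk the most yet costs more than the loss it avoids. Swapping in your own likelihoods and cost estimates is the point of the exercise: the structure stays the same while the numbers drive the board conversation.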

Getting the board on-board

Risk management is all about managing uncertainties. When it comes to preventing costly cyberattacks, it’s hard to avoid the conclusion that there is significant value in investing in cybersecurity measures now in order to avoid paying a higher price later.

The good news is that today’s executives report being more open to new cybersecurity strategies than ever before. In 2020, 50 percent of executives said that they were willing to consider cybersecurity as a factor in every business decision (compared to only 25 percent the previous year). Use this as an opportunity to build foundations that will help create a sustainable and safe future.

Phil Atkin, Sales Director - Cybersecurity, Six Degrees

Phil Atkin is Sales Director - Cyber Security at Six Degrees, a leading secure cloud-led managed service provider that works as a collaborative technology partner to organizations making a digital transition.