Cyber Security Can Bring Triple Digit Returns. Why Aren’t More Companies Investing?

A deep dive into the spending and practices of leading organizations reveals a detailed cyber security blueprint to help companies target their efforts.
By: | July 2, 2020

Companies tightening their belts to endure the pandemic may want to rethink cuts on cyber security, both because the sudden jump into a digital work environment has increased cyber risk and because the returns on cyber security investments are significant.

Headlining the results of its cyber security study released June 18 was ESI Thoughtlab’s finding that the average return on cyber security investments among the 1,009 companies it surveyed was 179%.

The biggest ROI, at 271%, came from training people to deal with cyber threats, followed by a 156% jump from securing business processes, and 129% from investing in relevant technology.

The ROIs tend to be most attractive for companies just starting to bolster cyber security.

Nevertheless, the threat is significant across the board, resulting in $4.1 billion in losses over the year before the survey was conducted (between November 2019 and January 2020). The losses stemmed from 28,100 successful breaches.

Digging Deeper into the Results

The study surveyed a wide range of companies, with 18% generating less than $1 billion in revenues, 6% over $50 billion, and a plurality — 40% — generating more than $10 billion, evenly split between 13 industries.

Study participants reported one in three attack attempts resulting in a successful breach and spending an average of $9.6 million on cyber security, or $515 per employee.

Leaders in terms of “cyber security maturity” spent the most, at $618 per employee, compared to $473 per employee for what Philadelphia-headquartered ESI terms “beginners.”

Lou Celi, CEO, ESI Thoughtlab

The study, titled “Driving Cybersecurity Peformance: Improving results through evidence-based analysis,” noted that the current pandemic has “fast-tracked digitalization” as businesses rely on remote working, e-commerce, cloud platforms, and other technology-enabled solutions.

“As a result, cyber risks will become more pervasive and complex, while cyber security effectiveness and resilience will become levers of competitive advantage,” according to the study’s authors.

Cyber Security Already at Play for Respondents

To determine the cyber security maturity of companies participating in the survey, explained Lou Celi, CEO of ESI, the research firm took a three-pronged approach.

First, it analyzed companies’ progress implementing NIST (National Institute of Standards and Technology) Cybersecurity Framework policies to mitigate cyber risk.

However, Celi said, “Our study shows that just complying with the framework doesn’t necessarily provide the best results,” since self-assessments may lack objectivity, and externally available data may not tell the whole story.

Consequently, he added, the study also took into account companies’ records in terms of thwarting breaches, finding that successful ones were often but not necessarily advanced in implementing the NIST Framework.

ESI also incorporated Verizon’s cyber risk ratings that are based on externally observable data that the telecom giant collects in partnership with BitSight to test the security of companies’ websites and other digital assets, Celi said.

“We looked at which companies we doing well in all three of those measures and what they were doing differently than the others,” Celi said.

That enabled ESI to generate a well-rounded list of corporate cyber security leaders’ best practices:

  • Continuous improvement. Leaders spend about 25% more than others on cyber security per employee and invest more in recruiting specialists, working with consultants, and training, such as end-user security awareness training with simulated phishing.
  • Cyber hygiene a priority. Leaders have the lowest percentage of unpatched “critical” or “high” vulnerabilities and they do more frequent backup restoration drills, IT infrastructure scans, and phishing tests.
  • Management focused and aligned. The heads of cyber security typically report to the CEO, COO, or board of directors. Chief information security officers (CISOs) in 75% of leading companies focus more on security than IT and play a bigger role in digital transformation, managing data privacy, and operational resiliency. Two executives are more likely to share responsibility for cyber security.
  • Focus on analytics and specialized teams. More than eight out of 10 leaders conduct cyber risk scenario analysis, assess the financial impact of risk events, and measure the effects of mechanisms to mitigate cyber risks. They also outsource incident response, red team, risk management, and security operations more often.
  • Effective technology use. Leaders invest more in — and get greater effectiveness from — key cyber security technologies, including cloud workload security, endpoint detection, mobile device management, deception technology, email filtering, multi-factor authentication, firewalls and web filtering.
  • Risk transfer. Fifty-seven percent of leaders have cyber insurance coverage exceeding $10 million, versus 30% of non-leaders. Overall, 60% of respondents plan to spend more on insurance over the next two years.

Utilizing the Roadmap

Robert Rosenzweig, national cyber risk practice leader at Risk Strategies, noted that every company faces different cyber security threats, but the study provides insight into where they are investing.

“Understanding what peers are doing and where there’s ROI is important,” Rosenzweig said, noting the study “aligns with where we’re seeing the claims activity in the marketplace.”

He added that as cyber insurance premiums start to rise and underwriters become more discerning and ask more pointed questions, the study provides a roadmap for corporate peers’ cyber security priorities, potentially preempting insurer inquires into areas such as employee training and whether the company has multi-factor authentication.

“Those are the types of questions carriers will insist on as the pendulum starts to swing the other way and they have bit more leverage in the transaction,” Rosenzweig said.

Cyber Security in the Age of COVID

Companies in the study increased their investment in cyber security by 12% in 2019 and anticipated at 14% increase in 2020.

The COVID-19 pandemic may reduce that spending, Rosenzweig said, noting Gartner’s June 17 announcement that information-security spending is expected to grow 2.4% in 2020, down significantly from the 8.7% increase it projected in December 2019.

Consequently, companies will have to choose their technology wisely, as the work-from-home environment prompts the need for new or replacement technology.

Mike Convertino, CSO at Arceo, one of several companies with cyber security expertise enlisted by ESI to its advisory board, said the need for security in remote work will push companies to shift away from virtual private networks (VPNs).

VPNs give connecting PCs a broad view of everything on the network, even if users can’t log on to them, “and that’s a danger because [the PC user] will see servers they don’t have permission to log on to,” said Convertino, the former CISO of Twitter, Crowd Strike and F5 Neworks.

Newer technology that replaces VPNs requires permissions to view and access specific network services, such as the company’s financial database, and Convertino said companies may be shifting funds toward these solutions and away from VPNs.

The sheer number of employees now connecting remotely means many companies must both increase remote log-on systems’ capacity and implement software to protect remote PCs that are vulnerable.

“We’ve also seen an increasing number of companies developing programs to teach employees how to harden home networks and protect them — updating software on the router, using accounts that don’t have administrative rights to prevent installation of malicious software, and the like,” Convertino said.

“For example, putting your kid’s gaming system on a different network, such as the ‘guest’ network, instead of the one you use for work.” &

John Hintze is a freelance writer who can be reached at [email protected].

More from Risk & Insurance