If you’re struggling to get buy-in from your department leaders on the cyber security investments you need to make, it may be time to adopt a cost-benefit analysis approach.
If there’s one thing you can be sure of when it comes to cyber security, it’s that you can never be sure of anything. The cyber security landscape has never been more hostile or complex, and changes to the working world brought about by COVID-19 have introduced risks that all organisations need to mitigate.
The hybrid working world of 2022 looks very different to the office-centric world we left in 2020, and technology has been instrumental in facilitating our new hybrid working lives. But as our working patterns have changed, so have the threat vectors through which hackers can target us to launch damaging cyber-attacks.
In order to protect ourselves and our organisations, we need to adapt our cyber security postures accordingly. This involves investment. But buy-in for this investment can be difficult to obtain if your department leaders see cyber security as a cost they could do without – or if they believe they lack the budget to address the issue in the first place.
If this is something you are struggling with today, the best way to get your department leaders on-board may well be to present cyber security challenges through a cost-benefit analysis approach. In this blog we’ll take a look at the true cost of cyber-attacks, and explain how a cost-benefit analysis approach is the best way to get the investment you need to address them.
The True Cost of Cyber-Attacks: Key Areas to Consider
When calculating the cost of cyber-attacks to departments, there are typically three areas that are measured: cost to fix, productivity loss and reputational damage. We’ll run through these one at a time.
- Cost to Fix. When your organisation suffers downtime, the cost to fix is totally dependent on the provisions that you have in place to support recovery. If you have outdated business continuity provisions that are unable to deal adequately with a cyber-attack, you may need to fly in specialist firms and individuals to do their best to recover your data. This will, of course, come at a premium. If, on the other hand, you have appropriate provisions in place that have been tested and are known to support the rapid recovery of systems and data, your cost to fix will be significantly lower.
- Productivity Loss. Of all the factors that need to be considered with the cost of downtime, productivity loss is perhaps the most significant. Having employees unable to work is damaging to any organisation, and the longer they remain unproductive, the costlier it becomes.
- Reputational Damage. The reputational damage of a cyber-attack may feel less tangible than financial and operational damage, but it is important to consider. This is especially true for central government departments, for whom reputational damage could be extremely serious – potentially even threatening national security. Even departments that are careful to maintain their reputation are likely to lose considerable trust from citizens if they suffer downtime or a data breach. Consider your own habits – would you trust an organisation you knew had leaked people’s confidential information in the past?
These key areas are essential considerations when calculating the true cost of cyber-attacks. However, if they still feel a little intangible, we’ll take you through a costed example in the following section.
Prevention Versus Recovery: A Costed Example
Consider an outage at a 50-person office that lasts one day. If the average annual salary in the office is £30,000, one day of downtime will cost the business over £11,400, factoring in a drop in efficiency of 50% for two days.
With ransomware attacks, you should consider the impact both of downtime and of the need to roll back to an earlier restore point, potentially losing an extended period of work. Recovery from a ransomware infection requires either identification of the time of infection or, more commonly, the recovery and testing of multiple restore points until a clean environment is confirmed.
Let’s say that a ransomware infection impacts a finance system, affecting a team of five users. For our example, the average salary of each staff member is £35,000 per year. It would not be uncommon for the recovery window of such an infection to cause three days of downtime, during which systems are rebuilt and tested, until at last a clean recovery point is found from a week ago.
For the next two weeks, the finance department not only has to recover from three days of outage, but they have also lost the previous week’s work. The efficiency of the team is impacted: not only does the department need to continue to process the normal day-to-day transactions, but they must also spend a considerable amount of time identifying and reproducing the work lost over the next two weeks. The total cost to the organisation is £6,700 for three days of outage only affecting five members of staff!
Put in these terms, the preventative costs of investing in cyber security suddenly don’t seem so extensive when compared to the cost to recover. Let’s now take a look at how presenting cyber security challenges through a cost-benefit analysis approach will help you achieve the investment you need.
A Cost-Benefit Analysis Approach to Cyber Security
A cost-benefit analysis is a method used to evaluate a project by comparing its losses and gains — essentially a quantified and qualified list of pros and cons. Undertaking a cost-benefit analysis is a great way to assess projects because it reduces the evaluation complexity to a single figure. As you can imagine, this makes a cost-benefit analysis an invaluable tool when it comes to explaining the intricacies and selling the value of a robust cyber security strategy to your department leaders.
One of the most important things to emphasise in your cost-benefit analysis is the trade-off between paying to prevent a mess versus paying to clean up a mess. A recent Cabinet Office report stated the estimated cost of cybercrime to the UK economy is a whopping £27 billion. And when it comes to individual attacks, a Sophos survey in April 2021 found that the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021.
Of course, investing in preventative cyber security measures also comes at a cost. Research firm Gartner forecast that global spending on information security and risk management services will reach $150.4 billion in 2021 – an increase of 12.4% from 2020.
In this context, one thing remains crystal clear: for most organisations, the cost of prevention pales in comparison to the cost of a breach. So how do you apply a cost-benefit analysis to get department leader buy-in for your cyber security strategy?
How to Adopt a Cost-Benefit Analysis Approach
Adopting a cost-benefit analysis approach is all about determining the risks you are willing to accept and comparing the costs of those risks against the benefits. This involves thinking about the direct and indirect risks you face, as well as the direct and indirect costs that could arise as a result of taking these risks. Examples of each include:
- Direct costs like ransom payments, or expenditure associated with identifying, mitigating and quarantining a threat.
- Indirect costs like downtime, operational disruption, reputational damage, time and internal resources, and legal and non-compliance fees.
It’s helpful to think about both direct and indirect factors when adopting a cost-benefit analysis approach. For instance, you might compare:
- The cost of income disruption (direct) and lost productivity (indirect) due to a ransomware attack versus the cost of preventing a data breach by investing in a ‘defence-in-depth’ cyber security approach.
- The cost of operational disruption (direct) and a decrease in future income (indirect) versus the cost of preventing an attack by investing in building an in-house team.
Developing a cost-benefit analysis approach involves coming up with options that you could undertake to achieve your project’s objectives — so you’ll want to keep breaking things down and playing with various risks, costs and outcomes. This leads naturally on to a discussion around whether existing cyber security resources are optimally deployed.
In many cases, analysis by Six Degrees has enabled organisations to rationalise their security services. This delivers not only better cyber security, but a proportional reduction in cost that can pay for the implementation of new capabilities. You can read more about our work with central government by visiting our central government hub.
Getting Department Leaders On-Board
Risk management is all about managing uncertainties. When it comes to preventing costly cyber-attacks, there’s significant value to be found in investing upfront in order to avoid paying a higher price later.
The good news is that today’s executives report being more open to new cyber security strategies than ever before. In 2020, 50% of executives said that they were willing to consider cyber security as a factor in every business decision (compared to only 25% the previous year). Use this as an opportunity to build foundations that will help create a sustainable and safe future.