Today, the Ponemon Institute released its latest report, "The Economic Value of
Prevention in the Cybersecurity Lifecycle". The independent study, sponsored by
Deep Instinct, determined for the first time that the economic value of
cyberattack prevention - which takes into account the entire cybersecurity
lifecycle of detection, containment, remediation, and recovery - ranges from
$396,675 to $1,366,365, depending on the nature of the attack.
The study also found that while the overwhelming majority of cybersecurity
professionals (70%) felt the ability to prevent attacks from penetrating
their networks would improve their cybersecurity posture and reduce the cost of
an attack, only a relatively small 21% of budgets are allocated to attack
prevention. The other 79% of budgets is allocated to detection, containment,
recovery and remediation activities.
The study determined that effective adoption of a preventative solution
- when compared to the current spending of security departments and the cost of
attacks - would result in significant cost reductions and require lower overall
investment.
"This study shows that the majority of companies are more effective at containing
cyberattacks after they happen because it is perceived to be more accountable.
This explains why cybersecurity budgets focus on containing attacks rather than
preventing them, as well as the increased rate
of breaches despite investments in cybersecurity solutions," said Dr.
Larry Ponemon, the Chairman and Founder of the Ponemon Institute. "Prevention
of cyberattacks is perceived to be too difficult, but as companies continue to
suffer revenue losses due to cyber breaches, we expect budgets to start
allocating increased resources to preventative solutions given the amount of money
they save."
The clear benefit of prevention is reflected by the 67% of respondents who
believe the use of automation and advanced AI such as deep learning would
improve their ability to prevent attacks and who, despite the current perceived
difficulty, intend to implement these technologies within the next two years.
"What this study shows is that most companies are still operating under a policy of
'assume breach,' believing that it is more pragmatic to contain a cyberattack
after penetration. This is no longer an economically viable long-term
strategy," said Guy Caspi, CEO and co-founder of Deep Instinct. "The value of
prevention is clear - for any type of attack, prevention saves significant time
and money. Deep learning-powered cyber solutions, which are uninhibited by the
human limitations that define machine learning-driven solutions, are uniquely
suited to provide preventative protection for enterprises and drive down the
costs of attacks."
Additional key findings from the report include:
- With an average budget of $13 million for IT security,
50% of respondents say their organizations are wasting limited budgets on
investments that don't improve their cybersecurity posture, and only 40%
believe their budgets are sufficient.
- Prevention is perceived to be the most difficult to
achieve in the cybersecurity lifecycle according to 80% of respondents.
The reasons cited are that it takes too long to identify, insufficient
technology and lack of in-house expertise.
- Organizations are more effective at containing
cyberattacks. 55% of respondents feel that they can contain attacks after
they happen, and this priority leads IT teams to allocate larger portions
of their budgets to containment, rather than prevention.
The study surveyed over 600 IT and IT security practitioners who are knowledgeable about
their organizations' cybersecurity technologies and processes. Most of these
respondents are responsible for maintaining and implementing security
technologies, conducting assessments, leading security teams and testing
controls.
The full report can be accessed here.