Survey finds businesses stung with $16m hidden cybersecurity costs every year

09 Feb 18

Organisations around the world are being blindsided every year with the hidden costs of reactive, detection-based security.

Bromium has released the findings of a new independent global report that reveal spiralling hidden costs: the initial upfront licensing and deployment investment in security detection tools such as anti-virus is dwarfed by the human cost of managing and assessing the millions of alerts and false-positive threat-intelligence hits those tools generate.

Staggeringly, the report found the average annual cost to maintain detect-to-protect endpoint security is around US$16.7 million per enterprise.

“Detection requires a patient zero – someone must get owned and then protection begins. Yet, because of this, rebuilds are unavoidable; false positives balloon; triage becomes more complex and emergency patching is increasingly disruptive,” says Bromium CEO Gregory Webb.

The data comes from a survey of 500 CISOs within enterprises around the world that is part of a wider report (The Hidden Costs of Detect-to-Protect), with the key findings including:

  • The average annual cost to maintain detect-to-protect endpoint security is $16,714,186 per enterprise
  • Organisations invest $345,300 per year on detect-to-protect security tools, but this cost is minimal compared to the hidden human costs
  • SOC teams receive over 1M alerts every year, but 75 percent are false positives
  • SOC teams spend 413,920 hours per year triaging alerts, an additional 2,448 hours rebuilding compromised machines, and 780 hours on emergency patching
  • Altogether, that’s 417,148 hours per year, resulting in an annual labour cost of $16,368,886 per enterprise

“It’s no surprise that 63 percent of the CISOs we surveyed said they’re worried about alert fatigue. Our customers tell us their SOC teams are drowning in alerts, many of which are false positives, and they are spending millions to address them,” says Webb.

“Meanwhile, advanced malware is still getting through because cyber criminals are focusing on the weak spots like email attachments, phishing links and downloads. This is why organisations must consider the total cost of ownership when making security investments, rather than just following the detect-to-fail crowd.”

It’s encouraging to see organisations investing in multiple security layers to defend against hackers: the research found that, on average, enterprises annually invest $159,220 on advanced threat detection, $44,200 on next-generation and traditional anti-virus, $29,540 on whitelisting and blacklisting, and $112,340 on detonation environments.

However, Webb asserts these technologies are all dependent on detection first and therefore are fundamentally flawed as they only stop the known.

The answer, Webb says, is application isolation, as it provides the last line of defence in the new security stack and is the only way to tame the spiralling labour costs that result from detection-based solutions.

“Application isolation allows malware to fully execute, because the application is hardware isolated, so the threat has nowhere to go and nothing to steal. This eliminates reimaging and rebuilds, as machines do not get owned,” Webb says.

“It also significantly reduces false positives, as SOC teams are only alerted to real threats. Emergency patching is not needed, as the applications are already protected in an isolated container. Triage time is drastically reduced because SOC teams can analyze the full kill chain.”

To avoid being stung by the hidden costs, Webb says there are a number of questions CISOs should be asking during evaluations, such as:

  • Where are most of the attacks happening?
  • Are advanced threats getting through current defences?
  • Is employee productivity negatively impacted by current security measures?
  • How many alerts are being generated? Of those, how many are false positives?
  • Is it likely that machines will still get compromised and need to be rebuilt?