Getting A Return On Cybersecurity Investment

Uploaded on 2024-10-26 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Financial

How do you measure what you cannot see? This is the conundrum facing countless businesses as they grapple with the current cybersecurity landscape.

Too often the real value of a cybersecurity tool isn’t realised until a business becomes the victim of a data leak or breach. A successful cyberattack is also the moment when many businesses finally realise that their cybersecurity solutions aren’t up to par, or that they’re lacking focus in a specific area. 

This retroactive approach to cybersecurity is extremely damaging to businesses, so much so that it has prompted the UK government to consider mandating specific cybersecurity objectives for private companies to keep their data and employees safe. Those mandates are yet to materialise, but in 2024 the government did progress its Cyber Governance Code of Practice to help business boards shore up their cyber resilience. Similar efforts are being seen internationally. In the European Union (EU), the updated NIS2 Directive now imposes stricter cybersecurity requirements across industries, requiring companies to report incidents and implement measures to mitigate risks. Meanwhile, the US Securities and Exchange Commission (SEC) has introduced rules obligating publicly traded companies to disclose incidents in a bid to enhance transparency and accountability.

The problem businesses are facing is twofold: How do you select and measure the return on investment of cybersecurity tools, and how do you get buy-in at every level of the business to ensure that cybersecurity is more than just an afterthought? 

The cybersecurity marketplace is a confusing area for businesses. There are more than 5.5 million businesses in the UK, and around 99% of those businesses are classed as SMEs. Among those SMEs, 90% are “microbusinesses” or sole traders. While small businesses and start-ups might have the drive, ambition and agility to move quickly and respond to market demands, they almost always lack the knowledge and experience to effectively implement cybersecurity solutions that align with their objectives.  

In a 2024 survey, Zivver asked 250 security decision makers about their primary security challenges. Nearly half (47%) said they found it difficult to keep up with data security technologies, more than one-third (39%) cited regulation and compliance as a key concern, and 36% said they were concerned about a lack of security awareness and understanding among employees.

This is troubling, particularly when you consider the sheer number of applications, end-points, and distributed workers that businesses now typically deal with.

According to one report, more than 50% of employees have seen the number of collaboration tools in their company increase in the last two years – that opens the door to a lot of potential threat vectors, particularly where outbound threats such as data leaks and human error are concerned. 

Outbound Versus Inbound Threats

Measuring the return on investment for cybersecurity tools is complex, but at least where inbound threats are concerned – external threats where businesses are targeted or impacted – there are some useful KPIs that can be tracked. For instance, a business with integrated cybersecurity might be able to track how many threats were identified on their network in a given period of time and infer the effectiveness of their tools. There will still be challenges associated with communicating or “proving” these benefits to leaders in the boardroom, but it is easier to build a persuasive case. 

That case is more difficult to make when it comes to measures closely associated with stopping outbound threats. Outbound threats refer to instances where sensitive data leaves the business in an unauthorised fashion. Sometimes this is purposeful, such as a disgruntled employee stealing or leaking data, but more often it’s accidental – an erroneously sent email, a laptop left unguarded, or a phishing scam orchestrated by a third party that tricks an employee into revealing sensitive information.

To mitigate outbound threats, businesses need to consider things like employee awareness training, blocking untrusted domains, and intelligently filtering emails. It’s often much harder to gauge the efficacy of these measures, and too often businesses blame the human workers involved rather than the systems or cultures within the business. 

Humans Are Both The Strongest & Weakest Link

Humans are really the last line of defence for an organisation. They can be easily scapegoated as a weak link, but with the right tools and training in place they can easily be turned into the strongest link in an organisation’s defensive chain.

Bridging the gap between users and technology,  is the real key to unlocking cybersecurity returns. 

Take emails as a specific example. 80% of data leaks are caused by employee behaviour, where sensitive data is leaked, lost, or shared with unauthorised individuals. What’s more, two-thirds of organisations impacted by email-based data loss have to cease operations to mitigate the risk and remediate the threat. Organisations can train employees to spot phishing emails and put guidelines in place to ensure that data is only shared between authorised parties, but it’s almost impossible to gauge the ROI of these measures because their influence is qualitative rather than quantitative. But if that same organisation were to add a form of technology into the mix, such as automatic encryption or machine-learning algorithms that can detect sensitive content or attachments and provide a warning before emails are sent, the return on investment becomes clearer. This human-technology bridge can offer metrics such as how many emails are being sent with encrypted information, where potential breaches may be about to occur, and how compliant the company’s email protocols are with its overall security posture. 

This technology can empower humans to become one of the strongest links in the defensive chain, and part of this empowerment is gaining visibility into key metrics so that the efficacy of their cybersecurity strategy can be more accurately measured.

Cybersecurity Isn’t A box Ticking Exercise, It’s A Culture

A big part of measuring the ROI of preventative cybersecurity is getting buy-in from leadership and the vendors themselves. Frank mentions the need for daily maintenance and validation to ensure that a solution is performing as promised and is still up to par. By asking vendors whether they are compliant with ISO 27001 (an international standard that outlines requirements for information security management), Frank argues that businesses are practically 80% there when it comes to selecting a suitable vendor. 

Another key factor is business culture. Too many businesses have a culture that punishes staff for clicking on a fraudulent link or falling victim to a phishing scam. Far from being productive, this only makes it less likely that staff will come forward when a mistake is made, leaving more time for damage to occur and less time for incident management and control. No amount of technology will fix this; it’s vital that businesses create a pro-people culture when it comes to cybersecurity if they are to see any kind of return on their cybersecurity investments.

Organisations should create a baseline of transparency and trust, where employees feel safe in putting their hands up when they’ve made a mistake before they consider investing in supplementary tools to keep their data safe. 

Treating employees as a “risk that needs to be mitigated” is old-hat thinking. Employees shouldn’t be blocked from accessing key information or working efficiently under the guise of “good” security. Instead, IT leaders should pivot toward cybersecurity solutions that can keep data safe without disrupting workflows, monitoring the flow of information and ensuring those that need access have access. 

Viewing employees as a "risk that needs to be mitigated" is an outdated approach and can sometimes be more harmful to organisations.

Employees shouldn’t be restricted from accessing key information or working efficiently under the guise of "good" security. Instead, IT leaders should adopt a right-sized approach to security, tailoring protections based on the specific needs and risks associated with each employee's role.

Moving away from ‘one-size-fits-all’ methodology will ensure that data remains secure without disrupting workflows. By monitoring the flow of information and ensuring that only those who need access have it, organisations can balance robust security with operational efficiency.

Frank Horenberg is Head of IT at Zivver and and Simon Newman is a  Co-Founder of Cyber London

Image:  

You Might Also Read: 

Too Many Tools - Cybersecurity Professionals Feel Out Of Control:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Dark Data Helps Boost Business
Teach Your Children About Safer Cyber Security »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Corero Network Security

Corero Network Security

Corero Network Security is dedicated to improving the security of the Internet through the deployment of its innovative DDoS & Network Security Solutions.

Cyfor

Cyfor

Cyfor provides digital forensics and eDiscovery in civil, criminal, intellectual property, litigation and dispute resolution investigations.

Networkers

Networkers

Networkers is a global recruitment consultancy helping unite job-seekers and hiring companies across the technology industry.

inBay Technologies

inBay Technologies

inBay Technologies' idQ Trust as a Service (TaaS) is a unique and innovative SaaS that eliminates the need for user names and passwords.

Cobalt Labs

Cobalt Labs

Pen Testing as a Service for Modern SaaS Businesses. Cobalt is redefining the modern pen test for companies who want serious hacker-like testing built into their development cycle.

Kuratorium Sicheres Österreich (KSO)

Kuratorium Sicheres Österreich (KSO)

KSO is an independent non-profit association that has set itself the goal of making Austria safer as a national networking and information platform for topics of internal security.

State e-Government Agency (SEGA) - Bulgaria

State e-Government Agency (SEGA) - Bulgaria

The State e-Government Agency (SEGA) is responsible for matters relating to electronic governance in Bulgaria.

Spanish Network of Excellence on Cybersecurity Research (RENIC)

Spanish Network of Excellence on Cybersecurity Research (RENIC)

RENIC is a membership based sectoral association that includes research centers and other agents of the research cybersecurity ecosystem in Spain.

Cyberhaven

Cyberhaven

Cyberhaven provides rapid enablement for GDPR and CCPA compliance, streamlined data security and modern risk management.

OurCrowd

OurCrowd

OurCrowd is a leading equity crowdfunding platform for investing in global startups.

Real Protect

Real Protect

Real Protect is a Brazilian provider of managed security (MSS) and cyber defense services.

SensCy

SensCy

SensCy is a Trusted Guide for Sensible Cybersecurity for small and medium-sized organizations.

Sword Group

Sword Group

Sword is a leader in data insights, digital transformation and technology services with a substantial reputation in complex IT, business projects and mission critical operations.

Chaos Computer Club (CCC)

Chaos Computer Club (CCC)

The Chaos Computer Club is Europe's largest association of hackers.

Slide

Slide

Slide is a modern, security-first Business Continuity & Disaster Recovery (BCDR) company built exclusively for Managed Service Providers.

Coana

Coana

Coana helps software teams tackle the flood of alerts from traditional SCA tools. Using advanced reachability analysis, Coana cuts false alerts by over 80%, freeing up significant engineering time.