While organizations grapple with how much to budget for cybersecurity, reports predict cybercrime will cost the world upward of $10 trillion in 2024.
The damage cost estimation is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state sponsored and organized crime gang hacking activities, and a cyber-attack surface which will be an order of magnitude greater in 2025 than it is today.
Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, and embezzlement.
Also included on this list are:
- Fraud
- Post-attack disruption to the normal course of business
- Forensic investigation
- Restoration and deletion of hacked data and systems
- Reputational harm
- Legal costs
There’s also the potential cost of regulatory fines, especially if personal information from users or clients has been stolen.
Given the risks, experts in this arena often estimate that companies should budget up to 20% of their IT budget on cybersecurity, although this figure will vary depending on an organization’s risk exposure, the potential cost of a data breach, and its overall budget.
There’s also the Pareto Principle, which can be useful for organizations that realize that no matter how hard they try to discover network vulnerabilities, they can’t find all of them. There are simply too many threats out there to identify.
The principle states that 20% of the invested input is responsible for 80% of the results obtained. Put another way, 80% of consequences stem from 20% of the causes.
This principle also applies to security in reverse: only 20% of the vulnerabilities on the internet lead to 80% of the data loss. When you think about it, this makes sense. How often do you hear about major data breaches in which multiple vulnerabilities were exploited? Instead, it’s usually just one major hack that led to many compromised accounts.
Many feel that the most important part of effectively using the 80/20 rule is determining what your priorities should be and which threats are the most dangerous.
Want to learn more? Tonex offers Cost of Security: Balancing Investment and Risk Training, a 2-day course where participants learn to define COSE and distinguish between various types of security costs.
Participants also learn to evaluate the financial impact of security threats and breaches on an organization as well as develop strategies for efficient allocation of security resources for maximum protection.
This course is designed for cybersecurity professionals, risk management officers, IT managers, financial analysts, and senior executives responsible for making decisions about security investments and policies in their organizations.
For more information, questions or comments, contact us.