SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Survey finds businesses stung with $16m hidden cybersecurity costs every year
Fri, 9th Feb 2018

Organisations around the world are being blindsided every year with the hidden costs of reactive, detection-based security.

Bromium has released the findings of a new independent global report revealing these spiralling hidden costs: the upfront licensing and deployment investment in detection tools such as anti-virus is dwarfed by the human cost of managing and assessing the millions of alerts and false-positive threat intelligence those tools generate.

Staggeringly, the report found the average annual cost to maintain detect-to-protect endpoint security is around US$16.7 million per enterprise.

“Detection requires a patient zero – someone must get owned and then protection begins. Yet, because of this, rebuilds are unavoidable; false positives balloon; triage becomes more complex and emergency patching is increasingly disruptive,” says Bromium CEO Gregory Webb.

The data comes from a survey of 500 CISOs within enterprises around the world that is part of a wider report (The Hidden Costs of Detect-to-Protect), with the key findings including:

  • The average annual cost to maintain detect-to-protect endpoint security is $16,714,186, per enterprise
  • Organisations invest $345,300 per year on detect-to-protect security tools, but this cost is minimal compared to the hidden human costs
  • SOC teams receive over 1M alerts every year, but 75 percent are false positives
  • SOC teams spend 413,920 hours per year triaging alerts, an additional 2,448 hours rebuilding compromised machines, and 780 hours on emergency patching
  • Altogether, that's 417,148 hours per year, resulting in an annual labour cost of $16,368,886 per enterprise; added to the $345,300 tool spend, this makes up the $16,714,186 total

“It's no surprise that 63 percent of the CISOs we surveyed said they're worried about alert fatigue. Our customers tell us their SOC teams are drowning in alerts, many of which are false positives, and they are spending millions to address them,” says Webb.

“Meanwhile, advanced malware is still getting through because cyber criminals are focusing on the weak spots like email attachments, phishing links and downloads. This is why organisations must consider the total cost of ownership when making security investments, rather than just following the detect-to-fail crowd.”

It's encouraging to see organisations are investing in multiple security layers to defend against hackers, with the research finding on average enterprises are annually investing $159,220 on advanced threat detection, $44,200 on next-generation and traditional anti-virus, $29,540 on whitelisting and blacklisting, and $112,340 on detonation environments.

However, Webb asserts these technologies are all dependent on detection first and therefore are fundamentally flawed as they only stop the known.

The answer, Webb says, is application isolation, which he describes as the last line of defence in the new security stack and the only way to tame the spiralling labour costs that result from detection-based solutions.

“Application isolation allows malware to fully execute, because the application is hardware isolated, so the threat has nowhere to go and nothing to steal. This eliminates reimaging and rebuilds, as machines do not get owned,” Webb says.

“It also significantly reduces false positives, as SOC teams are only alerted to real threats. Emergency patching is not needed, as the applications are already protected in an isolated container. Triage time is drastically reduced because SOC teams can analyse the full kill chain.”

To avoid being stung by the hidden costs, Webb says there are a number of questions CISOs should be asking during evaluations, such as:

  • Where are most of the attacks happening?
  • Are advanced threats getting through current defences?
  • Is employee productivity negatively impacted by current security measures?
  • How many alerts are being generated? Of those, how many are false positives?
  • Is it likely that machines will still get compromised and need to be rebuilt?