Trying to assign a value to the return on investment in IT security technologies and services has always been a major challenge. No one can really assign a value to all the potential threats that were blocked. The only real definitive measure is the cost of the cybersecurity attacks that managed to get by whatever IT security defenses were in place at the time. No one likes to see any organization fall victim to a cybercrime. But some sense of the financial costs associated with cybersecurity attacks does go a long way to helping IT security professionals justify the level of investment being made.
Guidance Software, a provider of IT forensics tools, has published the results of a survey of 330 IT professionals in North America that finds 25 percent of organizations suffered significant or minor direct financial losses due to an attack or breach in the past 12 months. Only six percent of companies claimed significant financial losses, up from two percent in 2016. But another 19 percent of companies claimed minor financial losses in 2017, up from 11 percent in 2016. However, when viewed through the lens of companies that were impacted by breaches specifically targeted at them, 20 percent of those organizations bore costs of over $1 million. The report also finds that 19 percent of respondents experienced intellectual property theft or a breach of information confidentiality in 2017, up from 13 percent in 2016. Obviously, the loss of intellectual property can be nothing short of incalculable.
In total, approximately 65 percent of organizations reported falling victim to malware-related breaches (up from 56 percent in 2016), while 55% experienced phishing-initiated breaches (down from 58 percent in 2016).
When it comes to maintaining IT security, the survey finds that 35 percent of respondents named assessing risk the biggest IT security challenge, up from 32 percent in 2016. That was followed closely by the 34 percent of respondents who named enforcing security policies the top challenge, up from 31 percent in 2016, and the 33 percent who named managing the complexity of security the biggest challenge, which was the same in 2016.
Despite these concerns, however, only about half of respondents (48%) believe they will need to respond to a breach in the coming year. In addition, 54 percent of organizations said they feel well prepared to respond to a major breach in the coming year (up from 51% in 2016). But twice as many respondents (25%) as last year (12%) said they are looking to build a formal security and incident management team within the next year.
As financial losses increase, there’s always a natural increase in funds being allocated to IT security. A report published this week by Markets&Markets estimates that the cybersecurity market is expected to grow from $137.85 billion in 2017 to $231.94 billion by 2022, representing a compound annual growth rate (CAGR) of 11 percent. Obviously, IT security spending is going to be uneven across organizations. The good news, however, is there are now a lot more IT organizations being proactive about IT security. The bad news is those organizations are still outnumbered by those that continue to be reactive. The real challenge IT security professionals face is getting the leaders of their organizations to truly appreciate the value of investments made in IT security. After all, most of those investments are an article of faith. But as reports of financial losses continue to pour in around the globe, it is becoming easier for business executives to keep the IT security faith.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.