Investment levels required

Cybersecurity budgeting and investment needs


CYBERSECURITY IN EQUIPMENT RENTAL COMPANIES

INVESTMENT AND MATURITY

Special factors in equipment rental

HOW MUCH DOES CYBERSECURITY COST?

Good cybersecurity requires significant investment, renewed each year. A common benchmark for direct investment in cybersecurity across all industries is quoted as 4-6% of IT spend.

Industry leaders also stress that the larger investment is in the indirect and intangible costs of "designing in", managing and embedding security into everything the company does, which may ultimately exceed the direct costs.

But above all, the biggest progress and quickest wins come at the start, through low-cost measures that get the basics in place:

"Leaders in our industry point to the fact that companies at the early part of their journey may have a more significant 'set up' cost (if they are starting low down on the maturity scale) – deploying perhaps 8% of IT spend at the start – then settling to the industry norm of 5% annually to support maintenance and ongoing improvements."

The case for investment is not easy to make. The cost of preventing a successful attack on the organisation is high, whilst the benefit of prevention is invisible. Nonetheless, the cost of a single breach can be millions of Euros in a financially motivated theft – and we know that a major service denial could actually be a terminal event for a business – so we justify our investments on that basis.

According to Gartner*, the typical split of budget spend (across all sectors) reflects the enterprise-wide need to protect all aspects of a business.

A company breakdown on average of a cybersecurity budget is:
  • Operational infrastructure security (48%): Relates to general Network Security, Identity and Access Management (IAM), Privilege Access Management (PAM), Endpoint Security and all the activities involved in data security.
  • Vulnerability management and security monitoring (20%): Relates to vulnerability assessments, vulnerability scanning, active discovery and remediation of vulnerabilities via ticketing, Security Operations Centre (SOC) performance and Security Information and Event Management (SIEM) costs.
  • Governance, Risk and Compliance (GR&C) (18%): Relates to the active role involved in securing the company’s data via an approved and certified framework, as well as complying with industry-specific regulations.
  • Application security (14%): Relates to a combination of penetration testing practices geared towards hardening hardware, software and employees against a running list of evolving threats.
Leaders also stress the strong link between cybersecurity investment and reducing risks of GDPR (General Data Protection Regulation) penalties.

“The EU GDPR sets a maximum fine of €20 million or 4% of annual global turnover – whichever is greater – for infringements involving loss of data.”

*Refer to: NIS Investments 2021 (ENISA Report) – the trends quoted in the report are drawn from Gartner security data and insights observed globally.

Business email compromise (BEC) was responsible for only 4% of breaches, but had the highest average total cost of the initial attack vectors, at $5.01 million. The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million).

IBM also reported that, in 2021, the 4 most common causes of data breach by initial attack vector were:

  • 20% – Weak and stolen credentials (passwords)
  • 17% – Phishing
  • 15% – Cloud misconfiguration
  • 14% – Vulnerability in 3rd party software

Source: IBM.

THE COST OF VULNERABILITY

A 2022 Gartner survey shows that 88% of boards of directors regard cybersecurity as a business risk rather than solely a technical IT problem.

Gartner predicts that by 2025, 60% of organisations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements (Gartner).

In 2021 it took an average of 212 days to identify a data breach and an average of 75 days to contain it, with breaches caused by stolen/compromised credentials taking the longest to identify (250 days) and contain (91 days) (IBM).