Cybersecurity Investments vs. Actual Risk and Cyber Risk Mitigation


Investing in cyber security versus real risk and mitigating cyber risk

Over the past few years, companies across various sectors have steadily increased their investments in cyber security, and it is predicted to reach $150 billion globally in 2021. There are many factors that would contribute to increased budgets dedicated to cyber security, among them awareness of and experience with cyber threats. which are constantly evolving (both in complexity and frequency) and the IT challenges that come with them.

But this budget growth raises the question – what is this budget spent on? How is it distributed? And is it consistent with the actual financial impact on business from cyber risk that companies face?

Deloitte’s 2020 survey shows that there has been a significant increase in cybersecurity investment at its client companies over the past three years, and that many of these companies are considering cybersecurity as part of the IT function and budget. In general, this step can be seen as a positive integration – as many cybersecurity implementations require a close connection with the IT infrastructure – but also a potentially negative one if the budget allocation in this area can be vetoed in favor of IT over security.

The research further shows that clients now spend approximately 11% of their IT budget and on average around 0.55% of company revenue on cyber security.

Security services, including consulting, hardware support, implementation and outsourced services, represent the largest spending category in 2021, at nearly $72.5 billion worldwide.

Information Security and Risk Management End User Consumption by Segment

2020-2021 (US$ million)

Source: Gartner (May 2021)

Rising budgets and awareness of cyber security threats are costing companies a lot of money these days, but are they investing in the right fields? Are these expenditures aligned with the real risk the company faces? To answer these questions, we need to know what the top concerns are in the eyes of business leaders when it comes to cybersecurity.

The top 5 priorities for cybersecurity investments this year appear to be:

Cloud Security Data Security Third Party Security Automated Processes Mobile Security

Looking back at the large-scale cyberattacks of the past year, it is understandable and justified to invest resources in cloud, data and third-party security given that the most prominent attack vectors and threats at the moment are ransomware attacks and data theft (either as part of double extortion ransomware or standalone).

Business migration to use different cloud services provides additional layers of protection for companies’ data as backups are easier to retrieve in case of ransomware and the attack is unlikely to be directly on the cloud service provider and therefore the data is more secure than when stored locally.

The most surprising appearance in the top 5 list is mobile security. While there is no doubt that mobile threats are becoming more widespread and diverse, the impact of a successful attack on a personal mobile device that is also used for corporate activities (such as email and calendar) remains relatively low compared to attacks on personal computers or corporate services. This is primarily due to the fact that PCs and corporate services typically provide much more direct and simple access to the corporate network itself, while mobile devices typically connect to narrow or limited interfaces of that network.

Furthermore, mobile device exploitation can usually only be achieved by advanced threat actors. Why? For starters, mobile iOS apps must go through a review process before being registered to be available for download. For Android, apps can be sideloaded, but it’s a very difficult process. Meanwhile, unregistered computer applications (some infected with malware) are widely available online. Given these obstacles, it is much more difficult to exploit a smartphone than a PC.

Yes, it is true that mobile remote access trojans (mRATs) can enable unauthorized stealth access to devices. An attacker can use mRATs to exfiltrate sensitive information from devices such as location, contacts, photos, screenshots, and even eavesdrop on microphones. However, attacks such as mRAT are not common or effective attack vectors against organizations and companies. Mobile device attacks are usually very localized to a single victim user. This makes it more difficult to exploit an attack to spread through an organization. The PC is an easier target and has more damage potential.

Although there is a wide range of potential threats, it is not feasible, nor financially wise, to invest in security against every possible attack. From a business perspective, one should ask, “What is the potential financial downside to any cyber threat?” In the case of mobile devices, the financial exposure is quite low, so investment in cybersecurity needs to be adjusted accordingly. For example, basic mobile device management tools should be adequate for most use cases, such as preventing device theft or unauthorized app installation.

Security spending should be correlated with actual risk and risk mitigation actions appropriate to the risks. This even includes potential mobile security edge cases that have been identified as high risk. For example, some sectors—such as government, defense contractors, healthcare, or other highly regulated industries—may require more advanced mobile defense systems. This is where a quantification model built on threat and impact data can help inform security investment decisions, whether mobile or otherwise.

To see how Kovrr’s cyber risk quantification models can help your organization gain a more complete picture of the ever-evolving cyber threats and improve your company’s cyber security budget, get in touch with our experts today.

Comments are closed.