Cyber threats are responsible for growing security expenses in enterprises with close links to the IT sector – and these costs cannot be avoided. Defending IT systems against the significant threat posed by modern malware results in enormous costs. A heuristic model from Juniper Networks has been designed to help better map the economic difficulties faced by enterprises in this field.
Problems with current security solutions
There is no perfect solution available to companies for eliminating or avoiding threats. The following key results from the above-mentioned model help to make this clear:
- There is no universal solution currently available to enterprises. That is why there is no single optimum investment strategy.
- Most typical IT security solutions deployed in an enterprise are procured to meet specific cyber threats. This influences tools’ long-term effectiveness and they lose value rapidly.
- Enterprises often fail to recognise the importance of their own personnel: investments in this area – training or sensitisation courses for example – can often save costs in the long term by means of preventive measures.
- Simple software updates are not performed with sufficient speed and regularity. This alone would lead to significant cost savings.
- The Internet of Things makes it necessary to invest in security solutions for a completely different category of devices. As it stands, few companies are ready for this challenge at the moment.
However, large investments are not a panacea, as the study by Juniper Networks demonstrates by taking a look at the role of the defender.
Defence against current cyber threats
At the moment, the financial and organisational resources of attackers are growing faster than sums being invested by enterprises in IT security. One reason for this bad state of affairs is that many enterprises still do not attach the same importance to threats from the Internet or internal network as they do to “real” problems. A lot of companies take the path of least resistance: metrics are shown at meetings that represent how many potential cyber threats could be stopped by a new firewall, for example.
This may be interesting from a technical point of view, but this depiction of information fails to mention that every new security solution is also tied to an investment risk. The efficient management of security software remains difficult as, according to “Juniper Networks'” study, companies fail to see this issue as relevant. Yet the overall cost of IT security is closely linked to the effectiveness of security solutions in general.
Holistic consideration as solution
Before going ahead with actual investment, costs can be defined as the sum of various aspects to help companies better understand the cost-effectiveness of their own security solutions: These aspects comprise:
- The likely losses due to cyber attacks
- The direct cost of staff training
- The direct cost of investment in new security applications
- The indirect cost incurred due to restrictions in the area of BYOD devices within the staff
- The indirect cost incurred due to air-gaps in subnetworks
The likely losses incurred due to cyber attacks is very easy to determine: how likely is an attack and what impact would one have? Multiplying these two values results in the potential loss. The next thing to do is to determine a security solution below this value – otherwise the costs of investment in cyber security will exceed the potential loss, which is financially unviable for companies in the long term.
IT security: the impact of new insights
Within the study, enterprises that implement these measures from Juniper Networks and analyse their own needs also tend to introduce a number of changes. Among other things, they reduced the number of devices exposed to potential security risks. At the same time, this resulted in lower losses in the event of successful cyber attacks. Furthermore, it was possible to introduce new security tools as their cost could be better calculated in advance, and several widespread variants of malware were rendered ineffective as appropriate countermeasures were implemented more rapidly.
The Juniper Networks model therefore means significantly more effective defence against security risks for companies of all sizes. However, this was not only achieved by simply acquiring new tools but also by considering their impact in relation to the expected costs.
Companies will incur more losses as a result of cyber attacks if they fail to acquire appropriate tools and hold appropriate training than the losses expected to be incurred after implementing the model. And in the long term, the gap between the two will grow. There is still no all-round solution in sight – but cost minimisation is already possible.