Widespread and costly cyberattacks have become the new normal for every business. According to IBM's Cost of a Data Breach Report 2023, 83% of organizations surveyed have experienced multiple data breaches.
In this new reality, organizations know that minimizing the damage from a breach is just as important as preventing one. As a result, security leaders and senior executive teams with purchasing authority are looking at cybersecurity investments in new, and sometimes conflicting, ways.
Security leaders focused on defense-in-depth strategies are continuously exploring solutions to address their organization's ever-evolving attack surface and scrutinizing technical solutions accordingly, while business-focused stakeholders are conscious of growing cybersecurity investments and are using new criteria to approve or sanction security purchases.
The recent Change Healthcare ransomware attack is an extreme example that shows the polarity of cybersecurity investments and their ultimate value, especially when considering the cost of a breach.
With over $3 billion in revenue, Change Healthcare is one of the largest healthcare payment management providers in the U.S. The company processes billions of transactions and sensitive patient data across the U.S. healthcare system. No doubt, Change Healthcare employs a comprehensive cybersecurity technology stack to protect against threats and has a large team of security experts to manage it.
But the Change Healthcare breach is expected to be one of the costliest ransomware attacks on the U.S. healthcare industry, with a confirmed ransom payment of $22 million and recovery costs predicted to exceed $1 billion.
Ransomware attacks are complex but are often launched using rudimentary, low-tech techniques. In the case of the Change Healthcare attack, compromised credentials reportedly allowed attackers to remotely access the Change Healthcare Citrix portal, which was not protected by multi-factor authentication (MFA).
Despite millions of dollars invested in cybersecurity tools and resources, basic attack techniques still result in costly incidents.
A new cybersecurity justification: investing in anti-bribery measures
Given the increasing sophistication of attackers and the ineffectiveness of many standard detection and response tools against ransomware and the basic techniques used for initial access, ensuring and maintaining a robust defense-in-depth strategy requires staying one step ahead with investments in new technologies.
In most organizations, cybersecurity leaders must navigate the reality of limited resources and budgets: they now need not only to justify the security benefits of new technologies, but also to demonstrate the return on security investment (ROSI) to business-focused stakeholders.
IT budgets are growing, with software spending expected to grow 13.7% and IT services spending expected to grow 8.8% in 2024, according to Gartner.
But while budgets are growing, the buying process is changing. Security leaders today face new buying barriers that go beyond technical review and require a business case that justifies the spend while estimating the likelihood that a breach will occur.
The average cost of a data breach across all industries has soared to $4.45 million, according to IBM's Cost of a Data Breach Report 2023. While that's a small figure compared to Change Healthcare's breach costs, it's still a number that could be business-changing or, worse, business-ending for most organizations.
However, the average cost of a breach in the United States is significantly higher at $9.48 million. Recovery costs vary widely and can include service interruption, system downtime, financial losses, non-compliance fines, and legal costs.
Despite the obvious risks and real-world news coverage, business-oriented stakeholders may be skeptical of generic breach statistics because they may not accurately reflect an organization's specific risk profile. Metrics and standardized tools provide a quantitative means to evaluate new technology investments against projected risks.
Applying Annualized Loss Expectancy to quantify risk
Annualized Loss Expectancy (ALE) is actively used in risk assessments and has gained prominence in cybersecurity investment decision-making. ALE quantifies the potential annual financial impact of a given risk so that it can be weighed against the cost of a security investment over a defined time period.
ALE is a methodology that helps identify and prioritize security threats by assigning them specific monetary values and forecasting the annual cost associated with specific security breaches. This helps security leaders build a robust business case for potential technology investments, especially when existing technologies and investments overlap or are redundant.
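The following is an added worked example, not part of the original article, showing how ALE and ROSI are computed and used to rank candidate investments. It uses the standard formulas ALE = SLE × ARO and ROSI = (risk reduction − control cost) / control cost. All dollar figures, occurrence rates and control names are constructed inputs chosen for illustration (the SLE borrows the $4.45 million average breach cost cited above as a stand-in; the residual ARO after each control is an assumed estimate, not a measured value).

```python
"""Worked Annualized Loss Expectancy (ALE) and ROSI calculation.

Added example, not code from the original article. The scenario, controls and
all numbers below are constructed inputs; the formulas ALE = SLE x ARO and
ROSI = (ALE_before - ALE_after - cost) / cost are the standard ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, e.g. ransomware delivered through a remote-access portal."""
    name: str
    sle: float   # single loss expectancy (SLE): dollar cost of one occurrence
    aro: float   # annualized rate of occurrence (ARO): expected events per year


@dataclass(frozen=True)
class Control:
    """A candidate investment and the residual ARO it is assumed to leave."""
    name: str
    annual_cost: float
    residual_aro: float   # assumed ARO once the control is in place


def ale(scenario: Scenario) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return scenario.sle * scenario.aro


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on security investment, as a multiple of the control's annual cost."""
    if annual_cost <= 0:
        raise ValueError("annual control cost must be positive")
    return (ale_before - ale_after - annual_cost) / annual_cost


def evaluate(scenario: Scenario, control: Control) -> dict:
    """ALE before and after a control, the risk reduction it buys, and its ROSI."""
    before = ale(scenario)
    after = ale(Scenario(scenario.name, scenario.sle, control.residual_aro))
    return {
        "control": control.name,
        "ale_before": before,
        "ale_after": after,
        "risk_reduction": before - after,
        "rosi": rosi(before, after, control.annual_cost),
    }


def rank_controls(scenario: Scenario, controls: list) -> list:
    """Rank candidate controls for one scenario by ROSI, best first."""
    return sorted(
        (evaluate(scenario, c) for c in controls),
        key=lambda r: r["rosi"],
        reverse=True,
    )


# Constructed scenario: credential abuse against a remote-access portal without MFA.
# SLE uses the $4.45M average breach cost as a stand-in; ARO of 0.25/year is assumed.
PORTAL_RANSOMWARE = Scenario(
    name="ransomware via remote-access portal",
    sle=4_450_000.0,
    aro=0.25,
)

# Constructed candidate controls with assumed costs and assumed residual rates.
CANDIDATES = [
    Control("MFA on remote access", annual_cost=150_000.0, residual_aro=0.05),
    Control("extended EDR coverage", annual_cost=400_000.0, residual_aro=0.10),
]


if __name__ == "__main__":
    print(f"Scenario: {PORTAL_RANSOMWARE.name}, ALE ${ale(PORTAL_RANSOMWARE):,.0f}/year")
    for r in rank_controls(PORTAL_RANSOMWARE, CANDIDATES):
        print(
            f"  {r['control']:<24} ALE ${r['ale_before']:,.0f} -> ${r['ale_after']:,.0f}"
            f"  reduction ${r['risk_reduction']:,.0f}  ROSI {r['rosi']:.2f}x"
        )
```

With these inputs the portal scenario carries an ALE of $1,112,500 per year. MFA reduces it to $222,500 for $150,000, a ROSI of about 4.9x, while the costlier EDR expansion reduces it to $445,000 for $400,000, a ROSI of about 0.67x, so the ranking favours the cheaper control that removes the initial-access path. The ARO and residual-ARO estimates dominate the result, so in practice they should be sourced from incident history or threat intelligence and revisited as the organization's risk profile changes.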