eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
As the coronavirus (COVID-19) continues to spread, the virulent disease has impacted our lives with restricted global travel, cancelled public and sporting events, and it compels employees to work remotely from home. We’ve seen a rise of fake coronavirus resources and websites as criminal elements take advantage of this situation. They know remote workers are not always as well-protected as ones behind the defenses of the mothership. In times like these, it becomes even more important to protect the laptops, tablets and other mobile devices used by your distributed workforce.
Quantifying Risk: Making the Case for Greater Endpoint Protection
In late 2018, the Ponemon Institute’s State of Endpoint Security Risk report stated that 34 percent of survey respondents indicated their endpoints had no protection. Unfortunately, this figure represents an increase compared to the 2017 report’s 28 percent. Perhaps unsurprisingly, the majority—64 percent—of survey respondents indicated that their organizations were compromised by one or more successful endpoint attacks in 2018. Again, this number reflects an increase over the previous year (54 percent).
From Cyber Risk to Financial Risk
While the cyber risk associated with endpoints is well-established, the financial risk—the minimum incurred yearly financial risk—is often considered in broad terms without sufficiently considering an organization’s characteristics.
To accurately determine the minimum incurred yearly risk of endpoints requires knowing multiple variables:
The characteristics of an organization
The probability an incident converting to data disclosure
The impact per record disclosed
Probability of an Incident
Studies often site widely inaccurate claims around breach probabilities and their consequences. Lumping small and medium businesses (SMBs), enterprises and a broad range of industries into calculations results in inaccurate estimations that lack real-world context.
At eSentire, we created a risk propensity model based upon real-world observations (as opposed to survey results) of what we see bypass our clients’ existing security controls. The figure below shows, for a 12-month period and based upon an organizations’ number of sites, the probability of at least one incident that involves a bypass of existing endpoint security controls.
For illustrative purposes, we’ve shown three industries: finance, legal and healthcare.
The more sites an organization has, the higher the risk. This conclusion follows logically: the more sites, the larger the threat surface (endpoints in this case) and the more opportunities for attackers. To keep our model conservative, we assumed that each location is both independent and segregated from the others. That is, a breach at one site doesn’t make a breach at another any more likely, and a breach at one site does not spread laterally to another.
Conversion to Data Disclosure
While probability of an incident is important, conversion to data disclosure is critical for calculating risk. To continue with our illustrative purposes, finance, legal and healthcare organizations have observed incident conversion to data disclosure at rates of 22 percent, 23 percent and 65 percent. Notice the disparity between healthcare and the finance and legal industries. This is due in part to the nature of the data protected and the level of cybersecurity investment, especially around detection, response and recovery.
Calculating the probability of an incident and it resulting in data disclosure requires multiplying our two variables (probability of an incident X conversion to data disclosure rate). For our finance, legal and healthcare illustrations we will use the values for organizations with three locations. The resultant probability of an incident converting to data disclosure is:
Finance: 11 percent
Legal: 17 percent
Healthcare: 46 percent
Impact and Incurred Yearly Risk
Determining incurred yearly risk requires subjectivity from the organization at risk. To illustrate, the latest Ponemon Cost of a Data Breach Study reported that every record lost in a data breach results in the following cost:
Finance: $210
Legal: $178
Healthcare: $429
No study can accurately project how many records an organization will lose if a data breach occurs. Leadership must determine, based on risk tolerance models, the projected number of records expected to lose in the case that a data breach occurs. For example, the below represents sample financial impact based on number of records lost:
Records Lost
Finance
Legal
Healthcare
1,000
$210,000
$178,000
$429,000
5,000
$1,050,000
$890,000
$2,145,000
10,000
$2,100,000
$1,780,000
$4,290,000
25,000
$5,250,000
$4,450,000
$10,725,000
50,000
$10,500,000
$8,900,000
$21,450,000
While these values are representative of when data disclosure does occur, it lacks application of risk of an incident and conversion to data disclosure over a 12-month period. To ultimately arrive at minimum incurred yearly risk (with at least one incident occurring), we must combine impact with probability of incident to data disclosure. The resultant minimum incurred yearly risk is:
Records Lost
Finance
Legal
Healthcare
1,000
$23,100
$30,260
$197,340
5,000
$115,500
$151,300
$986,700
10,000
$231,000
$302,600
$1,973,400
25,000
$577,500
$756,500
$4,933,500
50,000
$1,155,000
$1,513,000
$9,867,000
These values represent the minimum financial outlay organizations should expect over a 12-month period based on contextual risk.
Mismanagement of Risk
Despite an abundance of evidence that it’s just good business to invest in security solutions, many organizations wait until it’s too late. Rather than prudently managing financial risk by protecting endpoints, they respond only after incurring costs due to successful attacks.
This “wait and hope” approach manifests in inadequate security budgets. Gartner reports that the average organization spends $1,178 per employee on security, with only $124 of that figure dedicated to endpoint protection.
And, again despite ample evidence suggesting a different approach is needed, traditional antivirus remains the primary protection for endpoints—even though the Ponemon study shows that 57 percent of organizations recognize that traditional antivirus “does not provide adequate protection against today’s attacks.”
In fact, only 19 percent of respondents in the Ponemon report believe their compromise came from an “existing or known” attack, which might be caught by the traditional antivirus solutions receiving the bulk of endpoint security investments.
In contrast, 76 percent of respondents attribute their compromise to a “new or unknown zero-day attack”—exactly the type of attack that can be detected and mitigated by advanced endpoint protection capabilities.
Endpoint Protection: Beyond Traditional Antivirus
While endpoint protection platforms (EPPs) and endpoint detection and response (EDR) solution adoption continues to increase, effectively operationalizing, monitoring and hunting threats has proven problematic across resource-constrained organizations. As a result, endpoint breaches have been on the rise and will continue their trajectory due to increases in remote workers, mobile endpoints and cloud adoption.
As security leaders and practitioners have come to realize, making the case for additional security investment proactively is a challenge. Broad endpoint studies that lump enterprises and SMBs together cite overinflated costs and lose credibility.
As security personnel attempt to make the case for additional investment, and leaders are weighing decisions, we encourage careful consideration of:
The contextual probability of an incident
The probability of conversion to data disclosure and impact
Projected loss of records
Risk tolerance
Subsequent financial risk, including costs associated with business disruption, information loss, revenue loss and equipment damage
Indirect costs that have long-lasting implications
Comparisons to similar organizations that incurred breaches and the consequences they felt
Cost of investment, including technology and resources
Outcome expected in financial risk mitigation—be specific, quantifiable and realistic (not all risk can be eliminated)
If you find your organization is at substantial risk of an endpoint attack, or if you’d simply like assistance understanding and quantifying the risk, then we would be happy to help. Our esENDPOINT service, powered by CrowdStrike® and VMware Carbon Black delivers next-generation prevention with EDR capabilities powered by an elite team of cyberthreat hunters.
eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
