As the coronavirus (COVID-19) continues to spread, the virulent disease has impacted our lives with restricted global travel, cancelled public and sporting events, and it compels employees to work remotely from home. We’ve seen a rise of fake coronavirus resources and websites as criminal elements take advantage of this situation. They know remote workers are not always as well-protected as ones behind the defenses of the mothership. In times like these, it becomes even more important to protect the laptops, tablets and other mobile devices used by your distributed workforce.
Quantifying Risk: Making the Case for Greater Endpoint Protection
In late 2018, the Ponemon Institute’s State of Endpoint Security Risk report stated that 34 percent of survey respondents indicated their endpoints had no protection. Unfortunately, this figure represents an increase compared to the 2017 report’s 28 percent. Perhaps unsurprisingly, the majority—64 percent—of survey respondents indicated that their organizations were compromised by one or more successful endpoint attacks in 2018. Again, this number reflects an increase over the previous year (54 percent).
From Cyber Risk to Financial Risk
While the cyber risk associated with endpoints is well-established, the financial risk—the minimum incurred yearly financial risk—is often considered in broad terms without sufficiently considering an organization’s characteristics.
To accurately determine the minimum incurred yearly risk of endpoints requires knowing multiple variables:
- The characteristics of an organization
- The probability an incident converting to data disclosure
- The impact per record disclosed
Probability of an Incident
Studies often site widely inaccurate claims around breach probabilities and their consequences. Lumping small and medium businesses (SMBs), enterprises and a broad range of industries into calculations results in inaccurate estimations that lack real-world context.
At eSentire, we created a risk propensity model based upon real-world observations (as opposed to survey results) of what we see bypass our clients’ existing security controls. The figure below shows, for a 12-month period and based upon an organizations’ number of sites, the probability of at least one incident that involves a bypass of existing endpoint security controls.
For illustrative purposes, we’ve shown three industries: finance, legal and healthcare.
The more sites an organization has, the higher the risk. This conclusion follows logically: the more sites, the larger the threat surface (endpoints in this case) and the more opportunities for attackers. To keep our model conservative, we assumed that each location is both independent and segregated from the others. That is, a breach at one site doesn’t make a breach at another any more likely, and a breach at one site does not spread laterally to another.
Conversion to Data Disclosure
While probability of an incident is important, conversion to data disclosure is critical for calculating risk. To continue with our illustrative purposes, finance, legal and healthcare organizations have observed incident conversion to data disclosure at rates of 22 percent, 23 percent and 65 percent. Notice the disparity between healthcare and the finance and legal industries. This is due in part to the nature of the data protected and the level of cybersecurity investment, especially around detection, response and recovery.
Calculating the probability of an incident and it resulting in data disclosure requires multiplying our two variables (probability of an incident X conversion to data disclosure rate). For our finance, legal and healthcare illustrations we will use the values for organizations with three locations. The resultant probability of an incident converting to data disclosure is:
- Finance: 11 percent
- Legal: 17 percent
- Healthcare: 46 percent
Impact and Incurred Yearly Risk
Determining incurred yearly risk requires subjectivity from the organization at risk. To illustrate, the latest Ponemon Cost of a Data Breach Study reported that every record lost in a data breach results in the following cost:
- Finance: $210
- Legal: $178
- Healthcare: $429
No study can accurately project how many records an organization will lose if a data breach occurs. Leadership must determine, based on risk tolerance models, the projected number of records expected to lose in the case that a data breach occurs. For example, the below represents sample financial impact based on number of records lost:
Records Lost |
Finance |
Legal |
Healthcare |
1,000 |
$210,000 |
$178,000 |
$429,000 |
5,000 |
$1,050,000 |
$890,000 |
$2,145,000 |
10,000 |
$2,100,000 |
$1,780,000 |
$4,290,000 |
25,000 |
$5,250,000 |
$4,450,000 |
$10,725,000 |
50,000 |
$10,500,000 |
$8,900,000 |
$21,450,000 |
While these values are representative of when data disclosure does occur, it lacks application of risk of an incident and conversion to data disclosure over a 12-month period. To ultimately arrive at minimum incurred yearly risk (with at least one incident occurring), we must combine impact with probability of incident to data disclosure. The resultant minimum incurred yearly risk is:
Records Lost |
Finance |
Legal |
Healthcare |
1,000 |
$23,100 |
$30,260 |
$197,340 |
5,000 |
$115,500 |
$151,300 |
$986,700 |
10,000 |
$231,000 |
$302,600 |
$1,973,400 |
25,000 |
$577,500 |
$756,500 |
$4,933,500 |
50,000 |
$1,155,000 |
$1,513,000 |
$9,867,000 |
These values represent the minimum financial outlay organizations should expect over a 12-month period based on contextual risk.
Mismanagement of Risk
Despite an abundance of evidence that it’s just good business to invest in security solutions, many organizations wait until it’s too late. Rather than prudently managing financial risk by protecting endpoints, they respond only after incurring costs due to successful attacks.
This “wait and hope” approach manifests in inadequate security budgets. Gartner reports that the average organization spends $1,178 per employee on security, with only $124 of that figure dedicated to endpoint protection.
And, again despite ample evidence suggesting a different approach is needed, traditional antivirus remains the primary protection for endpoints—even though the Ponemon study shows that 57 percent of organizations recognize that traditional antivirus “does not provide adequate protection against today’s attacks.”
In fact, only 19 percent of respondents in the Ponemon report believe their compromise came from an “existing or known” attack, which might be caught by the traditional antivirus solutions receiving the bulk of endpoint security investments.
In contrast, 76 percent of respondents attribute their compromise to a “new or unknown zero-day attack”—exactly the type of attack that can be detected and mitigated by advanced endpoint protection capabilities.
Endpoint Protection: Beyond Traditional Antivirus
While endpoint protection platforms (EPPs) and endpoint detection and response (EDR) solution adoption continues to increase, effectively operationalizing, monitoring and hunting threats has proven problematic across resource-constrained organizations. As a result, endpoint breaches have been on the rise and will continue their trajectory due to increases in remote workers, mobile endpoints and cloud adoption.
As security leaders and practitioners have come to realize, making the case for additional security investment proactively is a challenge. Broad endpoint studies that lump enterprises and SMBs together cite overinflated costs and lose credibility.
As security personnel attempt to make the case for additional investment, and leaders are weighing decisions, we encourage careful consideration of:
- The contextual probability of an incident
- The probability of conversion to data disclosure and impact
- Projected loss of records
- Risk tolerance
- Subsequent financial risk, including costs associated with business disruption, information loss, revenue loss and equipment damage
- Indirect costs that have long-lasting implications
- Comparisons to similar organizations that incurred breaches and the consequences they felt
- Cost of investment, including technology and resources
- Outcome expected in financial risk mitigation—be specific, quantifiable and realistic (not all risk can be eliminated)
If you find your organization is at substantial risk of an endpoint attack, or if you’d simply like assistance understanding and quantifying the risk, then we would be happy to help. Our esENDPOINT service, powered by CrowdStrike® and VMware Carbon Black delivers next-generation prevention with EDR capabilities powered by an elite team of cyberthreat hunters.
If you want to better understand incurred yearly endpoint risk that your organization uniquely faces, download our Making the Case for Advanced Endpoint Protection white paper.
