What We Do
How we do it
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
Jan 19, 2023
Increased Activity in Google Ads Distributing Information Stealers
THE THREAT On January 18th, 2023, eSentire Threat Intelligence identified multiple reports, both externally and internally, containing information on an ongoing increase in Google advertisements…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Dec 13, 2022
eSentire Named First Managed Detection and Response Partner by Global Insurance Provider Coalition
Waterloo, ON – December 13, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), today announced it has been named the first global MDR partner by Coalition, the world’s first Active Insurance provider designed to prevent digital risk before it strikes. Like Coalition, eSentire is committed to putting their customers’ businesses ahead of disruption by improving their…
Read More
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Blog — Mar 17, 2020

Quantifying Risk: Making the Case for Greater Endpoint Protection

6 minutes read
Speak With A Security Expert Now

As the coronavirus (COVID-19) continues to spread, the virulent disease has impacted our lives with restricted global travel, cancelled public and sporting events, and it compels employees to work remotely from home. We’ve seen a rise of fake coronavirus resources and websites as criminal elements take advantage of this situation. They know remote workers are not always as well-protected as ones behind the defenses of the mothership. In times like these, it becomes even more important to protect the laptops, tablets and other mobile devices used by your distributed workforce.

Quantifying Risk: Making the Case for Greater Endpoint Protection

In late 2018, the Ponemon Institute’s State of Endpoint Security Risk report stated that 34 percent of survey respondents indicated their endpoints had no protection. Unfortunately, this figure represents an increase compared to the 2017 report’s 28 percent. Perhaps unsurprisingly, the majority—64 percent—of survey respondents indicated that their organizations were compromised by one or more successful endpoint attacks in 2018. Again, this number reflects an increase over the previous year (54 percent).

From Cyber Risk to Financial Risk

While the cyber risk associated with endpoints is well-established, the financial risk—the minimum incurred yearly financial risk—is often considered in broad terms without sufficiently considering an organization’s characteristics.

To accurately determine the minimum incurred yearly risk of endpoints requires knowing multiple variables:

Probability of an Incident

Studies often site widely inaccurate claims around breach probabilities and their consequences. Lumping small and medium businesses (SMBs), enterprises and a broad range of industries into calculations results in inaccurate estimations that lack real-world context.

At eSentire, we created a risk propensity model based upon real-world observations (as opposed to survey results) of what we see bypass our clients’ existing security controls. The figure below shows, for a 12-month period and based upon an organizations’ number of sites, the probability of at least one incident that involves a bypass of existing endpoint security controls.

For illustrative purposes, we’ve shown three industries: finance, legal and healthcare.

The more sites an organization has, the higher the risk. This conclusion follows logically: the more sites, the larger the threat surface (endpoints in this case) and the more opportunities for attackers. To keep our model conservative, we assumed that each location is both independent and segregated from the others. That is, a breach at one site doesn’t make a breach at another any more likely, and a breach at one site does not spread laterally to another.

Conversion to Data Disclosure

While probability of an incident is important, conversion to data disclosure is critical for calculating risk. To continue with our illustrative purposes, finance, legal and healthcare organizations have observed incident conversion to data disclosure at rates of 22 percent, 23 percent and 65 percent. Notice the disparity between healthcare and the finance and legal industries. This is due in part to the nature of the data protected and the level of cybersecurity investment, especially around detection, response and recovery.

Calculating the probability of an incident and it resulting in data disclosure requires multiplying our two variables (probability of an incident X conversion to data disclosure rate). For our finance, legal and healthcare illustrations we will use the values for organizations with three locations. The resultant probability of an incident converting to data disclosure is:

Impact and Incurred Yearly Risk

Determining incurred yearly risk requires subjectivity from the organization at risk. To illustrate, the latest Ponemon Cost of a Data Breach Study reported that every record lost in a data breach results in the following cost:

No study can accurately project how many records an organization will lose if a data breach occurs. Leadership must determine, based on risk tolerance models, the projected number of records expected to lose in the case that a data breach occurs. For example, the below represents sample financial impact based on number of records lost:

Records Lost
























While these values are representative of when data disclosure does occur, it lacks application of risk of an incident and conversion to data disclosure over a 12-month period. To ultimately arrive at minimum incurred yearly risk (with at least one incident occurring), we must combine impact with probability of incident to data disclosure. The resultant minimum incurred yearly risk is:

Records Lost
























These values represent the minimum financial outlay organizations should expect over a 12-month period based on contextual risk.

Mismanagement of Risk

Despite an abundance of evidence that it’s just good business to invest in security solutions, many organizations wait until it’s too late. Rather than prudently managing financial risk by protecting endpoints, they respond only after incurring costs due to successful attacks.

This “wait and hope” approach manifests in inadequate security budgets. Gartner reports that the average organization spends $1,178 per employee on security, with only $124 of that figure dedicated to endpoint protection.

And, again despite ample evidence suggesting a different approach is needed, traditional antivirus remains the primary protection for endpoints—even though the Ponemon study shows that 57 percent of organizations recognize that traditional antivirus “does not provide adequate protection against today’s attacks.”

In fact, only 19 percent of respondents in the Ponemon report believe their compromise came from an “existing or known” attack, which might be caught by the traditional antivirus solutions receiving the bulk of endpoint security investments.

In contrast, 76 percent of respondents attribute their compromise to a “new or unknown zero-day attack”—exactly the type of attack that can be detected and mitigated by advanced endpoint protection capabilities.

Endpoint Protection: Beyond Traditional Antivirus

While endpoint protection platforms (EPPs) and endpoint detection and response (EDR) solution adoption continues to increase, effectively operationalizing, monitoring and hunting threats has proven problematic across resource-constrained organizations. As a result, endpoint breaches have been on the rise and will continue their trajectory due to increases in remote workers, mobile endpoints and cloud adoption.

As security leaders and practitioners have come to realize, making the case for additional security investment proactively is a challenge. Broad endpoint studies that lump enterprises and SMBs together cite overinflated costs and lose credibility.

As security personnel attempt to make the case for additional investment, and leaders are weighing decisions, we encourage careful consideration of:

If you find your organization is at substantial risk of an endpoint attack, or if you’d simply like assistance understanding and quantifying the risk, then we would be happy to help. Our esENDPOINT service, powered by CrowdStrike® and VMware Carbon Black delivers next-generation prevention with EDR capabilities powered by an elite team of cyberthreat hunters.

If you want to better understand incurred yearly endpoint risk that your organization uniquely faces, download our Making the Case for Advanced Endpoint Protection white paper.

View Most Recent Blogs

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.