5 Charts That Show It Pays to Prevent a Cyberattack Rather Than Fight One

A new cybersecurity survey reveals that even simple defensive measures (we’re talking just basic cyber hygiene) can make a big difference.

In the daily battle against cyberattacks, it is far better to prevent a hack than to pay the price afterward.

The average cyberbreach cost $4.2 million in 2021, according to research from IBM and the Ponemon Institute. Preventive cybersecurity measures like threat detection, endpoint security, and patch management can cost much less, depending on the robustness of the effort and the size of the enterprise.

In fact, 85% of leaders whose organizations have been hacked agreed that it costs more to recover from a cybersecurity incident than to prevent one, according to the 2022 survey of more than 250 IT security decision-makers that Arlington Research conducted for Tanium. The companies surveyed had 250 or more employees and operated across a range of industries in the U.K.

Download the report: Cybersecurity—prevention is better than the cure.

“Many damaging security incidents could have been prevented,” says Oliver Cronk, a chief IT architect at Tanium. “There are a lot of headlines about sophisticated attacks that leverage techniques such as zero days and artificial intelligence, but over half the breaches that I see could have been prevented by maintaining baseline cyber hygiene standards. The current situation is the equivalent of leaving your front door and windows open and only locking them after a burglary has taken place.”

The charts below highlight the key issues facing IT leaders.

Cybersecurity threats are rising (thanks, hybrid work)

Unfortunately, the worst is yet to come, according to survey respondents. Eighty percent of C-suite decision-makers surveyed believe the risk of cyber threats is increasing. They expect 2022 to be the worst year yet for attacks.

Nearly three-quarters (71%) of senior leadership agreed that their organization’s IT security team was finding it more difficult to protect against threats in the hybrid work environment, compared with before the COVID-19 pandemic. Most companies focus more on physical security than cybersecurity, respondents said. But the pressure is on leaders to step up their game: The boards of surveyed companies are reportedly much more focused on cybersecurity than they were before the pandemic.

Cybersecurity incidents that “needed to happen”

The survey uncovered some hard truths about the attitude of organizations toward cybersecurity. Of those respondents who had experienced a cyberattack within the last six months, 86% believed senior leadership was likely to invest in cybersecurity only after suffering an attack.

And 75% said that “some cybersecurity incidents needed to happen” in order to get increased investment from leadership. A change of mindset is needed within senior leadership, which can only be achieved if IT teams look for opportunities to restore a healthy balance between reactive and preventive measures.

Cyber hygiene is vital, say cyberattack victims

Preventable causes of cyberattacks include clicking on a phishing link, failing to password-protect sensitive data, or leaving open a vulnerability in an unpatched device, all things that could be significantly reduced with proper cyber hygiene.

For example, the typical business network has a broad attack surface, including computers, servers, databases, virtual machines, mobile devices, operating systems, applications, and tools. If these resources aren’t regularly and properly maintained, data can be lost or misplaced, software can remain unpatched, and user privileges can grow outdated.

Staffing is a critical factor in prevention. Half of all respondents agreed they did not have enough staff or resources to invest sufficiently in preventive security measures. Public-sector organizations had the highest gap in staffing available to focus sufficiently on cybersecurity preventive measures (60%), followed by technology and telecom (54%), healthcare (52%), and education (52%) organizations.

Cyber hygiene boasts major dividends

Organizations that had taken a mainly preventive approach to cybersecurity were significantly less likely to have experienced a cyberattack or data breach within the last 24 months, the survey found.

It’s no wonder that almost seven out of 10 respondents (68%) believe that a predominantly preventive approach to cybersecurity is best. Larger organizations were more likely to adopt a preventive approach, with 70% of organizations with 500 or more employees claiming prevention as their preference, versus 60% of those with 250 to 499 employees.

Risk scoring, threat hunts, and other smart investments

There’s more good news in the survey: 81% of respondents agreed that “the evolution of risk analysis tools is making it easier to prevent cyber threats.” Risk scoring and threat hunting tools are other promising areas for investment.

Still, organizations often only increase their spending on cybersecurity tools and approaches after a cyberattack. Those that have experienced a cyberattack within the last six months are more likely than average to increase their spending on the tools and strategies listed above over the next fiscal year.

Given human psychology, the last finding—that leaders too frequently get their security house in order only after it’s been breached—is the least surprising of all. But it’s a common reactive approach most easily avoided with better prevention.

Mickey Butts
Mickey Butts is a senior editor for Endpoint. He was formerly a founder and executive editor of The Industry Standard magazine, and has written and edited about technology for Wired, The Financial Times, Businessweek, Harvard Business Review Press, The Information, The Boston Consulting Group, and T Brand Studios of The New York Times.