A Cost-Benefit Analysis Approach to Cyber Security
This was never more true than in 2020, when COVID-19 disrupted the way organisations worked and prompted a growing reliance on technology — creating vulnerabilities that translated into an increase in cyber-attacks.
Protecting your organisation’s network is all about taking calculated risks and reducing threats. That’s why, in addition to making the right investments, a smart cyber security and threat mitigation strategy should account for uncertainty by emphasising agility and supporting continual assessment.
But how can you ensure that you’re making space for uncertainty in your strategy, as well as communicating its importance to the board? In most cases, the best way is through embarking upon a thorough cyber risk assessment and cost-benefit analysis.
Suggested reading: If you need help explaining cyber security to leadership, check out our free toolkit — Board Presentation Template: Cyber Security and Threat Management.
Cost-benefit analysis (CBA) is a method used to evaluate a project by comparing its losses and gains — essentially a quantified and qualified list of pros and cons. CBA is a useful way to assess business projects because it reduces the evaluation complexity to a single price figure. As you can imagine, this makes CBA an invaluable tool when it comes to explaining the intricacies and selling the value of a robust cyber security strategy to key stakeholders.
Pro tip: Today’s executives report being more open to new cyber security strategies than ever before. In 2020, 50% of executives said that they were willing to consider cyber security as a factor in every business decision (compared to only 25% the previous year). Use this as an opportunity to build foundations that will help create a sustainable and safe future.
One of the most important things to emphasise in your CBA is the inherent trade-off between paying to prevent a mess versus paying to clean up a mess. In 2020, attacks cost governments and businesses a whopping $1 trillion — that’s 1% of global GDP. For individual companies, the average cost of a single data breach stood at $3.6 million. While UK insurers now offer cover for ransomware demands — relieving some of the financial pressure on businesses — the ‘hidden’ costs of an attack can still have a devastating effect on operations and a company’s bottom line. For instance:
Of course, investing in preventative cyber security measures also comes at a cost. In 2020, global spending on cyber security reached an estimated $123 billion. By 2022, this number is on track to top $133 billion.
With that said, there is no reliable way to measure a ‘typical’ cyber security budget, as spending varies from business to business and industry to industry. A Gartner report indicates that the average company spends anywhere from 1% to 13% of its IT budget on cyber security. In the often-targeted financial services sector, that figure stands at around 10%. Amongst large enterprises, 50% spend at least $1 million on cyber security each year, with another 43% spending at least $250,000.
Despite these variations, one thing remains crystal clear: for most businesses, the cost of prevention pales in comparison to the cost of a breach.
If you’re serious about proving the value of investing in a strong, agile cyber security system to stakeholders, the best place to begin is with a risk assessment. A cyber security risk assessment is about identifying your business priorities, determining the risks you are willing to accept and comparing those with the benefits.
Undergoing a risk assessment requires you to answer key questions, such as:
The answers to these questions will form the foundation of a robust strategy — and they’ll also give you the information you need to complete a CBA so that you can more persuasively sell this strategy to the board.
Remember, applying a CBA to your risk assessment is all about determining the risks you are willing to accept and comparing the costs of those risks against the benefits. This involves thinking about the direct and indirect risks you face, as well as the direct and indirect costs that could arise as a result of taking these risks. Examples of each include:
It’s helpful to think about both direct and indirect factors when applying a CBA to your risk management strategy. For instance, you might compare:
Much of a CBA involves coming up with options that you could undertake to achieve your project’s objectives — so you’ll want to keep breaking things down and playing with various risks, costs and outcomes. For instance, you might look at the costs vs benefits of factors like:
Strategising effectively is all about placing risk within the context of your own business and its unique appetite for risk. However, you’ll probably start to see a pattern emerge: preventative cyber security measures usually more than pay for themselves — particularly if approached in a cost-effective way.
Pro tip: To really highlight a cyber security strategy’s value to stakeholders, you might also find it helpful to include a ‘do nothing’ or ‘do minimum’ option.
At the end of the day, you should always be looking for the most effective way to deliver the outcomes you need. There is generally a cost/benefit trade-off between investment and risk. However, not all investments are equally costly.
For example, endpoint security systems partnered with managed detection and response (MDR) services, such as those we offer at Six Degrees, are a great paired solution that delivers increased security and agility at limited cost. Pairing MDR with endpoint security is also an ideal response to the challenges created by remote working and remote access that are likely to define much of 2021 and beyond.
To learn more, read What is MDR?
Simply put, upfront investment with strategic partners delivers more robust security outcomes than the alternatives. One of the greatest benefits of forming a strategic partnership with a managed service provider is that it gives you access to economies of scale, allowing you to sidestep the cyber security skills shortage.
In addition to delivering on-demand talent, working with a service provider enables you to:
Pro tip: Full protection is never guaranteed. In the unfortunate event of an attack or failure, savvy management and effective response can significantly reduce the impact on your business — another instance of the benefit outweighing the cost.
Risk management is all about managing uncertainties. When it comes to preventing costly attacks, there’s significant value to be found in investing upfront in order to avoid paying a higher price later.
Ultimately, cyber security is a journey, not a destination. Any investment you make should be agile and flexible enough to meet both current and future demands. Six Degrees offers the capabilities and expertise you need to ensure business continuity in 2021 and beyond.
Ready to learn more about how we can keep your business secure? Get in touch today!