
The costs of protecting identity

Is it better to pay now or later?

How much is your organization’s identity access security worth? With the average cost of recovery after a breach surpassing $1.6 million, according to a new study, it’s critical for organizations to balance the budgets for their cybersecurity needs.

Cybersecurity and threat intelligence company Sophos surveyed 5,000 IT and security leaders to understand how IT leadership is approaching issues around identity and cybersecurity. The report states 71% of organizations reported at least one identity-related security breach in the past year, with an average of three attacks per victimized organization.

Delinea defines identities as digital versions of employees that can access specific services and resources. As IBM details, threat actors target identities via phishing, credential theft, and more, with the goal of impersonating users and accessing systems. IT professionals can attempt to counter these attacks via stringent identity and access management (IAM) to manage users and access privileges.

John Shier, field CISO for Sophos, told IT Brew that organizations can’t ignore identity breaches, especially given the high costs of recovery. “That’s a lot of money, and in some instances, that money could be something that is very material to the business, especially when you’re talking [about] smaller, medium-sized businesses who just can’t afford this kind of thing,” Shier said. “They are also material to bigger organizations.”

Remediation costs can depend on the size of an organization. Shier wrote in an email that victims can incur costs for incident response and forensic services, IT-related work, downtime penalties, and post-incident investments.

“IT recovery and remediation costs for rebuilding systems, restoring data, and hardening controls after the attack,” Shier said. “Downtime and operational disruption costs represent lost revenue and interrupted business processes. Security uplift costs include post-incident investments in new tools, services, and improved readiness capabilities.”

The balancing act. Shier said that, before crafting a budget to secure enterprise IT, CISOs have to understand all of the risks, as well as the cost of mitigation, which can include technology, people, and other resources.

It’s not that organizations don’t understand the issue, Shier said, but rather that they face trade-offs. For example, a hospital system instituting cybersecurity measures like stronger authentication might risk slowing down patient care.


“Identity is really important, it’s just not always the most important in context to the business,” Shier said. “If it’s not central to the revenue generation or the delivery of your service, the investment decisions look a little bit differently sometimes.”

But organizations can still identify where to invest effectively in identity protection and head off the costs associated with recovery and remediation.

“Organizations don’t wake up every morning wanting better identity,” Shier said. “They want fewer support tickets, they want faster onboarding for new employees, they want smoother user experiences and lower costs, and sometimes identity is what actually makes those happen, but it’s not necessarily the end itself to those means.”

Saving by spending first. When protecting IT infrastructure against identity-based attacks, IT pros should look to eliminate friction, which Shier said can wreck identity projects when business priorities require departments to fix the most urgent things with the resources, staffing, and money they have.

There’s also a need for preventative measures. Shier said organizations should incorporate continuous monitoring (for unusual login attempts, for example) and similar tools. Additionally, Shier wrote in an email that investing in things like recovery capabilities can help reduce post-incident costs.

“Organizations reduce costs by detecting and stopping attacks earlier, limiting how far incidents progress and reducing downstream impact,” Shier wrote. “They improve outcomes by investing in incident readiness, including tested response plans and reliable, restorable backups.”

It’s also important for organizations to consider cybersecurity insurance against potential breaches. Shier suggested that identity protection could be critical in securing a policy, especially with insurance companies instituting stricter requirements.

“It’s a bit complicated, but it is a balancing act,” Shier said. “I don’t think that there’s a really great equation, or necessarily a rule of thumb that says you should do all this. It’s based on our business, our risk tolerances, our ability to respond.”

About the author

Caroline Nihill

Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.
