May 21, 2020 Elexon Ransomware Attack Highlights the Need for Risk-Based Cybersecurity Investment
Last week Elexon, a UK electrical energy-market company, was reportedly hit by a ransomware attack. Elexon operates in the energy market, monitoring trading between power station operators and electrical distributors and reconciling the differences. Elexon says its IT systems and email are down, and most cybersecurity specialists are (pending official confirmation) treating the attack as ransomware.
The high-profile ransomware attack draws attention, yet again, to the need for risk-based cybersecurity investment.
Most companies underinvest in cybersecurity, because they use obsolete formulas for determining how much to spend. One common formula is “percentage of IT budget”, which various pundits recommend (a typical spend is about 4% of the IT budget).
This is the wrong approach.
Companies aren’t investing in cybersecurity to protect their IT infrastructure and applications. They’re investing in cybersecurity to protect the company. That means the right way to think about cybersecurity investment is a risk-based approach, meaning that you need to look at the impact on the company if there’s a breach.
A ransomware attack highlights this issue very well. The true cost of ransomware isn’t the cost to fix the affected systems. It’s not even the cost of the ransom (should the victim elect to pay). It’s the cost of downtime, which (depending on the company and industry) can be millions of dollars a day. That’s far more than the total IT budget for most companies, which is why the “percentage of IT budget” measure for guiding cybersecurity investment is flawed.
Instead, CISOs should rely on a risk-based approach. In essence, the goal of a risk-based approach is to properly track the ROI of a cybersecurity investment: An investment in hardware, software, staff, or services of X dollars should reduce risk by 10X dollars (or whatever the company’s desired ratio is). Companies should also be able to tie their cybersecurity investments to a decrease in MTTC (mean total time to contain) a security incident, which is a measure of the effectiveness of the investment, as we discuss in this webinar.
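To make the ROI argument above concrete, here is a small added example (not Nemertes’ framework or any code from the original post) that models expected annual loss from a ransomware outage, applies a control that lowers incident likelihood and shortens downtime (a lower MTTC), and compares the resulting risk reduction with the “4% of IT budget” heuristic. All figures are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RansomwareScenario:
    """Constructed annual-loss model for a ransomware outage (illustrative only)."""
    annual_probability: float     # likelihood of a successful ransomware incident in a year
    downtime_days: float          # expected outage length per incident
    downtime_cost_per_day: float  # business loss per day of outage (the dominant term)
    recovery_cost: float          # cost to rebuild affected systems per incident

    def expected_annual_loss(self) -> float:
        # Downtime, not the fix or the ransom, dominates the loss per incident.
        per_incident = self.downtime_days * self.downtime_cost_per_day + self.recovery_cost
        return self.annual_probability * per_incident


@dataclass(frozen=True)
class Control:
    """A cybersecurity investment (hardware, software, staff or services) and its assumed effect."""
    annual_cost: float
    probability_reduction: float  # fraction by which the control lowers incident likelihood
    downtime_reduction: float     # fraction by which it shortens the outage (lower MTTC)


def residual_scenario(s: RansomwareScenario, c: Control) -> RansomwareScenario:
    """Scenario that remains after the control is in place."""
    return replace(s,
                   annual_probability=s.annual_probability * (1 - c.probability_reduction),
                   downtime_days=s.downtime_days * (1 - c.downtime_reduction))


def risk_reduction(s: RansomwareScenario, c: Control) -> float:
    """Expected annual loss avoided by the control, in dollars."""
    return s.expected_annual_loss() - residual_scenario(s, c).expected_annual_loss()


def roi_ratio(s: RansomwareScenario, c: Control) -> float:
    """Dollars of risk removed per dollar invested (the post's 'X should reduce risk by 10X')."""
    return risk_reduction(s, c) / c.annual_cost


def meets_target(s: RansomwareScenario, c: Control, target: float = 10.0) -> bool:
    return roi_ratio(s, c) >= target


def percent_of_it_budget(it_budget: float, fraction: float = 0.04) -> float:
    """The flawed heuristic: a fixed slice of IT spend, blind to downtime cost."""
    return it_budget * fraction


# Constructed figures: 20%/year likelihood, 7-day outage at $1M/day, $500k rebuild.
SCENARIO = RansomwareScenario(0.2, 7, 1_000_000, 500_000)
CONTROL = Control(annual_cost=100_000, probability_reduction=0.5, downtime_reduction=0.5)
IT_BUDGET = 5_000_000
```

With these constructed inputs the expected annual loss is $1.5M, the control removes $1.1M of it for a 11x ratio, and that loss alone exceeds the $200k a 4% rule would allocate.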
Nemertes has devised a risk-based approach for assessing the value of cybersecurity investment. We’ve presented this at RSA and were asked by NIST to incorporate it into the framework; we also develop customized risk frameworks for clients. If you’d like to learn more about how we can help, please contact us here.
Bottom line: Invest appropriately to protect your firm from threats like ransomware. And measure the value of your cybersecurity investment based on risk reduction, not a bogus metric like “percentage of IT spend”.