Gavin Hill, VP of strategy at cyber-security company Bromium, looks at how healthcare organisations can estimate return on investment (ROI) against costly cyber-attacks.
Cyber-attacks are not just an IT problem; they impact your whole business. A Department of Health and Social Care report published following the 2017 WannaCry attacks states that £150 million has been allocated to identify additional cyber investment between 2018/19 and 2020/21. This is a huge warning to healthcare providers, who need to bolster security and invest in the right security tools to safeguard their operations.
Though many would argue that cybersecurity is essential, it is notoriously difficult to get sign-off. Unless a hospital has just suffered a devastating attack, it’s difficult to justify the investment in security tools and to explain the cost savings and the improvements in trust gained from preventing a data breach.
Furthermore, it’s challenging to calculate a true total cost of ownership (TCO) for security tools. Initially, there are the upfront costs of the security technology (software and/or hardware), plus the licensing fees. However, security tools that rely solely on detection carry a hefty hidden cost – thousands of security alerts that must be triaged every week, often costing millions in labour. As a result, even if healthcare providers get the funding for cybersecurity tools, Security Operations Centre (SOC) teams are typically stretched to breaking point, putting patient data at risk.
Executives need to build business cases that accurately reflect the value of their security stack, as well as the TCO and impact that those technology investments have on IT teams.
Someone probably did get fired for choosing IBM
IBM used to play on the fear, uncertainty, and doubt of buying something outside the norm with the phrase “nobody ever got fired for choosing IBM.” Today’s vendors are still playing this mind game, particularly in cybersecurity, creating uncertainty when deciding what security tools to invest in and encouraging people to go with the norm, namely tools that rely on detection alone.
First, let’s look at the average cost of detect-to-protect security. Our research has found that organisations are investing $345,300 every year on detect-to-protect tools, with most of them adopting layered defences. Breaking this cost down, organisations are spending:
- $159,340 (£122,762) on advanced threat detection
- $44,200 (£34,053) on AV solutions
- $29,540 (£22,758) on whitelisting and blacklisting
- $112,340 (£86,551) on detonation environments
While it is important to invest in layered defences and protect against opportunistic known threats, the costs are eye-watering and investing in these tools alone will never provide the protection needed to defend against today’s advanced threats.
Cybercriminals are also becoming more efficient at evading detection with new evasive tactics, techniques, and procedures (TTPs), such as malware designed to lie dormant until spurred into action by human activity, or by developing something new that next-generation anti-virus (NGAV) will miss. NGAV absolutely serves the purpose of detecting and stopping known threats, and should not be forgotten. But the whole premise of investing in detection-based protection alone is shaky at best, and at worst, irresponsible.
Anti-virus can also slow down workloads: Moffitt Cancer Centre replaced its anti-virus after it stopped layered patient images from loading quickly. In other words, software that was designed to protect devices from malware was negatively affecting the radiologists’ ability to do their jobs.
Calculate your TCO to avoid a sting in the tail
It is not just the upfront costs of tools that healthcare providers should consider when making a purchase. Our research also found that detect-to-protect tools are drowning SOC teams with more than 1 million alerts every year. This deluge of alerts could create workforce costs running into the millions, spent on triage of threats, rebuilding compromised machines, and issuing patches. Potential costs like these mean there are a few things to ponder when considering your security investment.
First, you want your team to be alerted to real threats to the business, and not swamped by false positives. On average, SOC teams are spending 413,920 hours per year triaging alerts. It’s often impossible to understand the nature of an alert until it has been entirely investigated. This is a time-consuming task that greatly increases workforce costs, which hospitals simply cannot afford to pay.
Second, security leaders must consider how much time and how many resources will be spent on rebuilding compromised machines, which could push costs higher still. Based on our research, SOC teams are repairing an average of 50+ compromised devices every month. This is because detect-to-protect tools only detect threats after the fact, meaning hospitals and their organisations have to spend time after an attack has occurred rebuilding compromised machines.
Finally, ask yourself, can your cybersecurity see what threats are coming? The threat landscape is constantly changing, and many security applications can’t protect you against unknown threats. Detect-to-protect can defend you from what has already been discovered, but anything beyond that leaves you at risk of being owned. You need to be safe in the knowledge that you can defend yourself from any threats that come your way – future proofing your investment.
Don’t invest in something that isn’t up to the job
Ultimately, it is important to question our reliance on detect-to-protect tools and start looking at new ways to defend the enterprise that will stretch budgets further and reduce the chance of a breach occurring. Innovative technologies, such as application isolation and control, augment the existing security stack to stop new threats, helping health organisations focus on protection rather than detection only. This approach uses virtualisation to isolate every application in a protective enclave, so that even if malware does pose a threat, it is contained in a virtual environment – the malicious program has nowhere to go and nothing to steal.
This not only helps to reduce risk to the hospital or research centre, it decreases workforce costs by negating the need to rebuild compromised machines, putting an end to false positives, and providing detailed threat information that can be used to protect the healthcare enterprise at large. Importantly, this approach also provides vital reports that show how many threats have been stopped which would have otherwise infected the enterprise, demonstrating cybersecurity’s cost-effectiveness.