How Much $ Can Good IT Security Save You?

ciscovni2015

The image above is from my post of May 31, 2015 (http://oversitesentry.com/cisco-vni-says-3x-more-data-by-2019/), in which Cisco surveyed data traffic for 2014-2019: it is going up, and Internet traffic will triple.

We know there will be more Internet traffic in the future, so how much do we spend on securing our networks?

To keep it simple, let’s pretend there is a company with $100,000 in sales (which is a very small company).

Let’s assume that criminals are out to steal information, resources, and your money. (Information may be your client base or your personal information. Resources are your computers on the Internet; criminal hackers are always trying to use other people’s computers to make money.)

So let’s say that if a criminal is successful they will steal $500 – $1000 per month, as the criminal can install ransomware more than once and on several computers, or can steal the resources of your computers all the time.

What is the value of a computer running on the Internet? To you it has value, but to the criminal hacker it has a different value. It may be a spam server, or part of a botnet, or used to obtain Bitcoins, and more. So I am generalizing this number to $1000.

This number ($500) is not taken out of thin air: ransomware charges $500 to get your files back. The reason I say monthly is that there is a chance every month that criminals are successful in attacking you.

Here is an old post (Jun11) which discusses 1000% ROI on ransomware & exploits by criminals:

http://oversitesentry.com/criminal-hackers-have-1000-roi-on-ransomware-exploits/

I adapted Brian Krebs’ hacked computer value image to show what an email account would potentially be worth to a hacker, creating this image.

fixvirus-com-hackedemailaccountworth

What if your computer is used as a child pornography server? What is the value of that? I have no idea of the dollar amount, but the PR and jail term associated have a value that is hard to quantify in dollars.

So, getting back to our fictitious $100,000 sales company (per year).

If a ransomware incident of $500 could happen once per month, that could mean as much as $6,000 in a year, and at up to $1000 per month, $12,000 in a year.

So the ransomware/criminal could affect, in real dollars, 6% – 12% of sales.

  • If we also estimate a PR effect of 10% (10k): the cost of notifying the media, at minimum.
  • Information cost of 10% (10k): the cost of telling people of the breach, which is now legally mandated.
  • Resource cost of 6% (6k): the lost opportunity cost of using the computers.

Sales – maximum criminal hacker cost: $100k – $32k = $68k

100ksales-costofcriminalhacker

I created the image for the case where your files were scrambled or the hackers had access to your computer, because the actual ransomware is a minimal cost compared with the PR, information, and resources lost.

Would the cost for a $1 mil sales company translate to 6% of sales? Or would it be a $6k – $12k criminal “cost” against $1 mil in sales, which means 1.2% criminal cost?

The cost can obviously be higher than $12k when one has more clients in a database, as the criminal can steal more data value. And of course the value of PR could be higher with each million $ amount.

So if we stick to 6-12% criminal “costs”, then each million dollar amount can cost $60,000 – $120,000 for an ‘incident’.

A $3mil sales company can now jump into the quarter million+ dollar range ($180k – $360k).

It is always hard to quantify the savings from a criminal hacker thwarted, but using 6-12% is a good general tool to think about the potential budgets for your security department.

When the security department works and you have no criminals at your door, the security department is saving you tens of thousands of dollars.
