Enterprises are each spending more than $16 million per year on detection-based security, driven by surging hidden costs.
More specifically, initial, upfront licensing and deployment investment in security-detection tools like antivirus is dwarfed by the cost of human skills and effort to manage and assess the millions of alerts and false-positive threat intelligence generated, according to new analysis.
A survey from Bromium, which polled 500 CISOs from global enterprises, found that organizations invest about $345,300 per year on these kinds of tools, yet the average annual cost to maintain detect-to-protect endpoint security spirals to more than $16,714,186 per enterprise because of hidden human costs.
The solutions that organizations are spending money on up front vary and include: advanced threat detection (annual spend $159,220); next-generation and traditional antivirus (annual spend $44,200); whitelisting and blacklisting (annual spend $29,540); and detonation environments (annual spend $112,340).
However, labor costs are soaring as a direct result of detection-based technology failures: security operations center (SOC) teams receive more than 1 million alerts every year, but 75% are false positives. SOC teams thus spend 413,920 hours per year triaging alerts, an additional 2,448 hours rebuilding compromised machines, and 780 hours on emergency patching. Altogether, that is 417,148 hours per year, resulting in an annual labor cost of $16,368,886 per enterprise.
“Detection requires a patient zero – someone must get owned and then protection begins. Yet, because of this, rebuilds are unavoidable; false positives balloon; triage becomes more complex and emergency patching is increasingly disruptive,” said Gregory Webb, CEO, Bromium. “It’s no surprise that 63% of the CISOs we surveyed said they’re worried about alert fatigue. Our customers tell us their SOC teams are drowning in alerts, many of which are false positives, and they are spending millions to address them.”
Aside from the expected upfront expenditures, during evaluations CISOs need to be asking questions that uncover the hidden costs, such as:
- Where are most of the attacks happening?
- Are advanced threats getting through current defenses?
- Is employee productivity negatively impacted by current security measures?
- How many alerts are being generated? Of those, how many are false positives?
- Is it likely that machines will still become compromised and need to be rebuilt?
“Meanwhile, advanced malware is still getting through because cybercriminals are focusing on the weak spots, like email attachments, phishing links, and downloads,” Webb said. “This is why organizations must consider the total cost of ownership when making security investments rather than just following the detect-to-fail crowd.”