Orgs with In-house Security Pay Millions Less to Remediate an Attack

Large businesses with a small number of full-time security experts pay almost three times more to recover from a cyberattack than those businesses with in-house expertise.

In March-April 2016, Kaspersky Lab conducted a survey about attitudes toward and experiences with cybersecurity among more than 4,000 company representatives from businesses in different industries and of various sizes. The findings show a general shortage of full-time security staff and available expert talent, which points to a need for more specialists in the field.

The research also shows that large businesses hiring outside help pay between $1.2 million and $1.47 million to recover from a cybersecurity incident, compared to those large businesses that have in-house skilled IT security experts. Those with crisis management in-house pay between $100,000 and $500,000. This is because a significant share of recovery costs goes toward additional staff wages to hire external expert help, which on average costs $14,000 for SMBs and $126,000 for enterprises.

“In this evolving industry the relationship with our customers already goes beyond the shipment of a technology or a product—to providing the skills and training necessary to identify on-going attacks,” said Veniamin Levtsov, vice president, enterprise business at Kaspersky Lab. “Sharing detailed research about attacks on other businesses, in the form of intelligence reports, is also necessary, along with actionable, machine-readable data about on-going threats. Solving the different challenges of threat prevention, detection, incident response and prediction requires a lot of flexibility and experience and we are dedicated to helping grow the security expert workforce around the world.”

Generally, businesses, large and small, don’t have the full-time security expertise to properly handle an attack on their own. Only 15% of the employees in an IT department of a large company are dedicated to security. For example, in a large business, that equals 39 specialists in a typical team of 220 experts managing all aspects of the infrastructure. For SMBs, there are only two security experts out of a team of 16 IT professionals. With an average of 315,000 malware threats detected on a daily basis, businesses need to reconsider proactively enhancing their security defenses.

Surprisingly, nearly half (48%) of businesses admit there is a talent shortage and a growing demand for more specialists (46%). Proactively hiring experts before an incident, rather than bringing them in to pick up the pieces, significantly lowers the average IT costs and helps better protect the business.

Citing complexity of IT infrastructure, compliance requirements, and the overall desire to protect business assets, companies are willing to grow their security intelligence. In fact, for a third of businesses, the improvement of specialist security expertise is one of the top three drivers for an additional investment in IT security.

The good news is that overall, 68.5% of companies expect an increase in the number of full-time security experts, with 18.9% expecting a significant increase in headcount.

“Higher education is an important part of fulfilling such a demand, but this is also a call for a change within the security industry itself. One of the solutions is to aid universities with relevant experience,” the report noted. “Another very important long-term solution is to adapt R&D efforts towards the effective sharing of intelligence with corporate customers in the form of threat data feeds, security training, and services. A proper combination of security solutions and intelligence is what allows corporate security teams to spend less time and money on regular cybersecurity incidents and focus on strategic security development and advanced threats.”

Photo © Stuart Miles
