Some might hesitate to invest in cybersecurity. Some do not think they need it – “it will not happen to us”. Some say they do not have the budget. But what if the alternative cost of a cyberattack were higher than the cost of sufficient protection? The fact is that you might lose more by not investing in cybersecurity, for example money, reputation, and uptime. We will explain how investing in cybersecurity can save you money and what a data diode can spare you!
What is a data diode?
A data diode is a cybersecurity solution that ensures unidirectional information exchange. This high assurance hardware device maintains network integrity by preventing intrusion, as well as network confidentiality by protecting the most security sensitive information. A high assurance data diode protects assets for operators within critical infrastructure (ICS/SCADA) and defence industries. However, along with digitalisation and the increase in sophisticated cyberattacks, every organisation that handles sensitive information can make good use of a data diode to protect its valuable information and exchange data securely.
How does a data diode work?
Data diodes are the failsafe way to protect sensitive systems and confidential data. Data diodes are hardware devices, also called “unidirectional security gateways”, which sit between two networks. Working like a check valve, the function of a data diode is to allow all data to pass in the forward direction, while blocking all data in the reverse direction. And because the one-way enforcement is done in hardware rather than software, it cannot be directly attacked by malicious code, which results in high assurance.
Investing in a data diode
It is time to take security seriously to avoid high risks and costs that could be much more than investing in building a security-conscious organisation. Businesses today are direct targets for many cyberattacks and companies that depend on IT systems for operation, monitoring and governance are particularly vulnerable. Not having sufficient protection for your sensitive networks and systems can result in high costs.
To invest in a data diode is to invest in a high security solution – it cannot be compared to regular measures for IT security. If you need to transfer information to or from a security sensitive network, “regular” IT security is not the only solution you have to choose from.
What the alternative cost can become
First of all, having sufficient cybersecurity can protect you from ransomware, data leakage, data manipulation and so on. There are plenty of examples just during the past year where companies have been struck by attacks that have caused large costs. An attack can become very expensive, for example you can lose money due to:
- Downtime affecting your operations
- Lost revenues
- Restoring and cleaning up systems
- Lost trust/goodwill
An average cyberattack in 2021 could cost around USD 3.86 million to USD 4.24 million. So, protecting yourself against this is more than important. It is vital.
Many might think “We have our firewall, what else can we do?”. But if you have information or systems that are crucial to your organisation, perhaps your whole operation depends on them, you may find it appropriate to mitigate your risks and invest in a high security solution. Many networks require extra protection against manipulation and data leakage as they contain classified or sensitive information. If these networks/systems are exposed to an attack, a firewall will probably not protect you from having to spend a lot to recover.
In addition, there are several laws and regulations which require that you have sufficient protection of sensitive information and systems – for example the NIS Directive. In Sweden, another law that can affect how you must protect your sensitive information is the Protective Security Act. If you have not practised due care in your own organisation, or with your outsourcing partners, you can receive a penalty fee of up to 50 million SEK. Quite an expense for not complying. A recent example of having to pay a fine is Region Uppsala, who sent sensitive personal details unencrypted to recipients abroad. This cost them 2 million SEK.
Calculating the cost of security, or not having security
Cyber Risk Quantification (CRQ)
Since cyberattacks are increasing, there is an increasing need for cyber risks to be measured and reported in financial terms. Business leaders want to know more about the risks that they face and what the costs could be. To do a Cyber Risk Quantification (CRQ) means to prioritise risks according to their potential for financial loss, thus allowing responsible people in a company to create budgets based on mitigation strategies that afford the best protection and return on investment.
In a CRQ, you look at the economic impact of cyber risk on your business, but also on more intangible yet fundamental areas like customer satisfaction, employee engagement, reputation management, brand protection or supply chain management. All these are risks that may cost you money in the end. The risk cost is the probability of a certain consequence times the cost that consequence has. So, for a consequence that would cost the company or organisation 1 MSEK and has a probability of once every ten years, the risk cost is 100 000 SEK/year. The protection for this particular risk should then not be more than that amount.
Return on security investment (ROSI)
Return on security investment (ROSI) is about calculating what the lack of security can cost and what the most cost-effective solutions are, so that an organisation knows what it should spend on security. This calculation can lead to the following questions:
- Are we paying too much for our security?
- What financial impact could a lack of security have on our productivity?
- When will our security investment be enough?
- Is this security product or service beneficial?
You can calculate the ROSI with the formula below. The result is your return on security investment expressed as a percentage. It is based on Annualised Loss Expectancy (ALE), estimated risk mitigation, and the cost of the solution:
(Monetary loss reduction – Cost of the solution) / Cost of the solution
Where Monetary loss reduction is the difference between the ALE without the security solution and the ALE after implementing the security solution.
For example, assume ALE is 100 000 SEK/year without the security solution and that it goes down to 10 000 SEK/year with a security solution that costs 25 000 SEK/year:
(100 000 – 10 000 – 25 000) / 25 000 = 260%
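The risk-cost rule from the CRQ section (probability per year times consequence cost, and spend no more than that on protection) and the ROSI formula above fit together in a few lines of code. The following is an added example, not code from the original article or its vendor; the loss events in the ranking demo are constructed sample values, not figures from the page, while the two checks at the bottom reproduce the 100 000 SEK/year and 260% figures given in the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossEvent:
    """One loss scenario: what a single occurrence costs and how often it happens per year."""
    name: str
    cost_sek: float      # cost of one occurrence (single loss expectancy)
    per_year: float      # annual rate, e.g. 0.1 means once every ten years


def risk_cost_per_year(cost_sek, once_every_years):
    """Risk cost as defined in the CRQ section: probability per year times consequence cost."""
    return cost_sek / once_every_years


def annualised_loss_expectancy(events):
    """ALE = sum over all loss scenarios of (annual rate x cost of one occurrence)."""
    return sum(e.cost_sek * e.per_year for e in events)


def rosi(ale_without, ale_with, solution_cost_per_year):
    """(Monetary loss reduction - cost of the solution) / cost of the solution, as a fraction.

    ale_without / ale_with are the ALE before and after the control; 2.6 means 260 %.
    """
    loss_reduction = ale_without - ale_with
    return (loss_reduction - solution_cost_per_year) / solution_cost_per_year


def rank_solutions(ale_without, candidates):
    """Rank candidate controls by ROSI, best first.

    candidates: iterable of (name, ale_with_control, yearly_cost).
    Each result is (name, rosi_fraction, within_ceiling) where within_ceiling applies the
    CRQ rule of thumb that yearly protection cost should not exceed the yearly risk cost.
    """
    ranked = [
        (name, rosi(ale_without, ale_with, cost), cost <= ale_without)
        for name, ale_with, cost in candidates
    ]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed sample scenario (hypothetical figures, not from the article):
SAMPLE_EVENTS = [
    LossEvent("ransomware on office network", cost_sek=2_000_000, per_year=1 / 20),
    LossEvent("regulatory fine after data leak", cost_sek=2_000_000, per_year=1 / 50),
]

# Constructed candidate controls: (name, ALE remaining with the control, yearly cost).
SAMPLE_CANDIDATES = [
    ("control A", 30_000, 25_000),
    ("control B", 10_000, 200_000),   # costs more per year than the risk itself
]


if __name__ == "__main__":
    # Figures from the article's own text:
    print("Risk cost, 1 MSEK once per 10 years:", risk_cost_per_year(1_000_000, 10), "SEK/year")
    print("ROSI for the article's example:", f"{rosi(100_000, 10_000, 25_000):.0%}")
    # Constructed scenario:
    ale = annualised_loss_expectancy(SAMPLE_EVENTS)
    print("Sample ALE without control:", ale, "SEK/year")
    for name, r, ok in rank_solutions(ale, SAMPLE_CANDIDATES):
        print(f"{name}: ROSI {r:.0%}, within risk-cost ceiling: {ok}")
```

The ranking is the practical use of the two formulas: a control can show a positive ROSI and still fail the CRQ ceiling, as control B does in the constructed data, which is the case the text warns about when it says protection for a risk should not cost more than the risk itself.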
Protect your organisation from attacks and financial loss
So, we have established that not investing in sufficient cybersecurity, and then being hit by an attack, can end up costing more than the investment itself would have. But what does it really look like? In this example, we will use the ROSI model.
A company has decided to protect their sensitive operative systems from malware and to enable export of measurement data in real time. They have decided to invest in a data diode.
In this example, the data diode costs 200 000 SEK and is followed by a yearly MSA of 25%. The installation cost is 10 000 SEK and the yearly cost for maintenance is 20 work hours.
In contrast, when using a USB stick to transfer information in an air-gapped environment it is quite certain that you will get malware into your system once every five years. There is anti-virus control within the operational system, but clearing and investigating the incident costs a day’s work. Once every 20 years, the virus spreads to the operational system and causes a day’s downtime. This downtime, and repair of the system, costs 5 000 000 SEK.
Investing in a data diode would result in the following:
ROSI: 132.7%
Savings of manual management: 132 600 SEK
Savings of mitigated risk: 143 280 SEK
So not only do you get a ROSI of 132%, you also save money from the manual labour of virus-scanning and handling portable media and you can have your personnel doing more productive things.
We can help you find the solutions you need!
Do not hesitate to contact us!