Despite its countless benefits, the internet can be a hostile place for business. As organizations continue to expand their digital footprints, moving workloads into the cloud and growing their network of devices, they leave themselves vulnerable to a rapidly evolving cyber threat landscape.
Gartner’s number one cybersecurity trend of 2022 was “attack surface expansion” – organizations increasing their digital presence to leverage new technologies and facilitate remote and hybrid working. As of 2023, almost 13% of full-time employees work from home, with over 28% working a hybrid model. At the same time, as per Check Point’s Threat Intelligence Report, an organization in India was attacked on average 2,146 times per week over the last 6 months, compared to 1,239 attacks per organization globally.
In this connected world, innovation breeds risk – and in order to capitalize on innovation in a financially responsible way, that risk needs to be carefully managed. The problem is that cyber threats are moving targets, with countless variables that can be difficult to quantify. That means the efficacy of any cybersecurity solutions is hard to measure. One of the pivotal metrics that has emerged in recent years is the “catch rate” of security solutions. But what exactly does this rate signify, and how does it translate to the broader financial landscape of an organization?
Demystifying catch rates
At its core, the catch rate of a security solution offers a quantifiable measure of its capacity to detect and deal with various cyberattacks. These rates are typically awarded by independent test labs, providing an unbiased assessment of a solution's performance. For instance, if a security solution boasts a catch rate of 95%, it signifies its efficacy in detecting and neutralizing 95% of all cyber threats during its testing phase. However, this also leaves a residual risk of 5% that organizations need to be aware of.
This 5% “exposure” may not seem significant at first glance, but the financial ramifications can be profound. By combining data from various sources, such as the IBM 2023 Cost of a Data Breach Report and insights from Check Point Research, the cost of residual risk becomes clearer.
Measuring exposure to risk
Let’s consider phishing as an example. The number of phishing attacks rose by 47% in 2023 alone, with the US and the UK the top two targeted countries, and research suggests that 90% of successful data breaches begin with a spear phishing attack. According to recent reports, phishing attacks have surged in India in 2023. Around 30 million individuals in India are susceptible to phishing attacks, with an estimated 500,000 individuals at risk of falling victim to scammers, as reported by Tanla Platforms.
Spear phishing is a targeted campaign where the attacker customizes the deceptive message to mirror a specific individual or organization, often using personal details to make the attack more convincing. While phishing casts a wide net to entrap any unsuspecting victim, spear phishing is aimed directly at a chosen target with a tailored lure.
Now consider an organization that faces 1,258 phishing attempts every week. With a 16% attack frequency, this amounts to 201 potential breaches. The average cost of a successful attack, as reported by IBM, currently stands at $4.76 million. If we factor in the click probability, which currently stands at 18% for trained employees and 35% for those untrained, the financial implications of the residual risk are huge.
We can calculate the probable cost of the remaining risk using the following sums:
Cost of customer risk per breach: Avg cost per breach * Remaining risk
Number of phishing events per week: (Attacks per week * Attack frequency) * Remaining risk
Probability of trained employee clicking on phishing event: Number of phishing events * Click probability
Cost of remaining risk per week: Cost of customer risk per breach * Probability of employee clicking on a link
If we apply these calculations to the typical scenario outlined above, the difference in the “weekly cost of residual risk” for a 5% residual risk (a 95% catch rate) versus a 10% residual risk (a 90% catch rate) is stark: $431,000 versus $1.72 million. That means the extra 5% of uncaught threats could cost an additional $1.3 million in terms of risk.
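The four sums above, carried through in Python as an added example (this is not code from the article or from Check Point). The inputs are the article's own figures: 1,258 phishing attempts per week, a 16% attack frequency, an average breach cost of $4.76 million, and click probabilities of 18% (trained) and 35% (untrained); the function names are assumptions made here.

```python
"""Weekly cost of residual risk, following the article's four-step formula."""


def residual_risk_breakdown(catch_rate, attacks_per_week, attack_frequency,
                            cost_per_breach, click_probability):
    """Return each intermediate step of the article's calculation.

    catch_rate is the lab-measured detection rate (e.g. 0.95); the
    remaining risk is everything the solution does not catch.
    """
    remaining_risk = 1.0 - catch_rate
    # Cost of customer risk per breach: avg cost per breach * remaining risk
    cost_per_breach_at_risk = cost_per_breach * remaining_risk
    # Phishing events per week: (attacks per week * attack frequency) * remaining risk
    events_per_week = attacks_per_week * attack_frequency * remaining_risk
    # Expected employee clicks: number of phishing events * click probability
    expected_clicks = events_per_week * click_probability
    # Cost of remaining risk per week: cost per breach at risk * expected clicks
    weekly_cost = cost_per_breach_at_risk * expected_clicks
    return {
        "remaining_risk": remaining_risk,
        "cost_per_breach_at_risk": cost_per_breach_at_risk,
        "events_per_week": events_per_week,
        "expected_clicks": expected_clicks,
        "weekly_cost": weekly_cost,
    }


def weekly_residual_cost(catch_rate, click_probability=0.18):
    """Weekly cost of residual risk for the article's scenario (USD)."""
    return residual_risk_breakdown(
        catch_rate=catch_rate,
        attacks_per_week=1258,          # phishing attempts per week
        attack_frequency=0.16,          # share that become potential breaches
        cost_per_breach=4_760_000,      # IBM 2023 average cost of a breach
        click_probability=click_probability,
    )["weekly_cost"]


def extra_cost_of_lower_catch_rate(high_catch_rate, low_catch_rate,
                                   click_probability=0.18):
    """How much more residual risk costs per week at the lower catch rate."""
    return (weekly_residual_cost(low_catch_rate, click_probability)
            - weekly_residual_cost(high_catch_rate, click_probability))


if __name__ == "__main__":
    for rate in (0.95, 0.90):
        print(f"catch rate {rate:.0%}: trained ${weekly_residual_cost(rate):,.0f}/week, "
              f"untrained ${weekly_residual_cost(rate, 0.35):,.0f}/week")
    print(f"extra cost of 90% vs 95%: ${extra_cost_of_lower_catch_rate(0.95, 0.90):,.0f}/week")
```

Running it reproduces the article's $431,000 and $1.72 million figures and shows how the untrained click rate roughly doubles each number.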
The importance of catch rates
Considering the cost of ‘risk’, organizations need to evaluate catch rates carefully when choosing cybersecurity solutions and partners. As with any financial investment, they need to measure their exposure to the market. In other words, how likely their cybersecurity solution is to fail, what it might cost, and whether those costs can be weathered.
The problem is that catch rates have been typically downplayed. Perhaps that is because they are not understood by CIOs or CTOs, or perhaps it is because it is simply not in the best interests of cybersecurity vendors to disclose them. There is currently no legislation mandating that they need to be upfront about their solution’s catch rates, but organizations are always free to ask and listen carefully to the response.
Beyond the catch rates
While catch rates can be a crucial metric, cyber risk management is of course a multifaceted endeavor. It requires close communication between various stakeholders including employees, supply chain partners, banks, insurance companies, and even governments. Each entity in this ecosystem has a role to play, and their actions or inactions can have cascading effects.
Some of these stakeholders and variables are beyond the control of organizations. They can train their teams, choose their cybersecurity partners wisely (factoring in catch rate), and have the right insurance options in place, but they cannot control everything.
Additional steps that organizations can take to fortify their cyber defenses include:
Embracing a Zero Trust Architecture: This approach operates on the principle of “mistrust by default”, ensuring rigorous verification for every access request, irrespective of its source.
Optimizing Business Processes: By integrating security measures into their core processes, organizations can minimize vulnerabilities.
Engaging with MSSPs: Managed Security Service Providers bring to the table specialized expertise and resources that can bolster an organization's security framework.
Prioritizing Training: Employees can be a formidable first line of defense if adequately trained. Recognizing threats, especially in domains like phishing, can drastically curtail risks.
Cybersecurity can feel like a chess game, with numerous variables in play. Metrics such as catch rates are important and offer valuable insights into the efficacy of a solution, but they are just one piece of a much larger puzzle. By using that measurement as part of a holistic approach to cyber risk management, organizations can not only safeguard their digital assets but also ensure their financial stability in the face of ever-evolving cyber threats.
By Harish Kumar GS, Head of Sales, India and SAARC, Check Point Software Technologies