Strategies

Budgeting for Attacks

By Jodi Mardesich

The damages wrought by cyber attacks can be devastating. Malicious code spread unwittingly through innocuous e-mail has brought down a bank's ATM network, canceled airline flights, crippled public utility companies, shut down the U.S. Interior Department, and taken a nuclear power plant offline. The cost to clean up after such attacks is projected to top $17 billion this year, up from $13 billion last year, according to research firm Computer Economics. The firm predicts that damages from the MyDoom virus alone will top $4 billion this year.

Security spending not keeping pace with attacks

Cyber attacks have risen dramatically over the past three years. According to data from Good Harbor Consulting, reported incidents have gone from 21,000 in 2000 to more than 130,000 in 2003. Many more attacks go unreported, as corporations attempt to deflect the negative publicity associated with attacks. In addition, system vulnerabilities have doubled each year for the past few years, as have the patches to fix those vulnerabilities. Even worse, the window of time between discovery and exploitation of vulnerabilities has continued to close, making quick responses to security breaches vital.

Security budgets haven't kept pace with the rise in attacks and the increase in threats. Security budgets have in fact increased as a percentage of the overall IT budget, from 2.5 percent in 1998 to 10 percent in 2003, according to Good Harbor Consulting. But other research is more conservative, and overall, the budget figures do not keep pace with the growth in attacks. CSO magazine's 2004 IT survey shows that 7 to 8 percent of IT budgets are spent on security. The picture painted by the most recent Computer Crime and Security Survey, from the Computer Security Institute, was even bleaker: of the study's respondents, 23 percent spent 6 percent or more of their IT budgets on security, but 62 percent of the respondents put their security allocations at 5 percent or less. The largest group of respondents, 24 percent, allocated only 1 to 2 percent of their budgets to security.

It's clear that security spending remains too low, but there is one positive trend: upgrades to security and disaster recovery systems are the highest priorities in IT budgets this year, according to Forrester Research.

Cost of attacks

The cost of security breaches has been difficult to quantify because of the range of damage produced by attacks. According to the CSO survey, 84 percent of companies polled reported incidents in the past 12 months, but only 38 percent could put a value on the damages. However, estimating the damages will help justify security spending on software, personnel, and even insurance.

Some companies are investing in insurance to offset the losses due to security breaches. According to the CSI/FBI Computer Crime and Security Survey, this is a new trend, and though insurance companies don't have good actuarial data on which to base rates, a few firms are offering policies. CSI/FBI's 2004 survey found that 28 percent of the respondents have cybersecurity insurance.

To prepare a security budget, CIOs must estimate the cost of attacks. The total cost includes damages from lost business and the cost to restore systems to normal operating conditions. Here are budgeting considerations in those two areas:

  • Lost revenue from downtime. This includes sales disrupted or lost due to system downtime. A value can be determined by comparing sales during the outage with average sales for a comparable time period.

  • Cost of staff to repair systems and network. This includes the staff and time needed to determine the extent of the damage and restore the network to proper working order. Staff costs include the cost of benefits and the overhead associated with each employee.

Budgeting for attacks

A well-planned budget should include not only the technology needed to safeguard the network, but also the cost of staff hours to restore the network after an attack. One difficulty CIOs face when budgeting for attacks is the tendency to trust that the measures they're taking will prevent them. However, by not budgeting for cleanup, CIOs may find themselves having to pull funds that had previously been allocated to other purposes.

To budget for clean-up costs from security breaches, CIOs should gather historical data on the types and frequency of attacks, both within the company and outside it. Although the CSI 2004 report showed a decline in unauthorized use of corporations' computer systems, more than half of the respondents still reported that their systems had been breached. The survey also showed a drop in the number of incidents. Forty-seven percent of respondents reported one to five incidents, up from 38 percent the year before.

Besides determining the probability of attack and estimating the number of attacks, CIOs should attempt to calculate the cost of an attack, which can include the loss of business, the loss of data required by government regulation, personnel costs, and lost productivity.

As they tabulate data on losses from attacks, CIOs might ask: How many machines were hit by recent similar attacks? How much time is likely to elapse between the moment a vulnerability is announced and the moment a system is patched? How much critical data is strongly protected? How much downtime is the result of security problems? Understanding the scope of the problem will help CIOs zero in on dollar figures that reflect the potential damage.
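The two cost components listed earlier (lost revenue from downtime, and staff time loaded with benefits and overhead), combined with the historical incident data and the patch-lag question above, can be turned into a simple cleanup-budget model. The following is an added example written for this page, not a calculation from the article or from any of the research firms it cites; the incident records, sales figures, wage rate and overhead factor are all constructed placeholders, and the function names are the example's own.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed sample of past incidents (hypothetical figures, not from the article).
# Each record gives the year, hours of downtime the incident caused, staff hours spent
# on assessing the damage and restoring systems, and the number of days between the
# vulnerability being announced and the affected systems being patched.
HISTORICAL_INCIDENTS = [
    {"year": 2002, "downtime_hours": 6.0,  "staff_hours": 40.0,  "patch_lag_days": 21},
    {"year": 2002, "downtime_hours": 2.0,  "staff_hours": 12.0,  "patch_lag_days": 9},
    {"year": 2003, "downtime_hours": 12.0, "staff_hours": 160.0, "patch_lag_days": 30},
    {"year": 2003, "downtime_hours": 1.5,  "staff_hours": 8.0,   "patch_lag_days": 4},
    {"year": 2003, "downtime_hours": 4.0,  "staff_hours": 24.0,  "patch_lag_days": 14},
]


@dataclass
class CostAssumptions:
    avg_hourly_sales: float          # average sales per hour for a comparable period
    staff_hourly_wage: float         # base wage of the staff doing the restoration
    benefits_overhead_factor: float  # multiplier for benefits and overhead (1.4 = +40%)


# Constructed assumptions used for the worked numbers below (placeholders, not real data).
EXAMPLE_ASSUMPTIONS = CostAssumptions(
    avg_hourly_sales=2500.0,
    staff_hourly_wage=50.0,
    benefits_overhead_factor=1.4,
)


def lost_revenue(downtime_hours, assumptions):
    """Sales lost during the outage, measured against average sales for the same span."""
    return downtime_hours * assumptions.avg_hourly_sales


def staff_cost(staff_hours, assumptions):
    """Cleanup labour, with wages loaded for benefits and per-employee overhead."""
    return staff_hours * assumptions.staff_hourly_wage * assumptions.benefits_overhead_factor


def incident_cost(incident, assumptions):
    """Total direct cost of one incident: lost revenue plus loaded staff cost."""
    return (lost_revenue(incident["downtime_hours"], assumptions)
            + staff_cost(incident["staff_hours"], assumptions))


def incidents_per_year(incidents):
    """Historical attack frequency: incidents divided by the number of years covered."""
    years = {i["year"] for i in incidents}
    return len(incidents) / len(years)


def annual_cleanup_budget(incidents, assumptions):
    """Expected yearly cleanup cost = expected incident count x average incident cost."""
    avg_cost = mean(incident_cost(i, assumptions) for i in incidents)
    return incidents_per_year(incidents) * avg_cost


def average_patch_lag_days(incidents):
    """Average gap between vulnerability announcement and patching, as the article asks."""
    return mean(i["patch_lag_days"] for i in incidents)


if __name__ == "__main__":
    for inc in HISTORICAL_INCIDENTS:
        print(f"{inc['year']}: ${incident_cost(inc, EXAMPLE_ASSUMPTIONS):,.2f}")
    print(f"incidents per year: {incidents_per_year(HISTORICAL_INCIDENTS):.2f}")
    print(f"cleanup budget:     ${annual_cleanup_budget(HISTORICAL_INCIDENTS, EXAMPLE_ASSUMPTIONS):,.2f}")
    print(f"avg patch lag:      {average_patch_lag_days(HISTORICAL_INCIDENTS):.1f} days")
```

The budget line is the product of two separately sourced numbers, frequency from the incident history and cost from the per-incident components, so each can be revisited on its own as new survey data or internal records arrive; the patch-lag average is kept alongside it because, as the article notes, the shrinking window between disclosure and exploitation is what drives incident frequency up.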

It's bad enough to be the victim of malicious cyber attacks, but companies that aren't prepared suffer twice. First, they suffer the financial and other costs of the attacks. Then, they also take the financial hit of implementing security measures that should have been in place all along. Anticipating attacks and budgeting for them will help minimize the damage from attacks that are inevitable.

Jodi Mardesich writes about business and is a former staff writer for Fortune.

Fast Fact

"Disaster recovery systems are the highest priorities in IT budgets this year."

--Forrester Research
