Getting the board on board: a cost-benefit analysis approach to cyber security

If there’s one thing you can be sure of when it comes to cyber security, it’s that you can never be sure of anything. The cyber security landscape has never been more hostile or complex, and changes to the working world brought about by COVID-19 have introduced risks that all organisations need to mitigate.

The hybrid working world of 2021 looks very different to the office-centric world we left in 2020, and technology has been instrumental in facilitating our new hybrid working lives. But as our working patterns have changed, so have the threat vectors through which hackers can target us to launch damaging cyber attacks.

In order to protect ourselves and our organisations, we need to adapt our cyber security postures accordingly. This involves investment. But buy-in for this investment can be difficult to obtain if your board sees cyber security as a cost they could do without.

If this is something you are struggling with today, the best way to get your board on board may well be to take a cost-benefit analysis approach to cyber security. In this article, we’ll take a look at the key cyber security threats facing organisations in 2021, and explain how a cost-benefit analysis approach is the best way to get the investment you need to address them.


Key cyber security threats in 2021

With many of us working predominantly remotely since 2020, hackers have evolved their tactics to take advantage of organisations’ increased attack surfaces as users have strayed beyond the relative security of the corporate network. The key cyber security threats organisations face in 2021 are phishing, ransomware, and business email compromise attacks:

Phishing emails are sent by hackers posing as someone you trust, such as your bank, your local council or even a colleague. Their goal is to convince you to do something they can use to their advantage, such as clicking a link to a malicious website or providing login and other personal details. Phishing emails are one of the main methods hackers use to deploy ransomware and business email compromise attacks.

Business email compromise attacks target employees within an organisation by sending spoof emails which fraudulently represent senior colleagues or trusted clients. The emails use social engineering techniques to issue illicit instructions, such as approving payments to hackers’ bank accounts or releasing confidential client data that can be leaked on the Dark Web.

Ransomware’s primary aim is to extort money from the organisations and individuals it infects. It achieves this by encrypting files saved locally and on shared drives connected to affected machines, and then threatening to leak stolen confidential information onto the public internet. Once files have been encrypted, the user is notified and asked to pay money, typically in cryptocurrency, in order to obtain a key that will decrypt the files.

In order to maintain your organisation’s operational integrity in 2021, you will need to minimise risk as far as possible when it comes to these three pernicious threats. Let’s take a look at how you can get buy-in for the investment needed to do this.

A cost-benefit analysis approach to cyber security

A cost-benefit analysis is a method used to evaluate a project by comparing its losses and gains — essentially a quantified and qualified list of pros and cons. Undertaking a cost-benefit analysis is a great way to assess projects because it reduces the evaluation complexity to a single figure. As you can imagine, this makes a cost-benefit analysis an invaluable tool when it comes to explaining the intricacies and selling the value of a robust cyber security strategy to your board.

One of the most important things to emphasise in your cost-benefit analysis is the trade-off between paying to prevent a mess versus paying to clean up a mess. A recent Cabinet Office report stated the estimated cost of cyber crime to the UK economy is a whopping £27 billion. And when it comes to individual attacks, a Sophos survey in April 2021 found that the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021.

Of course, investing in preventative cyber security measures also comes at a cost. Research firm Gartner forecast that global spending on information security and risk management services will reach $150.4 billion in 2021 – an increase of 12.4% from 2020.

In this context, one thing remains crystal clear: for most organisations, the cost of prevention pales in comparison to the cost of a breach. So how do you apply a cost-benefit analysis to get board buy-in for your cyber security strategy?


How to adopt a cost-benefit analysis approach

Adopting a cost-benefit analysis approach is all about determining the risks you are willing to accept and comparing the costs of those risks against the benefits. This involves thinking about the direct and indirect risks you face, as well as the direct and indirect costs that could arise as a result of taking these risks. Examples of each include:

  • Direct costs like ransom payments, or expenditure associated with identifying, mitigating and quarantining a threat.
  • Indirect costs like downtime, operational disruption, reputational damage, time and internal resources, and legal and non-compliance fees.

It’s helpful to think about both direct and indirect factors when applying a cost-benefit analysis approach. For instance, you might compare:

  • The cost of business income disruption (direct) and lost productivity (indirect) due to a ransomware attack versus the cost of preventing a data breach by investing in a ‘defence-in-depth’ cyber security approach.
  • The cost of operational disruption (direct) and a decrease in future revenues (indirect) versus the cost of preventing an attack by investing in building an in-house team.

Developing a cost-benefit analysis approach involves coming up with options that you could undertake to achieve your project’s objectives — so you’ll want to keep breaking things down and playing with various risks, costs and outcomes.

Getting the board on board

Risk management is all about managing uncertainties. When it comes to preventing costly cyber-attacks, there’s significant value to be found in investing upfront in order to avoid paying a higher price later.

The good news is that today’s executives report being more open to new cyber security strategies than ever before. In 2020, 50% of executives said that they were willing to consider cyber security as a factor in every business decision (compared to only 25% the previous year). Use this as an opportunity to build foundations that will help create a sustainable and safe future.

Written by Phil Atkin, sales director – cyber security at Six Degrees
