Why cyber security will cost 40% more in 10 years’ time


The costs of managing cyber security risks could rise by 40 per cent over the next decade as tools fail to keep pace with hackers, according to a new study.

Training, security tools, business disruption and network management all figure in the predicted cost rise, worked out by nonprofit think tank RAND, which conducted detailed research with CISOs from a variety of companies.

With the most severe security breaches costing big businesses 1.46 million, up from 600,000 last year according to PwC, such a rise means the financial impact could top 2 million by 2025.

RAND released its findings in a new report today, titled The Defender's Dilemma, undertaken in association with Juniper Networks.

In light of the rising number of cyber breaches experienced over the last two years, RAND warns that cyber criminals are learning to develop countermeasures against security tools, rendering those tools ineffective and making attacks more successful.

"Half of all the tools used in any one year are subject to countermeasures as hackers adapt if and when such tools become popular," the report read. "This adaptation causes tools to lose effectiveness over subsequent years."

In fact, RAND predicted that the effectiveness of tools for which countermeasures can be developed will plunge by 65 per cent over the next 10 years.

Very large businesses have the most to lose from the factors outlined above, with the breaches themselves contributing to 47 per cent of the financial losses enterprises will suffer from such incidents, compared to just eight per cent for small companies.

However, the cost of buying new security tools to deal with the latest threats also offsets some of the savings gained by averting cyber attacks, RAND pointed out.

As much as 11 per cent of enterprises' cyber security costs come from deploying tools, its report found.

It said: "Small organisations benefit from circumstances and policies that reduce their attack surfaces (e.g., BYOD/smart device restrictions). Larger organizations need a panoply of instruments to keep costs under control.

"Roughly 40 per cent of the reduced losses are offset by increased costs associated with using such instruments."

Insider threat

Whatever they spend, large organisations are the most at risk from hackers thanks to their higher profiles.

While just 11 per cent of small firms have been penetrated by hackers, five per cent of very large firms have been, found the report.

"[This] supports the truism that CISOs must assume that the attackers are already inside their networks," warned RAND.

Rapid7 security expert Trey Ford said CISOs also suffer from not being able to share breach details with counterparts outside their firms.

"The lessons learned by those in this office are shrouded or entirely prevented from sharing due to external and internal NDAs and shareholder concerns," he said. "CISOs are still grasping at how best to report security programme performance to the board."

Both RAND and Juniper also found that the Internet of Things (IoT) will increase the losses resulting from cyber breaches by 30 per cent come 2025.

They warned that companies must strengthen training and BYOD/smart device policies, and focus on tools for which no countermeasures exist, which are more effective in the long run.

"As companies invest heavily in innovative connectivity technologies, giving rise to the IoT, they also need to consider smart security investments to mitigate complex, dynamic cyber threats," said Steve Jacques, consulting engineer in security at Juniper.