Organizations employ many precautions and actions in an attempt to block cyber attacks. Such measures can require significant time and resources to implement as well as maintain. This class of tools includes endpoint security solutions such as anti-virus, protection and detection systems, as well as gateway solutions.
Every enterprise includes software patching as part of its security system to some extent. Because of its widespread use and marked impact on business processes, we will examine patching as an example of direct and indirect costs to your organization.
The complexity and often time-critical nature of even predictable patching places a significant burden on IT operations. It consigns your IT team to a reactive state, forcing them to continually play catch-up whether or not a vulnerability is actually exploited. Many organizations consider cybersecurity patching resource-intensive and ineffective, yet perform it on some level both for regulatory reasons and to avoid extended risk.
To calculate how much patching costs your organization per year, use the following formula:
If you want to get to a more precise figure, take the real costs into account:
Total Annual Ongoing Costs should include the cost of your patch management tools, contained in the above formula as “preparation and detection costs.” Using such tools, the effort of endpoint patching is estimated at around eight hours per system per year, a total that includes assessment, assembly and testing, deployment, failure resolution and helpdesk.
Numbers may vary, but with a total of 10 yearly patches on average, the costs can reach several million dollars for a sizeable organization. And 10 yearly patches is a vast underestimate.
Patching comes with a low ROI given its costliness and minimal effectiveness.