Feb 29, 2024The Hacker NewsAttack Surface / Incident Response

As an IT leader, staying on top of the latest cybersecurity developments is essential to keeping your organization safe. But with threats coming from all around — and hackers dreaming up new exploits every day — how do you create proactive, agile cybersecurity strategies? And what cybersecurity approach gives you the most bang for your buck, mitigating your risks and maximizing the value of your cybersecurity investments?

Let’s take a closer look at the trends that are impacting organizations today, including the growing reach of data breaches and the increase in cybersecurity spending, and explore how you can get the most out of your cybersecurity resources, effectively securing your digital assets and maintaining your organization’s integrity in the face of ever-evolving cyber threats.

Successful data breaches

In 2022, the number of people affected by data breaches increased significantly. According to the Identity Theft Resource Center’s 2022 Data Breach Report, more than 1,800 data compromises were reported in 2022 — 60 fewer reports than in the previous year — but the number of people impacted by data breaches jumped by a whopping 40% to 422.1 million.

And data breaches can cause real, long-lasting impacts, as proven by some of the most infamous data breaches in history:

• eBay: Hackers stole login credentials for just a few eBay employees and then pulled off a massive data breach that stole the personal information and passwords of more than 145 million users. Experts believe that the hack had ramifications on users outside of eBay — as people tend to reuse passwords on multiple sites, there’s a good chance that hackers were able to access other online services using the stolen credentials.
• Yahoo: In one of the biggest data breaches in history, Yahoo estimated that hackers had compromised over three billion accounts. Although hackers didn’t get passwords, they did gain access to users’ security question answers, increasing the risk of identity theft. The company ultimately paid $35 million in regulatory fines and had to provide nearly 200 million people with credit monitoring services and other restitution valued at $117.5 million.
• Marriott: Hackers were able to spend nearly four years accessing Mariott’s Starwood system, stealing data from more than 500 million hotel customers. Cybercriminals stole everything from customer names and contact info to passport numbers, travel information, and financial information, including credit and debit card numbers and expiration dates. In addition to the massive blow to its reputation and loss of consumer trust, the company faced steep fines, including a £99 million fine from the UK Information Commissioner’s Office (ICO) for violating British citizens’ privacy rights under the GDPR.

Given the escalating scope and impact of data breaches, it’s clear that CISOs and IT teams have their work cut out to ensure their organization is prepared for anything.

Cyber spending trends

Unsurprisingly, with the growing cybersecurity problem, organizations are spending more money to bolster their cybersecurity resources.

Getting the most from your cybersecurity resources

Clearly, there’s no shortage of cybersecurity threats. So, how can an IT professional ensure they are maximizing the value of cybersecurity resources and getting every ounce of protection from cybersecurity investments? A risk-based approach, where you identify and prioritize your greatest vulnerabilities, and correlate threat exposure to business impact, will help protect organizations and optimize spending decisions.

To adopt a risk-based approach, deploy the following strategies:

• Focus on your external attack surface. Your business’ external attack surface includes all of your company’s accessible digital assets — which present an enticing target for bad actors. You can’t fix a problem if you don’t know it exists; use a proven external attack surface management (EASM) solution to regularly scan and monitor your assets for potential security gaps.
• Prioritize protection of end user credentials. As eBay found, gaining access to just a handful of user credentials can effectively give hackers an open-door invite to your network and data. Ensure you provide employees with regular, ongoing security training to help them become more adept at identifying and appropriately responding to cyber risks. Deploy robust identity and access management protocols across your organization. And use a password auditor to ensure that your employees aren’t using passwords that have already been breached or compromised.
• Prioritize vulnerability remediation across your networks and cloud services. Invest in a risk-based vulnerability management solution that will help you prioritize threats based on the highest risks posted (based on likelihood and exploit availability), rather than wasting time and resources on vulnerabilities that pose little threat.
• Integrate a threat intelligence solution. To proactively adapt your organization’s defenses against emerging threats and attack vectors, you should invest in a threat intelligence solution that provides real-time insights into evolving threats to your organization and industry. By focusing your attention (and spending) on high-impact, likely-to-be-exploited vulnerabilities, you can strategically deploy resources to address your most pressing security concerns.

Prioritize a risk-based approach to boost cybersecurity ROI

Today’s digital landscape requires IT pros to prioritize a risk-based approach to cybersecurity, ensuring that your investments address current and future threats. By strategically deploying your organization’s resources — using robust solutions and focusing on high-impact vulnerabilities — you’ll be taking steps to keep your organization safe, maintain your operational integrity, and boost your cybersecurity ROI.

SaaS applications are the darlings of the software world. They enable work from anywhere, facilitate collaboration, and offer a cost-effective alternative to owning the software outright. At the same time, the very features that make SaaS apps so embraced – access from anywhere and collaboration – can also be exploited by threat actors.

Recently, Adaptive Shield commissioned a Total Economic Impact (TEI) study conducted by Forrester Consulting. The study demonstrates the impactful ROI achieved by a multimedia company with an annual revenue of $10 billion. While the quantitative ROI is significant, at 201%, the qualitative security ROI improvements were substantial.

Figure 1: Summary of the TEI Study

In this article, we’ll examine the study’s findings of how Adaptive Shield’s SaaS Security Posture Management (SSPM) platform impacted this global enterprise.

Learn how a $10B media firm dramatically improved their security posture with SSPM

The Organization’s Top SaaS Challenges

In interviews with Forrester Consulting, the organization being studied pointed out several key challenges that were facing in their SaaS stack leading up to 2022.

1. The organization acknowledged that they lacked the knowledge and skill to manage the applications. They didn’t understand many of the unique configurations or the impact they had on security or compliance, which left them unaware of the risks or mitigations that needed to happen.
2. The organization had experienced an increase in SaaS adoption across IT, HR, sales, marketing, and other departments. They recognized that sensitive assets and valuable data were moving into SaaS applications and being spread out in a way that the security team could no longer supervise all its comings and goings. In addition, they needed to foster collaboration between the app owners, who control the applications, and security teams that are tasked with securing them.
3. They were also dealing with increased complexity caused by their Merger & Acquisition (M&A) activity. Each M&A increased the number of applications that they needed to manage, many of which were geographically-distributed tenants that could not be easily combined with existing tenants of the app.

The organization began looking for a solution that could alleviate the SaaS misconfigurations that they were dealing with at scale. They needed a platform that would integrate with multiple business applications, mitigate communication issues between the app owners and security teams, and help them maintain regulatory compliance in their SaaS stack.

They were impressed with Adaptive Shield’s platform which not only demonstrated the widest coverage of supported applications but also found configuration issues during the proof of concept phase. In 2022, Adaptive Shield was selected and deployed to secure the organization’s stack.

Security Benefits Adaptive Shield Introduced to the Organization

Forrester Consulting found that Adaptive Shield enabled the security team to “gain complete control and increased visibility of the security posture of all business-critical applications.”

Increased SaaS Security Posture

The security team had dealt with six security issues stemming from misconfigurations and low-security posture in the past. However, the organization saw posture improvements beginning with the POC. They “realized substantial improvement in its security posture score through visibility, remediation guidance, and ongoing monitoring” while experiencing a 30% increase in posture.

Improved Collaboration

Forrester Consulting also found evidence of increased collaboration between security teams and app owners. They noted that business owners are critical players in securing applications, as they have “the key to the kingdom,” but they lacked the security expertise needed to secure their ecosystem. Deploying Adaptive Shield helped bridge that gap and foster collaboration between the app owners and security teams.

Many Other Security Benefits

While some security benefits were quantifiable by the Forrester Consulting team, they were unable to place a dollar value on everything offered by Adaptive Shield. For example, Forrester Consulting found that the automated processes within the Adaptive Shield platform allowed security teams to focus on security management rather than conduct interviews with app owners about their configurations. It also helped the organization overcome challenges introduced by the democratization of SaaS security. It helped the organization achieve continuous compliance, avoiding any interruptions to business operations, and staying ahead of any SaaS security trends.

Find out how an SSPM can deliver impressive ROI and security benefits

Why Economic Benefits Indicated a 201% ROI

The Total Economic Impact study measured the return on investment experienced by the organization that was interviewed. To quantify these findings, Forrester Consulting first calculated the value of an improved SaaS Security posture. They factored in the number of breaches that had taken place before Adaptive Shield was deployed and projected the number of breaches over three years. Their calculations included diminished productivity, impacted business and security users, and salary data. Their three-year present value estimate of an improved SaaS Security posture was $1.49M.

Figure 2: Breakdown of ROI by Category

Next, Forrester Consulting reviewed operational efficiency achieved through the Adaptive Shield’s SSPM platform. They factored in the number of applications being monitored, hourly wages, and the cost of securing SaaS applications with and without an automated solution. Their estimated three-year present value of savings was $397K.

Forrester Consulting then turned its attention to compliance. They calculated improvements in efficiency based on the time it takes organizations to review their applications and ensure compliance with the different standards. Their three-year present value was worth $260K.

Improved collaboration between security teams and business app owners added another 32K in savings over three years at present value. While the study noted other areas of ROI, it wasn’t able to quantify them.

The total benefits over three years (at present value) totaled $2.18M. The total licensing and deployment costs over those three years, at present value, was $723,866. Payback was reached in less than six months, and the ROI over the three-year time frame was 201%.

A Push Toward SaaS Security

Today, organizations are increasing the volume and value of data stored in the cloud. Modern SaaS apps contain highly sensitive data, including PII, intellectual property, and third-party confidential information. Protecting this data is paramount, and the only realistic way to secure it is through a SaaS Security Posture Management (SSPM) tool.

Organizations understand the need to secure their SaaS stack. At the same time, they need to justify the cost of adding new security tools. By demonstrating significant, measurable ROI, organizations can finally make the case for implementing an SSPM solution.

For the full TEI study, click here.

Note: This article has been expertly written by Maor Bin, CEO and co-founder of Adaptive Shield.