How Catch Rates Impact Organizational Risk and Finances
Why catch rates are crucial to understanding the financial implications of cybersecurity interventions
By Keely Wilkins
Despite its countless benefits, the internet can be a hostile place for business. As organizations continue to expand their digital footprints, moving workloads into the cloud and growing their network of devices, they leave themselves vulnerable to a rapidly evolving cyber threat landscape.
Gartner’s number one cybersecurity trend of 2022 was “attack surface expansion” – organizations increasing their digital presence to leverage new technologies and facilitate remote and hybrid working. As of 2023, almost 13% of full-time employees work from home, with over 28% working a hybrid model. At the same time, Check Point recorded a 38% uplift in global cyberattacks in 2022 alone, so organizations need to tread carefully.
In this connected world, innovation breeds risk, and in order to capitalize on innovation in a financially responsible way, that risk needs to be carefully managed. The problem is that cyber threats are moving targets, with countless variables that can be difficult to quantify. That means the efficacy of any cybersecurity solution is hard to measure. One of the pivotal metrics that has emerged in recent years is the “catch rate” of security solutions. But what exactly does this rate signify, and how does it translate to the broader financial landscape of an organization?
What exactly are catch rates?
At its core, the catch rate of a security solution is a quantifiable measure of its capacity to detect and block cyberattacks. These rates are typically published by independent test labs, providing an unbiased assessment of a solution’s performance against a defined set of threat samples. For instance, if a security solution reports a catch rate of 95%, it detected and neutralized 95% of the threat samples used in that test. The remaining 5% is the residual risk that organizations need to be aware of, and since it is measured against the lab’s sample set, it is a lower bound on what slips past the solution in production, not a guarantee.
This 5% “exposure” may not seem significant at first glance, but the financial ramifications can be profound. By combining data from various sources, such as the IBM 2023 Cost of a Data Breach Report and insights from Check Point Research, the cost of residual risk becomes clearer.
Measuring exposure to risk
Let’s consider phishing as an example. The number of phishing attacks rose by 47% in 2023 alone, with the US and the UK the two most targeted countries, and research suggests that 90% of successful data breaches begin with a spear phishing attack. Spear phishing is a targeted campaign in which the attacker customizes the deceptive message to impersonate a specific individual or organization, often using personal details to make the lure more convincing. While phishing casts a wide net to entrap any unsuspecting victim, spear phishing is aimed directly at a chosen target with a tailored lure.
Now consider an organization that faces 1,258 phishing attempts every week. With a 16% attack frequency, 1,258 × 0.16 ≈ 201 of those are potential breaches per week. The average cost of a successful attack, as reported by IBM, currently stands at US$4.76 million. If we factor in the click probability, which currently stands at 18% for trained employees and 35% for those untrained, the financial implications of the residual risk are huge.
We can calculate the probable cost of the residual risk using the following steps, where “residual risk” is 1 minus the catch rate:
- Cost of residual risk per breach: Avg cost per breach × Residual risk
- Number of phishing events per week that evade the solution: (Attacks per week × Attack frequency) × Residual risk
- Expected number of clicked phishing events per week: Number of phishing events × Click probability
- Cost of residual risk per week: Cost of residual risk per breach × Expected number of clicked phishing events
If we apply these calculations to the scenario outlined above for trained employees, the difference in the “weekly cost of residual risk” for a 5% residual risk (a 95% catch rate) versus a 10% residual risk (a 90% catch rate) is stark: roughly US$431,000 versus US$1.72 million per week. That means the extra 5% missed could cost an additional US$1.3 million per week in terms of risk.
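The four-step model above, carried through in Python as an added example (this is the editor's illustration, not code from Check Point or IBM). The input figures are the ones the article quotes; the function and field names are this example's own, and the model is applied to both the trained and untrained click probabilities so the two can be compared:

```python
"""Weekly cost of residual phishing risk, following the article's four-step model.

Example code added for illustration; the figures below are those quoted in the
article (per week, as the text states), and the names are this example's own.
"""
from dataclasses import dataclass

# Figures quoted in the article.
ATTACKS_PER_WEEK = 1258            # phishing attempts observed per week
ATTACK_FREQUENCY = 0.16            # share of attempts that are potential breaches
AVG_COST_PER_BREACH = 4_760_000    # IBM 2023 average breach cost, USD
CLICK_PROBABILITY = {"trained": 0.18, "untrained": 0.35}


@dataclass(frozen=True)
class ResidualRiskCost:
    """Intermediate and final values of the article's model for one catch rate."""
    residual_risk: float              # 1 - catch rate
    cost_per_breach: float            # avg cost per breach * residual risk
    events_per_week: float            # (attacks * frequency) * residual risk
    expected_clicks_per_week: float   # events per week * click probability
    weekly_cost: float                # cost per breach * expected clicks


def residual_risk_cost(catch_rate, click_probability,
                       attacks_per_week=ATTACKS_PER_WEEK,
                       attack_frequency=ATTACK_FREQUENCY,
                       avg_cost_per_breach=AVG_COST_PER_BREACH):
    """Apply the article's four steps for a given catch rate and click probability."""
    if not 0.0 <= catch_rate <= 1.0:
        raise ValueError("catch_rate must be a fraction between 0 and 1")
    if not 0.0 <= click_probability <= 1.0:
        raise ValueError("click_probability must be a fraction between 0 and 1")
    residual = 1.0 - catch_rate
    cost_per_breach = avg_cost_per_breach * residual
    events = attacks_per_week * attack_frequency * residual
    clicks = events * click_probability
    return ResidualRiskCost(residual, cost_per_breach, events, clicks,
                            cost_per_breach * clicks)


def weekly_cost_delta(catch_rate_a, catch_rate_b, click_probability):
    """Extra weekly cost of residual risk when moving from catch rate a to b."""
    a = residual_risk_cost(catch_rate_a, click_probability).weekly_cost
    b = residual_risk_cost(catch_rate_b, click_probability).weekly_cost
    return b - a


def cost_scaling_ratio(catch_rate_a, catch_rate_b, click_probability):
    """Ratio of weekly costs between two catch rates.

    Residual risk enters the model twice (per-breach cost and event count),
    so the ratio is the square of the residual-risk ratio: doubling residual
    risk quadruples the weekly cost rather than doubling it.
    """
    a = residual_risk_cost(catch_rate_a, click_probability).weekly_cost
    b = residual_risk_cost(catch_rate_b, click_probability).weekly_cost
    return b / a


if __name__ == "__main__":
    for label, p_click in CLICK_PROBABILITY.items():
        for catch in (0.95, 0.90):
            r = residual_risk_cost(catch, p_click)
            print(f"{label:9s} catch {catch:.0%}: {r.events_per_week:6.2f} events/week, "
                  f"{r.expected_clicks_per_week:5.2f} clicks/week, "
                  f"US${r.weekly_cost:,.0f}/week")
        print(f"{label:9s} extra cost 95% -> 90%: "
              f"US${weekly_cost_delta(0.95, 0.90, p_click):,.0f}/week "
              f"(x{cost_scaling_ratio(0.95, 0.90, p_click):.1f})")
```

Running it reproduces the article's US$431,000 and US$1.72 million figures for trained staff. The ratio function makes a property of the model explicit that the prose does not: because residual risk is multiplied in at both the cost step and the event step, weekly cost grows with the square of the residual risk, so the gap between a 95% and a 90% catch rate is a factor of four, not two. Whether that double application reflects reality is a modelling choice worth questioning before using the output in a budget.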
The importance of catch rates
Considering the cost of ‘risk’, organizations need to evaluate catch rates carefully when choosing cybersecurity solutions and partners. As with any financial investment, they need to measure their exposure. In other words, how likely is their cybersecurity solution to fail, what might that cost, and can those costs be weathered?
The problem is that catch rates have typically been downplayed. Perhaps that is because they are not understood by CIOs or CTOs, or perhaps it is because it is simply not in the best interests of cybersecurity vendors to disclose them. There is currently no legislation mandating that vendors be upfront about their solution’s catch rates, but organizations are always free to ask, and to listen carefully to the response.
Going beyond the catch rates
While catch rates can be a crucial metric, cyber risk management is of course a multifaceted endeavor. It requires close communication between various stakeholders including employees, supply chain partners, banks, insurance companies, and even governments. Each entity in this ecosystem has a role to play, and their actions or inactions can have cascading effects.
Some of these stakeholders and variables are beyond the control of organizations. They can train their teams, choose their cybersecurity partners wisely (factoring in catch rate), and have the right insurance options in place, but they cannot control everything.
Additional steps that organizations can take to fortify their cyber defenses include:
- Embracing a Zero Trust Architecture: This approach operates on the principle of “never trust, always verify”, requiring rigorous authentication and authorization for every access request, irrespective of whether it originates inside or outside the network perimeter.
- Optimizing Business Processes: By integrating security measures into their core processes, organizations can minimize vulnerabilities.
- Engaging with MSSPs: Managed Security Service Providers bring to the table specialized expertise and resources that can bolster an organization’s security framework.
- Prioritizing Training: Employees can be a formidable first line of defense if adequately trained. Recognizing threats, especially in domains like phishing, can drastically curtail risks.
Cybersecurity can feel like a chess game, with numerous variables in play. Metrics such as catch rates are important and offer valuable insights into the efficacy of a solution, but they are just one piece of a much larger puzzle. By using that measurement as part of a holistic approach to cyber risk management, organizations can not only safeguard their digital assets but also ensure their financial stability in the face of ever-evolving cyber threats.
(Disclaimer: The article is written by Keely Wilkins, Office of the CTO, Check Point Software Technologies and the views expressed herein are those of the author and do not necessarily belong to the publication)