ROI Analysis: The Bottom Line on Blocking Malicious Emails

Cybercriminals know all they need to about their return on investment (ROI): cyberattacks are pretty cheap and highly profitable. Cybersecurity professionals face a much greater challenge, in what some call “the upside-down economics of cybersecurity.”[1]

It’s not cheap to protect your company against cyberattacks. And despite oceans of historical data and forward-looking risk assessments, it’s still difficult to establish the cost/benefit ratio of cyber defenses. That is, until after an attacker steals your critical data, drains employees’ productivity, shuts down operations and tarnishes your brand’s reputation.

Yet cyber experts, market research firms and insurance companies continue to make progress in calculating the value of investing in cybersecurity — even amid never-ending change on criminal, technological and regulatory fronts. So there’s a growing body of knowledge on ROI that cybersecurity professionals, executive management and boards of directors can use to support more effective cyber defenses.

This article, on the ROI of email security, is part of a multipart blog series on the costs and benefits of five strategic choices surrounding cybersecurity and data archiving — from blocking and monitoring malicious emails to protecting against brand spoofing, checking employees’ risky behavior, retiring on-premises archives and streamlining e-discovery. The series features findings commissioned from Forrester; the market research firm aggregated customer interview responses to model the ROI of a composite organization in these critical areas.

Email Security vs. Malware, Ransomware, Theft of Credentials, Impersonation …

Malicious actors use email more than any other way into your company to launch most kinds of attacks. “After years of frightening narratives and countless examples, the data points to a broad understanding of the potential risk for email-borne attacks — in other words, sophisticated attacks that arrive inside your environment via email,” according to Mimecast’s “State of Email Security 2020.” For example, database hacking is often traced back to credentials stolen via email. Malware is embedded in attachments to email. Impersonated brands send emails containing malicious links. And the list goes on.

What’s more, 60% of organizations surveyed for Mimecast’s 2020 SOES report believed they were likely to suffer an email attack in the coming year. The question is how to connect the dots from recognizing business risk to budgeting an effective response. And for top management and board directors, that means establishing the ROI.

Quantifying the Financial Benefits of Blocking Malicious Emails

Every company’s situation is different, but they share common problems. For example, without effective email security, employees at the companies interviewed by Forrester regularly experienced spam and other unwanted or malicious email. Frequent calls to security and email administration teams demanded a great deal of time identifying, investigating and remediating problem email, all of which resulted in lost productivity and other costs at every level of the organization. Even when using a cloud email service with built-in security protections, interviewees continued to experience more spam, phishing and other email-based attacks than they could tolerate.

Investing in additional email security delivered savings of $1.1 million over three years for Forrester’s composite profile of a 12,000-employee company using Mimecast’s email security solution to block malicious emails on Microsoft 365, the most common email provider to small- and medium-sized businesses.

Reduced exposure to security threats was among the important cost savings, with Forrester citing an average $343,000 cost per security breach. One CISO interviewed pointed to the successful blockage of ransomware at his healthcare organization, while noting that a local competitor had suffered a major disruption from the same email-borne attack.

Reducing the Spend on Email Security Monitoring

As Mimecast cybersecurity services reduced the number of attacks, the composite company was also able to reduce email security monitoring time to generate an additional $613,000 in savings, Forrester calculated. Analysts began handling more manageable workloads, and many could be redeployed to address other security initiatives. Among less tangible benefits, job satisfaction increased and turnover decreased.

Doing the Cost/Benefit Analysis

Altogether, Forrester calculated an ROI of 225% over three years for the composite organization across all five strategic services to be explored in this series. That is, $3.9 million in aggregate benefits versus $1.2 million in the cost of licensing, security team training and a part-time system administrator for services to block and monitor malicious emails, protect against brand spoofing, check employees’ risky behavior, retire on-premises archives and streamline e-discovery. Forrester’s analysis provides an approach companies could apply to their own perceived threats and cybersecurity responses.

Growing Understanding of Email Security ROI

Others have also been adding new levels of financial insight to attacks delivered by email. Some examples:

• The Hiscox business insurance company quantified the median cost of a breach in 2020 at $504,000 for companies with more than 1,000 employees, $133,000 for those with 250 to 1,000 employees and $50,000 for those with 50 to 250 employees. Breaking out some of those costs, Hiscox reported that the mean losses for companies subjected to a ransomware attack were $927,000 — whether a ransom was paid or not.[2]
• Bank of America reported that the number of consumers who say they will never return to a small business that has suffered a data breach reached almost 30% in 2019, an increase of 20% from 2017.[3]
• Yet according to a Ponemon Institute survey, only 41% of organizations attempt to quantify what a security incident would cost them.[4]

The Bottom Line

The ROI of email security is taking on new importance but remains difficult to quantify. New ROI findings explored in our five-part series based on recent findings by Forrester illustrate significant ROI on email security from Mimecast and provide a model any organization can follow to estimate their own potential ROI.

[1] “Cyber-Risk Oversight 2020,” Internet Security Alliance, ecoDa and AIG

[2] “Hiscox Cyber Readiness Report 2020,” Hiscox

[3] “Bank of America Merchant Services’ Third Annual Small Business Payments Spotlight,” Bank of America

[4] “Measuring and Managing the Cyber Risks to Business Operations,” Ponemon Institute