Skip to main content

How much does a cybersecurity policy cost? Is the ROI sufficient? Above all, are software publishers interested in investing more in their cyber measures? Answers.

Companies in all sectors need help to keep pace with the ever-changing cyber threat landscape and to adapt their cyber budgets accordingly. As more and more software publishers migrate to the cloud, they are particularly affected. The new data protection issues raised by the cloud have heightened demand for cybersecurity: software publishers plan to increase their budgets dedicated to cyber defense from 5% to 15% by the end of 2023 (source: Auris-finances).

How much does a cybersecurity policy cost?

Significant costs…

Implementing an effective cybersecurity policy requires substantial investment, whatever the type of organization involved.

The first step is often the implementation of an asset monitoring and protection solution, such as an EDR or XDR. According to a Kaspersky report, companies here have the option of investing in three types of resolution, with distinct costs:

  • A traditional in-house cybersecurity solution, where cybersecurity is handled in-house by the company’s IT teams. The report estimates the average annual cost of such a solution at €54,300.
  • A cybersecurity solution via the cloud, where the hosting provider sets up the cybersecurity system. This solution would cost organizations an average of €27,200.
  • An outsourced cybersecurity solution: the company calls on cybersecurity professionals to guarantee IT security for an average budget of €36,000 annually.

Whichever solution is chosen, the cost remains significant for companies. Particularly for large groups with a lot of equipment and employees. Yet this investment remains low compared to the price of a successful cyber-attack…

… to be put in perspective with the financial repercussions of a cyber attack

According to an IBM study, a cyber-attack costs the victim organization an average of $4.45 million. Each attack generates: 

  • Visible costs for the company, such as:
    • Business interruption
    • Fees for experts hired to eliminate the hazard and find its origin (forensic analysis)
    • Legal costs and fines in the event of damage to customers
    • The price of rapid reinforcement of security systems
  • Hidden costs, such as:
    • A loss of credibility, primarily when the hacked organization works in the IT sector
    • Loss of intellectual property
    • Loss of employee and customer confidence

By comparing the costs of cybersecurity with those of a cyberattack, it is more profitable to implement a cyber policy than to risk an attack.Software publishers therefore have every reason to invest, as they are prime targets for cybercriminals.

Cyber-attacks on software publishers increased by 146% in 2020. (Source: Check Point Software 2022 report)

The benefits of a cybersecurity policy for software publishers

Implementing a cybersecurity policy benefits software publishers — although these are difficult to quantify.

Maintaining or gaining the trust of users

Software users expect it to meet a certain level of quality and a certain degree of security – in France, it will soon be measured with a “cyber score”. Software publishers who invest in a cybersecurity policy are more likely to:

  • Stand out from the competition: a solid cybersecurity policy can be a powerful argument when choosing software ;
  • Retain existing customers: a software company that has never been hacked inspires confidence and encourages customers to reinvest.

Implementing a cybersecurity policy and communicating about it can be a real lever for acquiring new customers and retaining old ones.

Read also: Software publishers, cybersecurity as a trust-building lever

Meeting regulatory requirements 

A cybersecurity policy also helps software publishers prove that they meet certain regulatory obligations, such as:

  • The General Data Protection Regulation (GDPR) imposes strict measures to guarantee the security of users’ data.
  • The imminent European Cyber Resilience Act (CRA) will impose cybersecurity requirements on vendors and manufacturers of digital products — both software and hardware.
  • The French Military Law (LPM) obliges software publishers operating on French territory to inform their customers and ANSSI in the event of a significant vulnerability in a product.

Read also: All software publishers in France must now report vulnerabilities to the national authority

Given the costs, benefits, and potential consequences, investing in a solid cybersecurity policy is an obligation for software publishers wishing to preserve their business.

NIS2 Directive: Step-by-Step Guide to Compliance

A 40-page guide to walk CISOs, DPOs and legal departments through the directive. No mumbo jumbo, only useful and actionable insights.


Software publishers: how can you protect yourself?

You can use various cyber solutions to guarantee the security of your information systems and products.

To limit the risks of attack — and the associated costs — the first step is to audit your IS and products to identify vulnerabilities

Pentesting and Bug Bounty are particularly efficient solutions:

  • Pentest as a Service: a security audit launched in less than a week for a fixed price. Uncover most of the vulnerabilities in a product and assess its security level at a given time, or plan several pen tests throughout your development cycle as part of a DevSecOps approach.
  • Bug bounty: an in-depth vulnerability hunt with the security researchers of the Yogosha Strike Force. Identify the most critical vulnerabilities with a pay-for-results logic. No vulnerabilities = no expenses: you’re only rewarded for exploitable results.

As an expert in cybersecurity, Yogosha helps software publishers strengthen the protection of their information systems and products. Our Vulnerability Operations Center (VOC) allows you to launch PtaaS and Bug Bounty operations with expert security researchers, and manage them easily from a dedicated platform.

With Yogosha, improve the digital security of your software to prevent attacks. Contact us!