EXECUTIVE SUMMARY:

A joint study from research firm ESI ThoughtLab, WSJ Pro Cybersecurity, the Security Industry Association (SIA), and other organizations finds that organizations that seek to digitally transform face significantly more risk if their cybersecurity infrastructure doesn’t keep pace.

According to the report, as companies adopt new technologies, they end up exposing themselves to “higher and more costly cyber risks” — to the tune of at least $1 million in losses from cyberattacks.

While malware, phishing, and ransomware currently lead the parade of threats, the study predicts explosive growth by 2020 in cyberattacks through partners, customers, and vendors (by 247 percent). Supply chain and distributed denial of service (DDoS) attacks are also expected to spike (146 percent and 144 percent, respectively).

Another interesting finding of the study is that the majority of companies' cybersecurity effort goes to protection. However, organizations are expected to focus more on incident response and recovery in the coming year in order to improve resilience.

Importantly, the study also delved into cybersecurity maturity and return on investment (ROI). The more mature the organization with respect to its investment in cybersecurity, the lower the probability of a cyberattack. The lower probability rate also corresponded with a reduced cost of a cyberattack. To illustrate, the report compared a less mature model with a more mature model, assuming both to be $10 billion companies. Basing the cyberattack costs on a percentage of revenues, the study cited a $3.9 million loss for beginners, compared with just $1.2 million for leaders.

However, the report acknowledged that it is harder to assess less mature organizations because of their inadequate detection systems.

According to the report, ROI is tough to measure for most, because of two key factors:

1) Many organizations do not measure indirect costs like loss of productivity or reputation, or opportunity costs, all of which can impact the bottom line.

2) Risk probabilities are hard to estimate and many don’t think to calculate the benefits of improved productivity.

Lou Celi, CEO of ESI ThoughtLab and director of the study, asserts that cybersecurity needs to be integrated into the growth strategy rather than being merely an afterthought. He adds, “While cybersecurity will always be more of an art than a science, companies need to do a better job of measuring their full direct and indirect cost-benefits to understand where to invest to secure their digital future.”

Get the full story at Security Industry Association.