
How to calculate ROI from cybersecurity in Web 3.0

Published: 6 Sep 2022 Updated: 19 Oct 2022

The term “cybersecurity” has never been so important. The DeFi explosion in 2020-2021 caused cyber-attacks on crypto-projects and their customers. During international conferences, meetups, and round tables, business leaders and tech gurus actively discuss the strategies that can be applied to deal with the growing cybersecurity risks. No company in the world would like to appear in newspaper and media headlines alongside the words “was hacked” or “suffered from an exploit”. The terms Web 3.0 and cybersecurity cannot be used independently. Thus, every company operating in the Web 3.0 industry should invest in cybersecurity.

Today solid digital companies appoint a specialist or even a top manager responsible for ensuring their cybersecurity. Apart from fulfilling direct business duties, this specialist has to answer the following questions:  

Does investing in cybersecurity bring profits to businesses? How much will my business gain by investing $100K in cybersecurity? Let’s try to figure out the answers. 

Meaning of the term “cybersecurity” in Web 3.0

Simply put, cybersecurity is a set of activities carried out by a company to protect itself from digital attacks. Cybersecurity encompasses three main components: preventing, addressing, and dealing with the outcomes of cyberattacks.

Cybersecurity touches all elements of the company’s operations, including computers, networks, data, programs, applications, and people. Every company should always have a cyberattack recovery plan in place since no business is 100% free of the risk of security compromise. 

Web 3.0 cybersecurity concerns   

Although Web 3.0 constitutes the evolution of the previous version of the Web, it has its unique security implications and risks for businesses. Decentralization brings new opportunities to both companies and users but also opens new attack vectors for bad actors. 

Main Web 3.0 cybersecurity risks 

  • Smart contract logic hacks: these attacks are aimed at exploiting functions and services such as governance, crypto loan services, wallet functionality, interoperability, etc. Unauthorized interference in transactions by bad actors can cost projects time, effort, and money to deal with the consequences;
  • Ice phishing: activities carried out by bad actors to lure users into signing malicious transactions such as sending tokens to illicit wallets, etc.;
  • Irreversible nature of transactions: once virtual assets are sent, they cannot be returned to the original address. Thus, even law enforcement bodies will not assist businesses in recovering funds received by bad actors;
  • Identity flaws: decentralization and associated anonymity create serious challenges for companies in terms of regulatory compliance. As a result, businesses may unintentionally become involved in money laundering or even terrorist financing, thereby causing themselves disastrous reputational damage;
  • Rug pulls: the Web 3.0 economy, even in bearish conditions, provides attractive profit opportunities for the parties involved. Influencers and marketing leaders play a big role in the success or failure of Web 3.0 businesses. There is a risk that, by using insider information or business secrets, these people may decide to exit a project, thereby extracting huge profits while making the community and the project team experience heavy losses.

Cybersecurity ROI: How many X can companies get by investing in cybersecurity?

According to recent Hacken research, Web 3.0 projects lose $8.9M on average by falling victim to hacks or other forms of exploits. For small and middle-sized projects, this sum may be too big to recover from and return to normal business. Thus, even if Web 3.0 companies invest $1M annually in cybersecurity, they get almost 10X ROI. However, this is just an approximate estimation since investing in cybersecurity improves the company’s reputation in the eyes of both users and partners. During times of high market volatility and uncertainty, users prefer choosing risk-free investment opportunities even with lower than average income rates.

Web 3.0 cybersecurity must-haves and their cost for businesses

Getting to a 10X ROI is difficult but possible. Companies should realize that there is no one-size-fits-all cybersecurity solution that makes them absolutely unbeatable for bad actors. However, there is a set of cybersecurity activities companies can and should take to raise their resistance to cyberattacks to new levels. This list includes but is not limited to:

Smart contract audit

Full-scope automated and manual security check of your project’s smart contracts by professional security engineers during which they look for both major vulnerabilities and minor bugs. The key benefits of a smart contract audit for your project are time optimization and access to the auditors’ years of expertise. On average, the cost of a smart contract audit varies between $5K and $30K. For extremely big smart contracts, this figure is much higher and may reach up to $500K. A smart contract audit is a one-time measure, and if a company decides to apply for an additional audit a few months later, it will need to cover its full price.

Penetration testing

Simulation of real-world cyberattacks performed by certified engineers who follow the rules and scope agreed with the customer. The purpose of penetration testing is to detect vulnerabilities in the tested solutions so that a project can take timely measures to prevent possible real hacks in the future. The cost of penetration testing varies between $4K and $100K. The key benefit of penetration testing is the opportunity for a project to determine its real security level. Penetration testing is also a one-time measure.

Bug bounty program

Unlike a smart contract audit and penetration testing, a bug bounty program is a continuous security testing process performed by independent researchers seeking to get financial rewards for their findings. The key advantage of a bug bounty program over other forms of security testing is the number of specialists looking for bugs in the client’s solution. Bug bounty platforms may unite thousands of specialists and, thus, the customer gets a unique set of skills and knowledge mobilized to improve its security. The other advantage of this form of security testing is that, apart from the subscription fee, a customer pays only for bugs detected. On average, companies pay a few hundred dollars for minor bugs and up to $50K or even $100K for major and critical bugs. Thus, the more bugs the company’s solution contains, the bigger the reward it will need to pay for the work performed by independent researchers.

Education of employees

The security of the company’s products is correlated with the level of employees’ knowledge and expertise. Every solid company invests in the personal and professional growth of its employees. Companies should strive to create a working environment in which employees are able to spend up to 20% of their working time on training (“Google rule”). This entails allocating an additional budget to invite business mentors, buy entry tickets to business conferences and meetups, and purchase subscriptions to online training or webinars.

Cultivation of team spirit and the atmosphere of mutual assistance

Companies with a healthy internal environment are less likely to experience insider attacks or malicious activities by developers or managers, such as exit scams or rug pulls. To this end, companies should strive to appoint a specialist responsible for communication with employees and the organization of team-building activities, family meetings, etc. As a result, employees would treat their company and their colleagues as a home and close friends and, thus, would not try to cause them any damage, whether financial or reputational.

Thus, companies of up to 100 employees need to allocate at least $100K annually for cybersecurity purposes. The higher the cybersecurity budget, the stronger their resistance to possible cyberattacks. 

Overall, by investing in cybersecurity, companies demonstrate their strong focus on gaining leadership in the fast-growing Web 3.0 economy. It is reasonable to conclude that cybersecurity is the digital healthcare for Web 3.0 players.
