Cybersecurity is complex and the risks from a security breach are underrated. Cyber criminals are at work around the clock, finding new ways to break into corporate networks to steal personal data, financial data, and intellectual property. As a result, CIOs are continually balancing the risks versus the returns of their cybersecurity investment. It seems impossible to stave off all types of security threats, so how much protection do they really want to pay for? It’s like buying insurance; how much coverage is enough and can you have too much?
If you consider the numbers, the cost of a cybersecurity attack could easily justify a substantial IT security budget. According to new research from the Ponemon Institute, 79 percent of IT professionals and IT security professionals indicated that they have no resources to address external cyber threats, or that protection against outside attacks is not consistently applied across the enterprise. The results of the study sponsored by BrandProtect, “Security Beyond the Traditional Perimeter,” reveal that attacks take many forms, including social engineering, executive impersonations, and other forms of external attacks. The key findings from the report include:
- On average, there are at least 32 material cyberattacks per month.
- The cumulative cost to an organization from cyberattacks averages $3.5 million annually.
- Security processes for Internet and social media monitoring are said to be non-existent (38 percent), ad hoc (23 percent), or inconsistent (18 percent).
- Protection of intellectual property (IP) is essential to company operations according to 59 percent of those surveyed.
Clearly, organizations are not investing in security against attacks, and they are undervaluing the losses from cyberattacks.
Weighing Resources Against Risk
Even those organizations that do understand the potential threat and the potential losses from external cyberattacks say they lack the resources to defend themselves. According to the Ponemon survey:
- Sixty-four percent say they lack the tools and resources needed to adequately monitor for threats.
- Sixty-two percent say they lack the tools and resources needed to analyze and understand the threats.
- Sixty-eight percent say they lack the tools and resources needed to mitigate external threats.
The universal complaint is lack of tools and resources. Consider what would happen if even a portion of that potential $3.5 million in losses was allocated for additional security tools and staffing. Would that be adequate to solve the problem?
Again, we have to consider return on investment. Can you make an adequate case for improving your security infrastructure to combat all the potential threats? That would require expert staff, equipment, new protocols and procedures, analytics tools, cloud resources, and much more. When does the cost of prevention outweigh the risk?
Estimating the degree of risk from cyberattacks is a risky proposition in itself. Consider the case with cyber insurance. Many insurance underwriters don’t know how to value losses from cyberattacks. In fact, it’s common practice for underwriters to present corporate clients with a checklist to set their own valuation of cyber losses, and as a result, most companies are dramatically underinsured. How do you gauge the value of lost intellectual property, lost business, and lost reputation, let alone losses from litigation and class action suits? Target stores, for example, suffered a data breach in 2013, and although the company had $90 million in cyber risk insurance, losses have been estimated to reach $256 million.
In retrospect, would it have made sense for Target to invest tens of millions of dollars in cybersecurity to head off the losses from a data breach? Probably not. It’s difficult to justify that kind of expenditure on what could happen, especially when you can’t guarantee you won’t miss something. However, there are alternatives.
Outside Experts Minimize Risk and Save Money
Cyber protection is one of those services that is best left to professionals. Most companies hire security services to provide physical protection for their building. They don’t put the watchmen on the payroll and hire their own experts to manage the alarm systems because it’s not cost-effective. The same is true of cybersecurity.
Just as outsourcing backup services and disaster recovery makes more sense than investing in massive amounts of data storage and mirrored systems, it makes sense to outsource cybersecurity. Rather than worrying about finding, hiring, and retaining security experts, why not get a fresh perspective from professionals who are dedicated to providing security solutions and who stay abreast of the latest threats? You get better expertise at a fraction of the cost.
In the era of the cloud, most enterprise networks consist of a combination of on-premises and hosted network services. Whether your company has a private cloud network or some kind of hybrid cloud, remote monitoring and analysis is a logical way to extend cyber protection. Outside experts can monitor network traffic, look for anomalies, and take action in the event of a cyberattack. And security experts work around the clock so you get 24-hour protection.
In addition, the right security consulting company can provide on-site support and training. They can help create policies and procedures to minimize threats from social engineering or careless users. They also can help design a more secure infrastructure and advise on best practices to minimize threats.
When you consider the potential risks, there is no reason not to have adequate protection from cyberattacks. You don’t have to take on the responsibility yourself. Find the right security partner and work with them to develop the right security protocols and safeguards. And you can use service-level agreements (SLAs) as your guarantee that you will get the right degree of protection from a company that is willing to stand behind its service. A small investment in the right security partner today can save you millions of dollars from cyberattacks.