“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked”.
― Richard Clarke
Contemporary information and communication technologies (ICT), often called digital technologies, are firmly embedded in modern societies.
The space hosting these technologies, also known as cyberspace, is continually shifting as new devices are added and old ones disappear. In this digitally mobile era, locations are also moving, allowing for more flexible and effective business.
The benefits of these technologies, or digital prosperity, are achieved by boosting existing industries but also by creating new ones that would be unimaginable without these technologies.
Global spending on ICT in 2018 is estimated to reach about 4 trillion USD, according to the latest global market study by the International Data Corporation (IDC). Worldwide technology spending on the rapidly growing Internet of Things alone is predicted to reach 1.2 trillion USD in 2022.
Unfortunately, these technologies can be misused for curbing or annulling our digital prosperity. Recent announcements by Google and Facebook confirm that the security of even the most powerful IT companies can be breached.
The newest reports on cybersecurity threats and breaches are conclusive: the total cost of a successful cyber-attack averages over 5 million USD, as reported by the Ponemon Institute. According to Gartner, worldwide cybersecurity spending in 2018 will reach 96 billion USD.
On the other hand, only a third of organisations recently polled by the Ponemon Institute believe they have adequate resources to manage security effectively.
These and similar figures often confuse business people, prompting a logical question:
What should be the costs of cybersecurity in order to secure our digital prosperity?
Although the right answer to this question is always contextual, there are some considerations that can help in determining the costs of our cybersecurity.
My thoughts given here are aimed at sharing them with cybersecurity colleagues and ICT users, hoping that some of you will comment and add more useful tips on the topic.
Firstly, we have to understand that our digital security is not and must not be the concern of IT departments only, but of all business functions: from operations to the executives and boards.
Secondly, more security technology does not necessarily mean a more secure organisation, since the complexity and variety of technologies can sometimes damage organisational cybersecurity. More (sometimes unnecessary) technology can easily overwhelm the organisational IT department with a huge quantity of data from different sources, making data analysis and correlation almost impossible.
Hence, organisations should strive to balance cybersecurity costs by investing appropriately in an equilibrium between technology, building the capacity of the human factor, and having sound strategies and policies.
Thirdly, cybersecurity actions are successful in protecting our digital prosperity if they reduce cyber-attack related losses by a higher sum than the preventative security measures cost.
Here is an example. If an organisation invests ZAR 1,000,000 in cybersecurity hardware and software, and that investment reduces the losses due to cyber-attacks by considerably more than ZAR 1,000,000, then that investment is justifiable. If that investment reduces losses by less than ZAR 1,000,000, then it cannot be called balanced or reasonable.
Fourthly, the cybersecurity cost of protecting organisational assets and business operations should be considered from the viewpoint of reasonable assurance. In other words, managers must use their judgement to ensure that the costs of cybersecurity safeguards do not exceed the benefits of the protected system or the possible risk of organisational information assets being destroyed or damaged.
This will inevitably depend on having the right resources, initiatives, processes and technologies, as well as the right and balanced investments.
Fifthly, we should not forget the power of simple measures.
According to a recent AFCEA study on the economics of cybersecurity, measures such as application whitelisting that restricts user installation of applications, regular updating (‘patching’) of the operating system and applications, and restricting administrative privileges can be effective in preventing 85% of cyber intrusions!
Finally, it is always good for organisations to first consider their contextual situation and best practice before spending often limited resources on ineffective cybersecurity, or underinvesting in securing digital prosperity.
And, yes, enjoy your coffee…