Although the right answer to this question is always contextual, there are some considerations that can help in determining costs of our cybersecurity.
Thanks to modern digital technologies we are more connected, effective and creative, and these technologies offer businesses a sustainable basis for growth and innovation. However, the recent infamous WannaCry and Petya ransomware outbreaks and other cyber-attacks are, unfortunately, not isolated cases and will be repeated in new forms sooner or later.
The current state of affairs strongly suggests that total security in the cyber world is (nearly) impossible to achieve. In 2016, for example, over four billion records were stolen worldwide, causing damages measured in multiple billions of US dollars. Over one billion dollars was lost to ransomware attacks in the last year alone. Such terrifying stories continue daily.
The advantage of cybercriminals over cyber defence lies in asymmetry: an organisation must defend against all known vulnerabilities, whereas an attacker needs to exploit only a single vulnerability, known or unknown, to launch an attack. This creates an asymmetry in the cost of mounting an attack and the cost of defending against it. In other words, cybersecurity requires substantial investment to protect an organisation against every, or at least most, possible avenues of attack, while the attacker needs far fewer resources, since it is sufficient to find one vulnerability and exploit it.
A similar asymmetry applies to the adoption of ever-advancing technologies. Cyber intruders can quickly adapt to a changing technological landscape at negligible cost, usually with the backing of an underground economy supported by the Dark Web.
Feeling threatened, most government and private sector organisations have been increasing their spending on protecting their cyber assets. However, some organisations choose to do exactly the opposite: they underfund cybersecurity because "it is going to happen anyway, so why spend the money".
While over-investment or misdirected investment may be viewed as wasteful, underinvestment in cybersecurity can be detrimental. Yet many organisations, worldwide and in South Africa, still struggle to determine how much to invest in cybersecurity and where those investments should be made. This is particularly true for resource-scarce small and medium businesses.
Let us then look at some considerations that can help in determining an appropriate investment in our organisational cybersecurity.
Consider before you spend on cybersecurity
Firstly, it should be understood that digital security is not, and must not be, the concern of the IT department only, but of all business functions: from operations to the executives and the board.
From the business viewpoint, it is important to identify the company's informational assets and their value, as well as the liability and damage that a successful cyber-attack on them could cause. In this regard, the criticality, cost and sensitivity of organisational informational assets should be appraised and clearly understood.
Criticality of an asset is measured by the impact on the organisation's productivity if the asset is successfully attacked. For example, a database corrupted by a cyber-attack would severely reduce the organisation's ability to generate revenue.
Cost of an asset refers to the expense of replacing that asset if it is stolen or destroyed. For example, replacing a stolen laptop or rebuilding a damaged database would incur considerable cost.
Sensitivity of an asset is determined by the impact of its confidential information being disclosed or improperly used. For example, stolen customer records can severely damage a company's reputation and even drive it out of business.
Understanding the cybersecurity risks to organisational assets is, understandably, highly important. The unequivocal advice from cybersecurity experts is to balance cybersecurity risks against the cost of addressing them. In other words, it is not advisable to spend more on protecting an asset than the asset is worth.
Improving security from good to much better is often very expensive. However, risk can be lowered by spending a balanced amount of money. The right amount is set by deciding what level of risk is acceptable and what consequences can be tolerated.
More security technology does not necessarily mean a more secure organisation, since the complexity and variety of technologies can itself harm organisational cybersecurity. Piling on tools can easily overwhelm the IT department with a huge quantity of data from different sources, making analysis and correlation almost impossible. Hence, organisations should strive to balance cybersecurity costs by investing in an equilibrium between technology, building human capacity, and sound strategies and policies.
In a nutshell, balanced cybersecurity risk management is the act of successfully lessening losses. In other words, cybersecurity actions are successful if they reduce cyber-attack related losses by more than the preventative measures cost. Here is an example: if an organisation invests ZAR 1,000,000 in cybersecurity hardware and software, and that investment reduces losses due to cyber-attacks by considerably more than ZAR 1,000,000, then the investment is justifiable. If it reduces losses by less than ZAR 1,000,000, the investment cannot be called balanced or reasonable.
Finally, the cost of protecting organisational assets and business operations should be considered from the viewpoint of reasonable assurance. In other words, managers must use their judgement to ensure that the cost of cybersecurity safeguards does not exceed the benefit of the protected system, or the potential loss from the destruction or damage of organisational informational assets. This inevitably depends on having the right resources, initiatives, processes and technologies, as well as the right, balanced investments.
In the end, maturity costs less
Organisational cybersecurity maturity also affects the balance between digital protection costs and benefits. In other words, the development and measurement of organisational cybersecurity should be based on a well-defined maturity model. One such model is given by AT&T in their IDC Global Cybersecurity Readiness survey, which identifies four levels of cybersecurity preparedness.
Passive readiness characterises the least-prepared organisations, run by executives who take a hands-off approach. They tend to be unaware of most cybersecurity breaches and react only to the breaches they do detect.
Reactive readiness describes companies with below-average levels of cybersecurity readiness. In these organisations, C-level executives pay moderate to little attention to cybersecurity, delegating both the expertise and the day-to-day management to their IT departments.
Proactive readiness characterises companies with above-average levels of cybersecurity readiness. These companies recognise the importance of cybersecurity and have put in place basic steps to avoid breaches.
Progressive readiness is the highest level, in which C-level executives pay close attention to security and invest in a holistic, comprehensive prevention and response strategy.
Although progressive readiness requires considerable resources, the evidence shows that progressive organisations share several key qualities that help them rise to the top. They are pragmatic: their C-level executives take a pragmatic approach to planning and response. They are comprehensive: they concentrate more on readiness assessment and planning than on post-breach diagnosis. Finally, they are diligent, performing near-constant security reviews.
How much could spam emails cost your organisation?
We all know that spam is an economically viable advertising channel. Besides being a nuisance, spam emails can carry dangerous malware, particularly the much-dreaded ransomware. Hence, these messages are nowadays a serious problem.
Even at its mildest, spam is costly without carrying any malware at all. Consider the following example.
A company has 2,000 employees, and 1,000 of them receive 20 spam emails per day. On average, they spend at least 10 seconds opening, reading and deleting each spam email. That adds up to 200 seconds per employee per day, in other words 3 minutes and 20 seconds.
If these employees are paid R15,000 per month, then (assuming 20 working days per month and an 8-hour working day) they earn R750 per day, R93.75 per hour, R1.56 per minute or about R0.026 (2.6 cents) per second.
Cleaning out spam thus costs this company about R5.21 per affected employee per day, just for deleting junk mail. Across the 1,000 affected employees that is roughly R5,208 per day, which translates into about R104,167 per month or R1.25 million per year!
All of this money can be saved by introducing an appropriate spam policy, which will cost this hypothetical company far less than the potential losses. Moreover, if the policy is applied correctly, it can prevent the spread of malware through the organisation, thereby preventing the losses of an e-mail related cyber-attack.
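As an added example (not from the original article), the following Python calculator generalises the spam-handling estimate above and applies the break-even rule from the section on balanced risk management (a safeguard is justified only if it removes more loss than it costs). It assumes a 20-working-day month and an 8-hour working day, the assumptions implicit in the R750-per-day and R93.75-per-hour figures; the R1,000-per-month filtering cost in the usage example is hypothetical. Exact fractions are used internally so that rounding does not creep into the intermediate figures, which is the kind of slip that is easy to make by hand.

```python
from fractions import Fraction


def spam_handling_cost(employees_receiving_spam, spam_per_day, seconds_per_email,
                       monthly_salary, working_days_per_month=20, hours_per_day=8,
                       months_per_year=12):
    """Estimate what unfiltered spam costs in wasted salaried time.

    Returns a dict of rounded figures in the same currency unit as
    monthly_salary. The 20-day month and 8-hour day defaults are assumptions
    implied by the article's daily and hourly rates, not stated by it.
    """
    seconds_per_working_day = hours_per_day * 3600
    # Exact cost of one second of an employee's time.
    cost_per_second = Fraction(monthly_salary) / (working_days_per_month * seconds_per_working_day)
    seconds_lost_per_employee_day = spam_per_day * seconds_per_email
    per_employee_day = cost_per_second * seconds_lost_per_employee_day
    daily = per_employee_day * employees_receiving_spam
    monthly = daily * working_days_per_month
    annual = monthly * months_per_year
    return {
        "seconds_lost_per_employee_day": seconds_lost_per_employee_day,
        "per_employee_per_day": round(float(per_employee_day), 2),
        "daily": round(float(daily), 2),
        "monthly": round(float(monthly), 2),
        "annual": round(float(annual), 2),
    }


def investment_is_balanced(control_cost, loss_reduction):
    """Break-even rule from the article: a safeguard is justified only if it
    reduces losses by more than it costs. Returns (justified, net_saving)."""
    net = loss_reduction - control_cost
    return net > 0, round(net, 2)


if __name__ == "__main__":
    # The article's scenario: 1,000 of 2,000 staff get 20 spam mails a day,
    # 10 seconds each, on a R15,000 monthly salary.
    est = spam_handling_cost(employees_receiving_spam=1000, spam_per_day=20,
                             seconds_per_email=10, monthly_salary=15000)
    for name, value in est.items():
        print(f"{name}: {value}")
    # Hypothetical filtering cost (R1,000 per month) to illustrate the rule.
    filtering_cost_per_year = 12 * 1000
    ok, net = investment_is_balanced(filtering_cost_per_year, est["annual"])
    print(f"filtering justified: {ok}, net annual saving: R{net}")
```

Running the block reproduces the corrected figures above (R5.21 per affected employee per day, about R104,167 per month and R1,250,000 per year) and shows that a filtering control costing R12,000 a year would clear the break-even test by a wide margin.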
Power of simple measures
Simple measures such as this one for spam, and the application of low-cost cybersecurity safeguards in general, can save organisations a fortune. According to a recent AFCEA study on the economics of cybersecurity, measures such as application whitelisting (restricting which programs users can install and run), regularly updating ("patching") the operating system and applications, and restricting administrative privileges can prevent 85% of cyber intrusions!
Hence, it is always worthwhile for organisations to first consider their own context and established best practice before spending their often limited resources on ineffective cybersecurity, or underinvesting in securing their digital future.