How much is enough when investing in cybersecurity? The question came up in one of two new reports that examine the state of cybersecurity today. Both reports offer a wealth of information and, just as importantly, an opportunity for further discussion. The Ninth Annual Cost of Cybercrime study, from Accenture Security, was conducted by the Ponemon Institute; the 2019 Data Breach Investigations Report comes from Verizon.

Cybersecurity Statistics

Here are a few highlights from the Verizon report:

  • 69% of the breaches were perpetrated by outsiders. To that you need to add 2% by partners and 5% by multiple partners. Thirty-four percent involved internal actors.
  • 43% of the breaches involved small business victims, while 16% were of public sector entities, 15% in healthcare, and 10% of financial industry organizations.
  • 23% involved nation-state or affiliated actors.
  • Only 71% were financially motivated while 25% were espionage.
  • 56% took months to discover.

The Ponemon report told us:

  • Information theft is the most expensive and fastest rising consequence of cybercrime — but data is not the only target. Core systems, such as industrial control systems, are being hacked in a powerful move to disrupt and destroy.
  • Cybercriminals are adapting their attack methods. They are using the human layer — the weakest link — as a path to attacks, through increased phishing and malicious insiders. Other techniques, such as those employed by nation-state attacks to target commercial businesses, are changing the nature of recovery, with insurance companies trying to classify cyberattacks as an “act of war” issue.
  • Cyberattackers have slowly shifted their attack patterns to exploit third- and fourth-party supply chain partner environments to gain entry to target systems — including industries with mature cybersecurity standards, frameworks and regulations.
  • Almost 80% of organizations are introducing digitally fueled innovation faster than their ability to secure it against cyberattackers.
  • Organizations are seeing a steady rise in the number of security breaches — from 130 in 2017 to 145 this year.
  • The total cost of cybercrime for each company increased from $11.7 million in 2017 to a new high of $13.0 million — a rise of 12%. In the US, the average cost was $27.4 million.
  • Banking and Utilities industries continue to have the highest cost of cybercrime across their sample, with an increase of 11% and 16% respectively. The Energy sector remained fairly flat over the year with a small increase of 4%, but the Health industry experienced a slight drop in cybercrime costs of 8%.
  • "Our clients tell us that one of the most difficult questions when assessing their investments in cybersecurity is: How much is enough?"

What does all of this mean for your business? How does it affect either strategic or tactical decisions?

Investments in Cybersecurity: How Much Is Enough?

Let’s return to that last point. How much is enough?

Unfortunately, neither report tells us how much organizations are currently spending on their cyber and information security budgets, nor how they assess the likelihood of a significant breach that threatens the achievement of their objectives. So we cannot (even if we wanted to) rely on a benchmark of what others are doing.

I can’t find it now, but I recall a survey that said the average cyber budget was around $12 million. That seems a little low to me, and Forbes reports that Bank of America and Chase each spend about $500 million.

But if organizations are experiencing damages from breaches of $13 million, on average, are they spending enough, the right amount, or too much? How much would they suffer if they had not spent the $12 million (assuming that is correct)? How much could they reduce the level of risk should they spend another $12 million?

Again, how much is enough?

That is a business decision that needs to take into account the risk posed by cyber to business objectives, as well as the fact that any funds invested in cyber cannot be invested in other initiatives.

In "Making Business Sense of Technology Risk," I point out that assessing cyber risk based on the potential out-of-pocket cost is hardly the best measure. Most organizations can accept the risk if the potential for out-of-pocket cost is $10 million or less.

But, as the surveys tell us, very often the hackers are trying to disrupt or even destroy the organization and the services or products it provides. If a cyber breach prevents an organization from achieving its goals, the damage is generally seen by leaders as greater than pure out-of-pocket costs. They would be willing to spend substantial sums to prevent such a result.

Saying that the risk is “high” is meaningless. How does that inform the decision of how much to spend?

Leaders need to know how much to invest of their scarce resources into cyber. Should they spend more, what is the return on any additional investment, and even if there is a positive return, is it better than they would obtain on other investments?

They need to know whether to invest $5 million in cyber or that same amount into new product development, a marketing initiative, the deployment of new technology, etc. They rarely have the funds to spend on every source of risk — so they have to make intelligent and informed decisions.

A breach can affect the organization in many ways, from trivial to devastating. There is a range of potential effects, each with its own likelihood.

What's the Potential Impact on Achieving Enterprise Objectives? 

I prefer to assess cyber-related risk based on how the likelihood of achieving enterprise objectives is affected. Cost is one factor and not necessarily the most significant one.

Answering the question of how much to invest requires considering the likelihood of achieving objectives given all sources of risk, not just cyber. For example, if a cyber breach might affect customer satisfaction and thereby revenue goals, so might product quality issues and other factors. Assessing cyber risk to objectives in isolation is missing the big picture.

Aggregating disparate sources of risk to a single objective is a challenge, as is comparing the risk from cyber to the risk from changes in the economy, or deciding whether it makes more business sense to invest in cyber than in marketing. (That’s why I wrote the book — it’s too much to cover in a blog.)

Other matters to consider include:

  • The range of possible adverse effects of a breach and their likelihoods (based on how it might affect the likelihood of achieving enterprise objectives, not just the cost).
  • Is the level of risk, given the above, acceptable? Is there an acceptable likelihood of achieving objectives? Consider both the potential effects of cyber and how other sources of risk might affect the same objectives.
  • How will an investment in cyber change the level of risk (the range)?
  • What would it take to reduce the level of risk to acceptable levels? Is an investment in cyber the best way to reduce the overall level of risk?
  • Is the reduction in risk worth spending the money?
  • Are there better ways to spend the money?

This is not a technical issue. It’s a business one. Those responsible for IT and cyber need to work collaboratively with operating management to assess the potential harm to the business (not to information assets) and how the likelihood of achieving enterprise objectives might be affected.

Those making both strategic and tactical decisions regarding cyber need useful, actionable information. They need help figuring out how much to spend.

I welcome your comments.