The go to saying among cyber security experts is: “it’s not a question of if, but when you will face a cyber attack.” This quote captures most of this article and the business case argument by many cyber security experts.
Cyber security is often seen as an inconvenience by business people or just another compliance issue. This certainly has been the case across many industries where you see general low social engineering scores. Security is often not a top priority, besides the hardlined approach of favorable ROI, security is not perceived to advance the company towards its annual goals. What needs to be understood by business managers is that data is the heart and soul of their business regardless of what industry they’re in. One well planned data breach could trigger the collapse of the entire organization. Cyber security is one of the most critical forms of resiliency in the modern world.
There are high costs to non-commitment towards cyber security. In a comprehensive report, Deloitte identified the top seven hidden costs that come with a cyber attack on an organization. These hidden costs include: insurance premium increases, increased costs to finance via debt (higher interest rates), operational disruption or destruction, lost value of customer relationships, value of lost contract revenue, devaluation of company brand, and loss of intellectual property.
The Business Case for cyber security can be broken down into the following areas: legal, financial, and operational.
The Legal Facet
Lawmakers around the world have increasingly started to impose increasingly severe consequences for companies that don’t take measures to prevent a data breach. The landmark legislation that will likely catch a lot of companies by surprise is coming from the European Union. The legislation that is coming soon is called the General Data Protection Regulation (GDPR). The GDPR penalizes violators on a sliding scale that is intended to cut into a company’s bottom line. If a company violates a chapter of the regulation, they will face a fine of 4% of global revenue. The GDPR will affect any company that engages European citizens in any way.
In the United States, recently Yahoo faced an investigation from the SEC which was triggered by Yahoo not disclosing a breach. The data breach itself set Yahoo back about $350 million when the company was sold to Verizon. The legal and financial costs of a data breach extended well beyond the theft of data.
Legislation and public institutions are coming down hard on organizations who do the bare minimum to prevent a data breach. If businesses do not take cyber security seriously then they face a world of fines and lawsuits in the future.
The Financial Facet
Return on investment (ROI), those infamous words that reduce any and all activities in an organization down to just how much it can contribute to growth. The proposals that contribute the most to growth usually win; which is why cyber security proposals often lose because security cannot be captured in such a narrow definition of growth. So when calculating growth the standard calculation doesn’t work. However, thankfully there are approaches towards ROI that integrate the savings and rate of prevention that investment into cyber security provide.
According to Ponemon institute’s 2017 Cost of Data Breach Study, the average cost of a data breach is $3.6 million. Considering that companies can often suffer several during the course of a year, these breaches can add up. Also as mentioned above, this is just the surface level, there are hidden costs that come with every breach.
The Operational Facet
With the rise of ransomware as the new norm, a cyber attack is no longer simply the theft of some customer data. Your operations are at risk now and can be paralyzed until you pay a ransom or have backup locations where your data is resting. Downtime of your network means downtime of staff being able to do their job. This productivity loss can have massive financial and brand implications for every minute that your servers are down. The most infamous case of this was during the WannaCry ransomware outbreak. The NHS suffered an attack by the WannaCry ransomware on most of their facilities which left them unable to render healthcare services to many patients. Another attack that paralyzed operations was the NotPetya attack that left FedEx unable to deliver on their services worldwide. No company is immune to cyber attacks, as stated above it’s a matter of when the attack will happen.
The implications of a cyber attack are massive for business the lack of resilience around the critical asset of data which is the core driver of economic activity in the world. Businesses need to commit to cyber security, this isn’t a random side project it’s a mission critical part of the company that cannot be neglected any further.