The nontraditional ROI in preventing cybersecurity breaches
I’m not surprised that cybersecurity is not in the forefront of the minds of c-suite executives running small and mid-sized companies. Perhaps they believe that data breaches only happen in large companies. However, cyberattacks can happen to any company at any time.
In fact, smaller companies may be more of a target because hackers realize these organizations often lack sufficient expertise to deal with cyberattacks. Neglecting your company’s cybersecurity is simply not an option anymore. It needs to be a priority.
We’ve all heard about the cybersecurity attacks on large organizations, such as Capital One and Equifax. These attacks often result in significant data breaches and ransomware assaults. Rectifying a cyberattack is an expensive task for any size organization in terms of effort, time and cost, depending on the degree of damage.
But the attacks on smaller organizations are increasing, costing an average of $1.1 million per attack. Cyberattacks do not always succeed in penetrating the network of a company, but if they do, the result of one attack can be catastrophic, potentially forcing the organization to cease operations due to the lasting financial damage.
In addition to direct financial losses, there may be other costs, including regulatory or industry fines for data protection compliance violations, hikes in insurance premiums and decreases in stock market share prices. The Capital One data breach cost between $100 million and $150 million, including fines associated with the breach.
There may be significant losses in sales and business opportunities if customers and business partners are upset by the compromised data and concerned about future risk. An attack can lead to an interruption in a company’s operations if there is a supply chain breach, requiring additional funds to address safety concerns. Here’s the bottom line: these costs are more than what the organization would have spent if it had invested in cybersecurity protection.
Effective methods for preventing cybersecurity breaches
It is important for your organization’s board and c-suite executives to understand that a cybersecurity investment doesn’t fit neatly into the ROI model, as the purpose of cybersecurity is to mitigate potential attacks rather than generate profits. In other words, security is not an investment. It is an expense that over time will reduce costs by preventing potential losses.
Here are my suggestions for averting cyberattacks:
1. Educate your employees on cybersecurity through training conducted by security experts.
2. Ensure your organization has the proper cybersecurity software, including firewalls. Recognize that just as hackers frequently change their methods, software also needs to evolve to block cyberattacks. This means all upgrades and patches must be installed immediately after they are released to keep the computer and network systems safe.
3. Comply with all regulatory statutes. A critical point for the ROI distinction is that many organizations are now subject to national and international cybersecurity policies and regulatory compliance regimes, such as the General Data Protection Regulation (GDPR), which require companies within their jurisdiction to buy security products and services, even if those companies have a high ‘risk appetite.’
4. Establish a governance, risk and compliance (GRC) team that is responsible for documenting and analyzing cyberattack risks, creating mitigation plans and controls, and performing ongoing risk assessments to make sure these policies are up to date. Additionally, the cybersecurity team can, and should, monitor the infrastructure continuously, review incidents and take appropriate actions. If it is not cost-effective or feasible to have an onsite GRC or cybersecurity team, I suggest using a third-party cybersecurity vendor to perform a risk assessment of the company’s computer systems, security, network, firewall and IT applications and a review of the company’s security policies. If the budget allows, do this assessment yearly.
There are additional reasons why c-suite executives of small and mid-size companies should find the time and resources to properly fund cybersecurity plans and protocols, even without a clear ROI for this investment. We know these companies are attractive targets for hackers because smaller companies sell their services as third-party vendors to larger organizations.
Cybercriminals can exploit a small company’s lack of cybersecurity protection, hack into the small company and then use this as a backdoor to infiltrate the larger organization. When the source of the cyberattack is uncovered, a small or mid-size company may lose lucrative contracts with larger organizations.
Protecting the company’s brand and reputation
Cybersecurity protocols close the gaps that security breaches exploit by preventing hackers from penetrating a company’s network. This means that in addition to preventing a loss of critical assets, there is the added benefit of tracking changes in your company’s risk profile and monitoring threats.
Finally, protecting your company’s reputation is a crucial point for all stakeholders of a company. Becoming the victim of a cyberattack, even if the cybersecurity in place was minimal, can harm your brand’s reputation in mere seconds. The more effective response to exposure to cyberattacks and the possibility of losing customers, sales, business partners, trust and reputation is to proactively invest in and maintain a strong cybersecurity defense.