The online dictionary defines Economics as “the branch of knowledge concerned with the production, consumption, and transfer of wealth”. A simple enough equation on the surface but any economist will say that it can be much more complicated in practice.
One of the more complicated areas to understand is the ROI and risk management involved in cybersecurity investments. How much to invest and where to invest are questions that each organization and IT management have to decide and implement.
What is clear is that everyone will be making those calculations in some form or another for the foreseeable future of modern society. Losses to cyber crime have been increasing every year and no one is predicting a quick end to the trend. Juniper Research predicts that criminal data breaches will cost $8 trillion over the next 5 years. That’s T, for trillion.
But what does that mean for a medium sized business or county organization?
The size of a company does matter. Like any type of risk, cyber risk can be quantified. But because the cybersecurity field is so new, companies and risk analysts have to make many assumptions to quantify it; the data needed to build risk models is still being collected. Companies cannot wait 10 years, though – they need to know now. For example, Amazon lost 32 million in just 211 minutes during a 2016 cyber breach. For a company the size of Amazon the cost was significant but not organizationally crippling.
Smaller organizations have greater exposure to cybersecurity risk. The Ponemon Institute estimates that small businesses average $690,000 in related expenses after a breach. That’s more than some businesses make in a year. Depending on the industry and actual cash flow of a business, smaller organizations can end up upside-down or close their doors.
There are several factors to be addressed in the economics of cybersecurity. One is pure financial exposure or loss, but another is the loss of business and reputation. Target had one of the largest breaches in 2013, with a multi-state settlement of $18.5 million for the breach of 41 million consumer records. But what is unique about Target is the way they handled the breach. They were proactive; they didn’t delay in facing the music. And because of their skill in handling the situation they minimized the impact on the value and reputation of their brand. Rebuilding brand reputation and trust after a breach is difficult to quantify but no less real.
Equifax and Yahoo are both examples of the opposite extreme and show what not to do. Both have suffered hugely detrimental effects from their very public breaches, which have damaged the brands’ reputations, affected the terms of buyouts and permanently altered the value of the companies.
How much does attacking an organization cost the cyber criminal?
Very little. That is the main reason it is so prevalent. Overhead for cyber crime is low and the potential returns are very high. It’s basic – Economics 101. Cyber crime activities have less than a 2% prosecution rate. Criminally, the costs to the hacker are financial restitution and the potential for incarceration. The basic computer setup and actual hard costs are minimal. Cyber criminals are often innovators in the field, and the organizations they target are a generation behind.
So what will change in terms of costs in the future?
Cyber crime impacts organizations and societies in new ways every time a new technology or a new way of connecting to the internet appears. The cost of breaches and cyber crime will inevitably be higher in the future, for several reasons.
Citizens are waking up to the societal risks of cyber crime. As early as 2010, researchers such as Tyler Moore of the Center for Research on Computation and Society, Harvard University, have said that “Systems often fail because the organizations that defend them do not bear the full costs of failure.” And: “In order to solve the problems of growing vulnerability and increasing crime, policy and legislation must coherently allocate responsibilities and liabilities so that the parties in a position to fix problems have an incentive to do so.”
In 2014 a fellow from Columbia University, Benjamin Dean, looked at the 10-K filings for three Fortune 500 company breaches and concluded that the actual expenses to the companies after filing were less than 1% of annual revenues. If data privacy and securing an organization do not have a large enough impact on the bottom line, organizations will continue to do the minimum needed to remain compliant.
Legislation at home and abroad will soon be changing this dynamic.
The European Union’s GDPR, going into force on the 25th of May 2018, has a maximum penalty for non-compliance of 4% of a company’s global revenues or 20 million euros, whichever is greater. Those are financial teeth that change the risk analysis for organizations. Now it’s not just financial exposure and reputation; it is also compliance and regulation.
In the United States at least 30 states are considering, or are in the process of passing, legislation regarding breach notifications. The US lags in comprehensive mandatory compliance backed by financial penalties. At the federal level, legislation is being considered that would criminalize failure to notify about breaches and direct the FTC to create standards of protection for the security of consumer data.
In time, security best practices are going to become legislated requirements and companies will be required to invest in the security of their data. According to Hiscox’s 2017 Cyber Readiness Report, 53 percent of the companies surveyed were assessed as “cyber novices” and ill-prepared. Only 30% rated as expert.
Since it’s only a matter of time, statistically, until an organization experiences a breach, 53% is a frighteningly high number.
So how do you decide where and how to spend your money on cybersecurity?
1. Know what kind of cyber crime is most common for your size business.
In a study done by the Ponemon Institute in 2016, size matters. Smaller organizations “experienced a higher proportion of cyber crime costs related to malware, web-based attacks and phishing/social engineering.” Larger Organizations “experienced a higher proportion of costs relating to denial of services, malicious insiders, malicious code and stolen devices.”
Knowing what kinds of attacks are most likely can help you allocate resources. Smaller companies may want to consider investing a higher percentage of their cybersecurity funds in security awareness training. A larger company may spend more on analytics programs that identify possible malicious actors on their staff.
2. Decide which functions and data are the least important and which are most critical to your organization.
Invest in security for those functions accordingly. Data privacy is the hot topic this spring because of the GDPR. Know what data you have and where it is stored, and ask the question: do we need to have this information?
3. Have comprehensive baseline security for moderate to low threats.
These are always economically beneficial and have the added bonus of saving the management and IT teams a lot of undue stress and headaches.
4. Have an Incident Response Plan.
If you aren’t quite sure how to create an incident response plan, there is information online to help you get started and there are experts who can help you put it together. In IBM’s “Cost of a Data Breach” study, an incident response plan was found to be the most significant strategy for cost savings.
5. Invest in Penetration Testing.
Having an outside party perform a penetration test on the organization, with detailed security recommendations, will give you an invaluable road map. They can also test your response plan and point out not only where your organization has weaknesses, but also where you need to allocate more security funds. This becomes an actionable list that can be researched and implemented.
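Steps 1 and 2 above are, in effect, a cost-benefit ranking: estimate the annual loss each kind of attack is likely to cause your size of organization, then buy the controls that remove the most expected loss per dollar. The script below is an added example written for this article, not code from the author or any named report. Every loss figure, attack frequency, control cost and mitigation percentage in it is a constructed assumption chosen only to show the mechanics; the one formula taken from the text is the GDPR maximum fine (4% of global revenue or 20 million euros, whichever is greater). The function and profile names (`rank_controls`, `SMALL_ORG_ALE`, and so on) are hypothetical.

```python
"""Constructed cost-benefit model for prioritising cybersecurity spend.

All numbers are assumptions for illustration, not survey data.
"""
from dataclasses import dataclass, field

GDPR_MAX_FINE_RATE = 0.04            # 4% of global revenue (from the article)
GDPR_MAX_FINE_FLOOR_EUR = 20_000_000  # or EUR 20 million, whichever is greater


def gdpr_max_fine(global_revenue_eur: float) -> float:
    """Upper bound of the regulatory exposure under GDPR for a given revenue."""
    return max(GDPR_MAX_FINE_RATE * global_revenue_eur, GDPR_MAX_FINE_FLOOR_EUR)


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = expected cost of one incident x expected incidents per year."""
    return single_loss * annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction of the ALE removed, per threat category the control addresses
    mitigation: dict = field(default_factory=dict)


def avoided_loss(threat_ale: dict, control: Control) -> float:
    """Expected annual loss this control removes from the given threat profile."""
    return sum(threat_ale.get(threat, 0.0) * fraction
               for threat, fraction in control.mitigation.items())


def rosi(threat_ale: dict, control: Control) -> float:
    """Return on security investment: (avoided loss - cost) / cost."""
    return (avoided_loss(threat_ale, control) - control.annual_cost) / control.annual_cost


def rank_controls(threat_ale: dict, controls: list) -> list:
    """Controls ordered from best to worst ROSI for this threat profile."""
    scored = [(c.name, rosi(threat_ale, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def allocate(threat_ale: dict, controls: list, budget: float) -> list:
    """Greedy spend: take controls in ROSI order while they pay for themselves and fit the budget."""
    by_name = {c.name: c for c in controls}
    chosen, remaining = [], budget
    for name, score in rank_controls(threat_ale, controls):
        cost = by_name[name].annual_cost
        if score > 0 and cost <= remaining:
            chosen.append(name)
            remaining -= cost
    return chosen


# Constructed threat profiles (single-loss estimate x incidents per year).
# The small-organization profile is weighted toward phishing, malware and web
# attacks; the large one toward insiders and denial of service, mirroring the
# Ponemon finding quoted in step 1. Figures are illustrative assumptions.
SMALL_ORG_ALE = {
    "phishing": annual_loss_expectancy(40_000, 3.0),   # 120,000
    "malware": annual_loss_expectancy(30_000, 3.0),    # 90,000
    "web": annual_loss_expectancy(60_000, 1.0),        # 60,000
    "insider": annual_loss_expectancy(150_000, 0.1),   # 15,000
}
LARGE_ORG_ALE = {
    "phishing": annual_loss_expectancy(50_000, 2.0),           # 100,000
    "malware": annual_loss_expectancy(40_000, 2.0),            # 80,000
    "web": annual_loss_expectancy(40_000, 1.0),                # 40,000
    "insider": annual_loss_expectancy(150_000, 2.0),           # 300,000
    "denial_of_service": annual_loss_expectancy(125_000, 2.0), # 250,000
}

# Constructed candidate controls with assumed costs and mitigation fractions.
CONTROLS = [
    Control("security awareness training", 20_000, {"phishing": 0.5, "malware": 0.2}),
    Control("insider analytics", 50_000, {"insider": 0.6}),
    Control("web application firewall", 15_000, {"web": 0.4}),
]

if __name__ == "__main__":
    for label, profile in (("small", SMALL_ORG_ALE), ("large", LARGE_ORG_ALE)):
        print(f"{label} organization, ranked by ROSI:")
        for name, score in rank_controls(profile, CONTROLS):
            print(f"  {name:30s} {score:+.2f}")
        print(f"  spend with a 40,000 budget: {allocate(profile, CONTROLS, 40_000)}")
    print(f"GDPR cap at EUR 100M revenue: {gdpr_max_fine(100_000_000):,.0f}")
```

With these assumptions, awareness training tops the ranking for the small profile and insider analytics has a negative return there, while the order flips for the large profile; that is the point of step 1, and the same arithmetic applies once you substitute your own loss estimates. The model deliberately ignores second-order effects the article stresses (reputation, lost business, fines above the losses themselves), so treat `gdpr_max_fine` as a separate ceiling on exposure rather than folding it into a single ALE.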
As time goes on, economists are sure to come up with better equations to calculate ROI for cybersecurity, and risk management for cybersecurity will become more formalized. In the meantime, evaluate your business size and the data you have and where it is, implement baseline security measures, and work diligently on an incident response plan supplemented with a penetration test from an outside provider.
If the old adage “one size fits all” were true in cybersecurity, then ROI would be a simple calculation. But because each organization is complex and unique, a specific ROI is more elusive.