By Jonathan Perz, Senior Security Analyst, Abacus Technologies
Rarely do companies get to see the actual bottom-line value of cybersecurity. It always manifests as a cost or expense on the income statement. This is because effective cybersecurity lives in the world of “it did not happen.” So, how do you quantify “it did not happen” in terms of profit and loss?
The primary role of cybersecurity is to protect profits by preventing distraction and loss. It keeps a company on task, moving forward, and growing. The goal is to mitigate risk and avoid security incidents, and that is why cybersecurity is a business decision, not merely an IT department function.
Yet, one of the first concerns raised when cybersecurity is quoted is the cost. Cost, as a negative impact on the bottom line, is a powerful driving force in decision-making. Effective cybersecurity can seem costly and, consequently, cybersecurity becomes an “unaffordable luxury” rather than a priority. “Nobody will attack us” becomes the rationale for avoiding those costs. Rather than being proactive about threats, companies react to attacks and incidents. Hence, companies end up implementing cybersecurity one breach at a time. Which is more costly?
As an example, consider the cost of Security Awareness Training (SAT), which is a foundational component of cybersecurity. The human component of cybersecurity is the most vulnerable and carries the greatest risk. Estimates suggest that an effective SAT program prevents 80-85% of attacks. Most insurance carriers will deny coverage without SAT in place. Yet, using round numbers, training 1000 employees for 10 minutes a month costs a lot: about 170 hours a month and 2,000 hours a year in pay and lost production. This drives companies to decrease the amount of training time, and some even reduce it to annual training. As a result, instead of a training program that builds a security culture, they simply maintain a compliance posture. In the current threat environment, compliance is not security.
Consider the alternative. One click on one email by one employee can cascade into a successful ransomware attack. Even if well-tested backups exist, the cost can still be great. Downtime and lost production are inevitable. If backups fail, a company might have to absorb the cost of the ransom itself, and even then recovery depends on the cybercriminals being honest. The cost of lost data and lost reputation is beyond measure. Resiliency in the form of a well-rehearsed incident response plan, if one exists, can reduce downtime. Still, the point is that a well-executed SAT program might have prevented the entire incident. Again, which costs more?
Likewise, business email compromise often runs neck and neck with ransomware in terms of cost. One phishing email can result in one misdirected ACH transaction and cost a company hundreds of thousands of dollars, whereas a strong SAT program can help prevent an incident like that. A well-designed, strong SAT program can transform a company’s greatest vulnerability, its people, into one of its strongest defenses and can be the difference between a successful attack and an “it never happened.”
Cyber-attacks and incidents hurt profits. Cybersecurity protects profits. This may seem overly simplistic, yet the current threat environment demands this type of thinking. A company does not need to throw its entire bottom line into a security program. Instead, a company should evaluate its unique threat surface (i.e., where criminals can attack it), then assess risk based on that threat surface, and finally implement a strategic plan to mitigate that risk efficiently and effectively. That is how cybersecurity protects profits. Plainly speaking, if companies do not put cybersecurity on the agenda, it will become the agenda.
If you’d like to learn more about getting a risk assessment or see how Abacus Technologies can help your business, please reach out to us at (205) 443-5900 or visit our website.