Cyber security: Where’s the business case for a budget?
11 February 2019
With fines increasing but no sign of data breaches slowing, what can business leaders do to protect their companies?
There’s an inconvenient truth in the business community. As many business decision-makers are only too aware, hardly a week seems to go by without a data breach of some form being reported to the press.
Then in June, Ticketmaster revealed that the login information, payment data, addresses, names and phone numbers of almost 40,000 people had been breached. This was followed at the beginning of September, when hackers got into the systems at British Airways, impacting 380,000 transactions.
When they do happen, breaches of all sizes have brutal consequences (even if they are smaller than the examples cited above).
Take a look at the retail sector alone. Recent studies have shown 19% of consumers would completely stop spending money with a retailer if the business had been breached, and 33% agreed they’d at least stop shopping there for a while.
Can you imagine what losing 19% of your customer base might do to the bottom line? It certainly wouldn’t be a pretty sight.
With new regulations such as the GDPR taking hold, fines are also a big fear factor.
According to reports, Facebook’s fine for its part in the Cambridge Analytica scandal could have been 1.4 billion in the post-GDPR world – a harsh sum even for a global giant like Facebook to stump up. For small businesses too, the prospect of paying up to 4% of their annual turnover as a fine isn’t a fun one.
Where’s the business case for a budget?
The consequences of a data breach are damaging, unnerving, and can put the businesses involved in jeopardy.
Against this backdrop, you might think it’s easy for chief information security officers (CISOs) to justify the need for their budgets. However, recent research from Kaspersky Lab has shown that CISOs are actually struggling to get the budgets they require to fight off hackers.
There are several reasons for this, including the fact that security is sometimes lumped into the wider IT budget, that budget is being prioritised for digital, cloud or other IT projects, and ignorance on the part of the board. However, the most common reason is that CISOs cannot guarantee the organisation will not suffer a breach.
From a business point of view, this might make sense, right? After all, if you are a business leader and concentrating on the bottom line, why would you agree to sink budget into a fight that apparently cannot be won?
Sensible business protocol dictates that you should only invest where a return is on the cards.
It may sound controversial, but, at Kaspersky Lab, we think the question “can you guarantee there won’t be any more breaches?” isn’t really one that businesses should be asking. Before we explain why, let’s ask ourselves whether breaches really are inevitable.
What makes cyber security breaches unavoidable?
According to our survey results, 86% of CISOs believe breaches are inevitable. So, what’s behind this certainty?
Most enterprises are on a path towards digital transformation, with 52% agreeing that this is the tech trend that will have the biggest impact on the IT security of their organisation in the next five years.
Digital transformation widens the attack surface, giving cybercriminals more opportunities to find weaknesses, to creep into systems and to leak or exploit data. Cloud adoption, the increasing mobility of workforces, and the rise in use of digital channels are all contributing factors here, increasing the risks.
This isn’t the only factor that CISOs are up against. What if a malicious insider – an employee, perhaps – was to single-handedly work against a company, or even combine their efforts with those of an external attacker, helping them in through the back door, so to speak?
This sort of threat could be especially difficult to identify and prevent in advance. In fact, it’s one of the most feared types of threats among the CISO crowd, with 29% agreeing this is the biggest IT security risk (second only to concerns about financially motivated cybercrime gangs at 40%).
While we’re on the topic of financial motivation, if breaching an organisation promises to bring substantial gains to the attackers, and those gains exceed the resources they need to organise the attack in the first place, then as far as the criminals are concerned, their efforts are easily justified.
They will just keep finding new ways to make their money.
Asking the right questions will lead to the right decisions
There seem to be plenty of reasons – outlined above – why the question “can I prevent an attack?” is not the right one for business leaders to be asking. So what is the right question to ask?
Well, if attacks are likely and increasing, the crux of the issue really lies in whether a business can detect an attack quickly enough, and respond comprehensively and quickly enough, to minimise its impact.
In other words, it’s becoming increasingly clear that businesses can’t live in the prevention-only paradigm anymore. That mindset is simply outdated and out of sync with how businesses today work. When it comes to targeted, highly elaborate attacks, detection and response should instead be the priority.
It’s time to educate business leaders that it’s worth investing in cyber security. This is not about guaranteeing the complete prevention of cyber incidents, it’s about raising the price of attack for attackers. It’s about making an attack unaffordable, and not worth their while.
And, more importantly, it’s about getting your perimeter and security team ready to immediately address any attempt to interfere with your organisation’s network.
An average breach costs a large enterprise up to $1.23 million — but if you take the necessary measures, this price will drop to a minimum, or even to nothing at all. Now that sounds like a sensible business decision.
Maxim Frolov is vice president of global sales at Kaspersky Lab.