When it comes to cyberattacks and the resulting data breaches, not all organizations are affected to the same extent. Larger organizations store greater quantities of data, and a single breach may cost the company over $100 million to resolve, but breaches of that scale are rare. When the cost of breach resolution is compared with a company's annual turnover, it is actually very small indeed.
Even the huge data breaches suffered by Sony and Target have not cost those companies very much in the grand scheme of things. Measured against annual turnover, the costs incurred are very low, as little as 1% of total turnover. The breaches are embarrassing, but the actual losses can be easily absorbed.
Benjamin Dean from Columbia University’s School of International and Public Affairs recently pointed out in a post that the cost to large companies may not be insignificant, but it is nowhere near as high as many people would believe.
Consequently, there is little pressure on many large organizations to invest more heavily in cybersecurity defenses. This may not be true for heavily regulated industries such as finance and healthcare, where heavy fines can be issued for non-compliance with data security regulations, but for some companies the costs can be easily absorbed.
Many of these companies are covered by insurance policies that pay for the majority of the cost and the resolution costs are tax-deductible.
Dean also points out that while there will be fallout from a data breach, it may not be nearly as severe as many companies are led to believe. Many Sony employees had their data exposed in the cyberattack, but how many will leave their jobs as a result? They will certainly be unhappy, but will they leave in droves? Probably not.
Customers may incur losses, but Sony will not have to cover the cost. How about cases of identity theft? Can a customer determine with any degree of certainty that they have become a victim because of the data breach at Target or Anthem, or any number of other companies that have suffered cyberattacks?
In many cases the losses are borne not by the breached company but by the banks. The data breaches at Target and Home Depot are estimated to have cost the issuers of the affected credit and debit cards, not the retailers. Replacing the stolen cards was estimated to have cost credit unions around $60 million in September, and those costs were covered by the credit unions, not the retailers.
The same cannot be said for small to medium sized businesses
The larger the corporation, the easier it is to absorb losses, but for small to medium sized businesses the losses from a data breach can be catastrophic. Will movie-goers avoid a Sony Entertainment film because of the data breach? Unlikely. Will customers switch to a rival printing company because their preferred provider exposed their financial data? Much more likely.
For SMBs it is essential to invest in robust data security systems. The loss of customers will really be felt, and many SMBs do not have the budgets to cover data breach insurance premiums. The resolution costs, in many cases, simply cannot be absorbed.
Data breaches do not affect all departments equally
If you work in IT security, you will be very keen to get a budget increase to protect your company’s systems. If a breach is suffered, your department will have to perform a great deal of extra work. You are likely to be blamed for allowing the breach to happen. You may even be criticized for failing to explain the risks adequately.
It is therefore in your best interests to implement the strongest security controls you can to protect the business, but getting the funding is often problematic. Cybercriminals are developing ever more sophisticated methods of breaking through defenses, so the defenses themselves must become more sophisticated, and that usually means they cost a lot of money. Securing a sufficient budget to cover the cost can therefore be a difficult task.
To make it easier, you will need to know how managers assess budget requests.
Risk Analysis – How managers decide on budgets
Before a potentially expensive cybersecurity measure is given the go-ahead, a cost analysis will be performed. Managers will assess each threat separately and estimate the Annualized Rate of Occurrence (ARO), the expected number of times that threat will cause a breach in a given year (a probability where the threat occurs at most once a year). Then they will estimate the cost of a single such breach: the Single Loss Expectancy (SLE). Multiplying the two gives the Annualized Loss Expectancy (ALE = ARO x SLE), the amount the threat is expected to cost per year. Based on that figure, a decision will be made about the best way to deal with the threat and whether it is worth doing so at all: a control that costs more per year than the ALE it removes is not a good investment.
There are a number of measures that can be put in place to address the risk. These will also be assessed:
Risk Mitigation
The biggest costs fall into this category. These include installing robust firewalls, anti-virus and anti-malware solutions, spam and web filters, and employee training.
Risk Transference
It may be possible to reduce the cost of dealing with a breach rather than its likelihood, and this may prove more cost effective than installing security measures to reduce risk. An insurance policy may be purchased so the company does not have to cover the full cost of a security breach. Note that insurance lowers the SLE the company bears, not the ARO; the breach is just as likely to happen.
Risk Avoidance
It may be possible to reduce risk by preventing certain activities from taking place. For instance, banning the use of social media websites at work to combat the threat from malware. Sometimes risk cannot be avoided. Maintaining an online presence is essential, so a company cannot remove the risk of a data breach by not operating a corporate website.
Risk Deterrents
These measures can be cheap and effective. Legal disclaimers and internal policies can be developed to tackle insider theft. They may warn of prosecution for anyone found to be inappropriately accessing corporate data. This may be sufficient to put some individuals off snooping.
Risk Acceptance
Some risks cannot be avoided and must be accepted. However, a company must be aware of the risk in order to make a decision about whether it can be accepted, as well as the cost of mitigating that risk and the potential for damage.
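The following is an added worked example, not part of the original article, showing how the ARO, SLE and ALE figures above feed a comparison of the treatment options. The threat figures and the costs of each option are constructed for illustration only; the point it makes is that each option should be compared on total annual exposure (the control's annualized cost plus the residual ALE it leaves behind), and that the option with the best return on investment is not necessarily the one with the lowest exposure.

```python
"""Annualized Loss Expectancy (ALE) and comparison of risk-treatment options.

Constructed example: all monetary figures and rates below are hypothetical
and chosen only to illustrate the calculation.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # Single Loss Expectancy: cost of one occurrence
    aro: float  # Annualized Rate of Occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = ARO x SLE."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Treatment:
    name: str
    kind: str             # mitigation, transference, avoidance, deterrent, acceptance
    annual_cost: float    # annualized cost of the option (licences, premiums, lost productivity)
    residual_aro: float   # ARO once the option is in place
    residual_sle: float   # SLE the company still bears once the option is in place


def residual_ale(t: Treatment) -> float:
    """ALE that remains after the treatment is applied."""
    return t.residual_aro * t.residual_sle


def annual_exposure(t: Treatment) -> float:
    """What the threat costs per year under this treatment: control cost + residual ALE."""
    return t.annual_cost + residual_ale(t)


def rosi(threat: Threat, t: Treatment) -> Optional[float]:
    """Return on security investment: (ALE reduction - cost) / cost.

    Returns None for a zero-cost option (e.g. acceptance), where the ratio is undefined.
    """
    if t.annual_cost == 0:
        return None
    reduction = threat.ale - residual_ale(t)
    return (reduction - t.annual_cost) / t.annual_cost


def rank_treatments(threat: Threat, options: List[Treatment]) -> List[Treatment]:
    """Order options by total annual exposure, cheapest first.

    Any option whose exposure exceeds the untreated ALE is worse than accepting the risk.
    """
    return sorted(options, key=annual_exposure)


# Hypothetical threat: malware delivered by phishing e-mail. One incident is estimated
# at $200,000 and it is expected to happen once every two years (ARO 0.5), so ALE = $100,000.
THREAT = Threat("phishing-borne malware", sle=200_000, aro=0.5)

# Hypothetical treatment options for that threat.
OPTIONS = [
    Treatment("accept the risk", "acceptance", annual_cost=0, residual_aro=0.5, residual_sle=200_000),
    Treatment("mail filter + awareness training", "mitigation", annual_cost=30_000,
              residual_aro=0.125, residual_sle=200_000),   # fewer incidents, same cost each
    Treatment("cyber insurance", "transference", annual_cost=20_000,
              residual_aro=0.5, residual_sle=80_000),      # same frequency, smaller uninsured cost
    Treatment("block webmail and social media", "avoidance", annual_cost=5_000,
              residual_aro=0.375, residual_sle=200_000),   # removes some attack paths only
]


def summarise(threat: Threat, options: List[Treatment]) -> List[dict]:
    """Per-option figures, ranked by total annual exposure."""
    return [
        {
            "option": t.name,
            "kind": t.kind,
            "cost": t.annual_cost,
            "residual_ale": residual_ale(t),
            "exposure": annual_exposure(t),
            "rosi": rosi(threat, t),
        }
        for t in rank_treatments(threat, options)
    ]


if __name__ == "__main__":
    print(f"{THREAT.name}: ALE = {THREAT.ale:,.0f}")
    for row in summarise(THREAT, OPTIONS):
        r = "n/a" if row["rosi"] is None else f"{row['rosi']:.2f}"
        print(f"{row['option']:<36} {row['kind']:<13} cost {row['cost']:>8,.0f}  "
              f"residual ALE {row['residual_ale']:>8,.0f}  exposure {row['exposure']:>8,.0f}  ROSI {r}")
```

With these figures the filtering-plus-training option leaves the lowest total exposure ($55,000 a year against an untreated ALE of $100,000), even though blocking social media has the best return per dollar spent. Mitigation and transference are not exclusive: applying the insurance figures on top of the mitigated ARO is the combination most companies actually buy, and the same functions compare it once you construct a Treatment with both the reduced ARO and the reduced SLE.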
It is essential that security professionals are consulted before these calculations are made. Their input will be required to gain an accurate estimate of the probable costs and level of risk faced.
If you, as an IT security professional, can provide accurate figures that can be used in the cost/benefit analysis, your company will be able to determine which security measures are essential and will allocate budgets accordingly.
Make sure you are an asset to your company and produce your own risk analysis. As an IT security professional, you are in the best position to do this. If budgets are subsequently not forthcoming, it will not be your department that is blamed when a breach occurs.