By now, almost every organization is keenly aware of the global cybersecurity landscape. From the groundbreaking Equifax breach that cost the company over $4 billion to the Yahoo breach that saw 3 billion records fall into the hands of threat actors, cybersecurity breaches have become a regular occurrence in the news cycle.
But when it comes to actually investing money in cybersecurity, some CFOs and CIOs still have a difficult time justifying the costs. Depending on your organization’s size, cybersecurity assets can become a significant budgetary cost. And, given the current fiscal atmosphere, pouring time and resources into threat protection may feel back-of-mind.
Should you really put money into cybersecurity? What are the chances your organization will get attacked by a threat actor? And what considerations should you think about when making the decision to set aside a portion of the budget for digital security.
Download
DoD Contractor’s Guide to CMMC 2.0 Compliance
A Very Brief Look at the Cybersecurity Atmosphere in 2020
From Zoom’s recent security woes to Microsoft’s massive breach that recently exposed 250 million records, cybersecurity is a hot-button issue in 2020. But, for every one of those attention-grabbing headlines and borderline apocalyptic-themed news articles out there about cybersecurity attacks, there are thousands of other organizations getting hit with devastating breaches.
Every 39 seconds, a hacker attacks an organization. In fact, you may have been hacked this year already. It takes an average of 206 days for companies to identify and recognize a security breach. When you figure in the time it takes to contain and rectify breaches, most companies spend over 300 days dealing with a single cybersecurity attack.
And these attacks are coming from everywhere. Security breaches have increased by over 65% since 2014. We’re at the point where 1 in every 300 emails your business receives is likely malicious. In 2018, over 51% of small businesses experienced a denial of service attack. 1 in 36 of your employees has a mobile device with a malicious app installed right now. And 1 in 13 web requests takes your employees directly to malware.
Cybersecurity attacks are growing. That’s a big problem. And it gets worse. Due to the sheer cost of data breaches, over 60% of small businesses that are targeted by hackers will close their doors permanently within 6 months. For larger organizations, the sheer cost of a data breach can have significant impact on financial stability.
How Much Does a Data Breach Actually Cost?
According to the latest figures by IBM/Ponemon, the average cost of a data breach is around $242 per stolen record. Given that the IBM/Ponemon study is 77 pages long and aggregates data from organizations across the globe, we would say that those figures are probably the closest to “average” you can get.
Want a quick jump scare? That same report estimates that 26% of organizations will face a cybersecurity breach in the next 24 months. Obviously, that’s not ideal.
But here’s the question: what are the actual costs of a data breach? You would be surprised. Let’s break down some of the costs that go into that figure, and we’ll talk about some additional costs that weren’t necessarily discussed in the IBM study.
1. Fines and Penalties
The cost bucket for fines and penalties can be massive. Given the global privacy and data security landscape, your organization could be facing fines from multiple regulatory bodies in addition to potential legal fees. We’ll list a few of the fines associated with privacy breaches, but it’s important to remember that there may be additional actions taken at the local, state, and federal level depending on where your organization is located.
- Maximum fine for GDPR: ~$22 million
- Maximum fine for CCPA: $7,500
- Maximum fine for LGPD: ~$12 million
2. Lost Revenue
According to Ponemon, lost revenue is the biggest cost bucket of a data breach. While we believe that brand damage stands at number one (more on that next), the immediate impact of lost revenue can be massive. 36% of data breach costs that IBM and Ponemon calculated were related to lost revenue.
Obviously, you’re going to get less revenue once news of your breach hits. Customers, members and donors will be nervous to do business with your brand, and you’ll likely see an immediate decline in revenue.
And, while you might be able to stave off immediate revenue losses with a healthy savings account, you can’t buy back your brand.
3. Brand Damage
This is, by far, the largest cost group. According to Accenture, cybersecurity breaches will cost organizations a total of $5.2 trillion over the next five years. And brand damage is the single most burdening cost area. According to research by Varonis, as few as 6% of people are willing to continue shopping with a brand after that brand has experienced a data breach.
Walker predicts that brand will overtake both price and product as the key differentiator between companies by the middle of 2020. A single breach can cause irreparable damage between you and your core group of customers. Even back in 2017, 70% of people admitted that they would completely drop a brand if they discovered they were impacted by a cybersecurity incident. Given the growth and press surrounding cybersecurity, that number has almost certainly grown over the past few years.
We’re not talking about a temporary loss of revenue here; we’re talking about long-term brand damage that can stall growth for years.
4. Hidden Costs
After a breach, be prepared to spend a horde of gold. You’ll have to invest in PR campaigns, new equipment, new policy frameworks, and possibly even new staff. Most organizations deal with cybersecurity once it becomes “their problem.” So, after a breach, you’ll be dealing with lost revenue, brand damage, fines, and the upfront investment of a robust cybersecurity solution.
What is Your Risk Appetite?
Do you bet it all on red at the roulette tables in Vegas? That’s what you’re doing every day you aren’t investing in cybersecurity. For many larger organizations, the barrier to cybersecurity investment lies with stakeholders. They’re not committed to new systems, or they think the costs of prevention outweigh the costs of protection. They’re wrong.
But when it comes to small organizations, things look dire. According to recent studies, 66% of decision-makers at small organizations still believe that they won’t ever be targeted by hackers. Worse yet, 60% of them have no cybersecurity plan in place to deal with potential attacks.
When CIOs and CFOs think about investing in cybersecurity, they’re really trying to weigh the risks. In a sense, they’re hoping that hacks don’t target them. It’s a game of chance. But, in the long-run, luck runs dry. And it’s far harder and costlier to fix a breach than it is to prevent one.
Cybersecurity vs. Cyber Insurance: Comparing Apples to Oranges
There’s a strange phenomenon happening in the cybersecurity space. 60% of small organizations don’t have cybersecurity systems in place. Yet, 70% of small organizations are in the process of shopping for cyber insurance. In a nutshell, cyber insurance helps pay for costs relating to cybersecurity damages, including things like penalties, fines, and lost business.
There’s an obvious issue here. Cyber insurance is great. Don’t get us wrong. But it only safeguards you against some of the rapid-onset monetary damages relating to breaches. It doesn’t protect your brand’s reputation, and it certainly doesn’t prevent your brand from losing the public’s trust.
So why are so many small organizations keen on cyber insurance? It’s cheap. It’s easy. And they think they can purchase a quick insurance package and pretend that cyber risks don’t exist.
The benefits of investing in cybersecurity solutions upfront far outweigh the benefits of cyber insurance. Preventative medicine is the best medicine. Why risk permanently damaging your brand? Why deal with lost revenue and hidden costs? Sure! Cyber insurance is a convenient monthly payment that helps ease your mind.
But what if you could pay a monthly fee to help prevent cybersecurity incidents from plaguing your organization in the first place?
OSIbeyond Can Help Mitigate Your Cybersecurity Risks
Investing in cybersecurity justifies itself. The costs for a single breach are simply too high to ignore. But what if you don’t have the resources to build a full-scale, on-premise cybersecurity team, invest in the latest tech, and implement all of the right policies?
We’ve got your back. At OSIbeyond, we offer fully-managed security services that will help your protect your data, safeguard your brand’s reputation, and meet compliance needs. Are you ready to stop threat actors in their tracks? Contact us.