You implement technology to increase productivity, grow market share, hold onto your market, improve customer loyalty, and comply with regulations -- among other reasons. When it comes to cyber security investments, however, things can quickly become complicated.
Cyber security attacks threaten your organization. To determine what is vulnerable, how vulnerable it is, and how much to budget for cyber security, you need answers to some specific questions.
Assessing the risks and impact of an attack can be challenging. In doing so, you may find vulnerabilities in areas of your organization that you never considered. Some of the questions you should be able to answer for your CEO are:
- How could a cyber security attack affect your organization's operations, including your business lines, suppliers, contractors, public relations, reputation, and even your workforce?
- Since cyber security threats pursue information, what trade secrets, customer data, or other information is critical to your organization’s operation?
- Are there regulatory requirements your organization must comply with, such as GDPR, PCI DSS, CCPA, and HIPAA?
- How was the risk assessment performed, what did it cover, and what was not analyzed for risk?
- How can your organization deliver a long-term resilient IT infrastructure to minimize cyber security risks?
- Are there any information sharing practices that your organization has or is considering adopting in the future that could make you vulnerable?
- What are the financial liabilities, internal and external, if an attack occurs?
- Which of your organization's departments and their resources are covered by the security program, and which are not? (e.g. the customer database and finance, but not HR)
- What is the threshold for notifying CXOs when an attack has been detected?
- How does the organization measure security, and are these measures meaningful?
- How thorough are the incident response and business recovery plans?
- How much is the organization willing to pay for cyber security?
There are many possible sources and causes of cyber security attacks. Some attacks come from external perpetrators.
A common objective of an external attack is to obtain credentials that let the attacker move laterally through the network and its applications. Once attackers are inside your infrastructure or your cloud services, they can steal confidential data and/or use your IT resources for their own purposes.
There is an arsenal of advanced attack tools that can be launched at an organization continuously and repeatedly. Although there are tools to detect and prevent these attacks, there will always be pressure on security teams to combat sophisticated attacks they have never seen before. Don't forget that IT staff troubleshooting a problem may change a configuration and disable a security control without realizing it.
There are also internal attacks: some are malicious, some stem from negligence, and others from poor security habits. Several surveys have concluded that as much as half of cyber security incidents are due to internal user behavior. These include:
- Angry employees who deliberately seek to sabotage
- Former employees whose access credentials were never revoked
- Users visiting websites that deliver malicious code
- Weak password creation and management that leads to unauthorized access by malicious parties
- User mistakes/negligence
- Using insecure networks (for example, public Wi-Fi) when off the organization's network
- Installing unauthorized applications on the user’s computer, tablet, or smartphone
Cost to IT
The tools and staffing required to mitigate these attacks are a cost to IT, but the protection techniques benefit the whole organization. There are two main cost elements: what you are now paying for, and what you need to pay when an attack occurs. The IT costs include:
- Hardware and software for attack detection and prevention
- Privileged access control and monitoring
- Security staff
- Incident response team
- Security consultants
- New security tools
- Working with cloud service providers (where applicable)
- Additional security audits
All of these costs are part of the IT budget. Add them up and divide them into existing costs and costs directly related to the attack. The second group, the costs incurred because of the attack (probably a range rather than a single number), is effectively the penalty for insufficient prior security investment by IT.
Cost to Non-IT Units
The various units in the organization have to quantify their costs if an attack occurs. This quantification can be used to determine the IT budget for cyber security. When an attack occurs, there will be costs associated with the organization’s response to the attack. Non-IT expenses will include:
- Loss of organization productivity
- Marketing and sales efforts to rebuild reputation
- Lost product and/or service revenue
- Marketing and sales efforts to regain revenue and profit
- Customer notifications
- Human resources work due to employee turnover in response to the attack
- Retraining users in security best practices
- Legal fees to evaluate the organization’s liabilities
- Fines and penalties for non-compliance with regulations
Most of these costs will have to be determined by non-IT departments. It’s likely that you will be provided with a range of costs -- not an absolute number -- because many of the costs will be estimates.
Budgeting for Cyber Security
The big challenge with security investments is determining how much is enough. Too little and your organization is open to attacks. It’s hard to determine when you spend too much. Budgeting for security should start with quantifying the potential cost of an attack.
Separate the cost ranges into:
- Existing IT investment
- Attack response IT costs
- Non-IT costs
Evaluate existing IT investment expenses and compare them to the sum of attack response IT costs and non-IT costs.
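As an added worked example (not part of the original article), here is one way to carry out the comparison above when the inputs are ranges rather than single numbers: the attack-cost line items in the two buckets are summed low-with-low and high-with-high, and current IT spend is then placed below, within, or above the resulting range. The line items and all figures are constructed for illustration and are not figures from the page.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class CostRange:
    """An estimate given as a low/high range, since most attack costs are estimates."""
    low: float
    high: float

    def __add__(self, other: "CostRange") -> "CostRange":
        # Sum lows with lows and highs with highs; never mix the two ends.
        return CostRange(self.low + other.low, self.high + other.high)


def total_range(items: dict[str, CostRange]) -> CostRange:
    """Sum one bucket of ranged cost items into a single range."""
    return sum(items.values(), CostRange(0.0, 0.0))


def compare_investment(existing_it: dict[str, float],
                       attack_response_it: dict[str, CostRange],
                       non_it: dict[str, CostRange]) -> dict:
    """Compare current security spend against the estimated cost of an attack.

    existing_it: current annual spend per line item (known numbers, not ranges).
    attack_response_it / non_it: estimated costs of an attack, as ranges.
    Returns both totals plus a verdict on where current spend falls.
    """
    existing = sum(existing_it.values())
    exposure = total_range(attack_response_it) + total_range(non_it)
    if existing < exposure.low:
        verdict = "below_range"   # even the optimistic attack estimate exceeds spend
    elif existing > exposure.high:
        verdict = "above_range"   # spend exceeds even the pessimistic attack estimate
    else:
        verdict = "within_range"
    return {
        "existing_it": existing,
        "exposure_low": exposure.low,
        "exposure_high": exposure.high,
        "verdict": verdict,
    }


# Constructed sample figures (hypothetical, not from the article), all in one currency unit.
EXISTING_IT = {
    "detection and prevention hardware/software": 120_000.0,
    "privileged access control and monitoring": 40_000.0,
    "security staff": 300_000.0,
    "security audits": 20_000.0,
}
ATTACK_RESPONSE_IT = {
    "incident response team": CostRange(50_000, 150_000),
    "security consultants": CostRange(30_000, 100_000),
    "new security tools": CostRange(40_000, 120_000),
}
NON_IT = {
    "lost productivity": CostRange(100_000, 500_000),
    "customer notifications": CostRange(20_000, 80_000),
    "legal fees": CostRange(50_000, 200_000),
    "regulatory fines": CostRange(0, 250_000),
}

if __name__ == "__main__":
    result = compare_investment(EXISTING_IT, ATTACK_RESPONSE_IT, NON_IT)
    print(f"existing IT spend: {result['existing_it']:,.0f}")
    print(f"estimated attack cost: {result['exposure_low']:,.0f} to {result['exposure_high']:,.0f}")
    print(f"verdict: {result['verdict']}")
```

With the sample figures the estimated attack cost comes out between 290,000 and 1,400,000 against 480,000 of current spend, so the verdict is "within_range". The useful signal is the two edges: a "below_range" result means the cheapest plausible incident already costs more than the whole security program, which is the clearest case for more investment.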
Investing in cyber security is like buying insurance: you will find out when you had too little, but you may never know whether you bought too much. Cyber security investment is a business decision, weighing risk prevention against risk response. Comparing the two sets of costs is a way to quantify what that trade-off means to your organization.