Authored by Rod Lewis

At a time when Cyber-crime tools are getting significantly more advanced and sophisticated, a wide range of organizations across industries still see cybersecurity as a significant financial cost rather than a competitive/operational advantage. As we make the case for spending on cybersecurity, we experts speak of possibilities and probabilities. If one uses the traditional ROI methodologies, then it is easy to poke holes or play devil’s advocate in any argument/discussion on cybersecurity spending. We experts need to change the way cybersecurity is perceived/positioned. Below I describe some of the top cybersecurity threats, their effects on organizations and potential positioning.

Top Cybersecurity Threats

· Malware: Malware is a significant tool in the cyber-criminal’s arsenal. This nefarious software, whether virus, spyware, keylogger or worm, is intended to perform a variety of functions such as stealing, encrypting or deleting sensitive data, altering or hijacking core computing functions, and monitoring or spying on users.

Positioning:

§ What is the cost to the organization of: lost data, downtime and lost productivity?

§ Quantify by calculating the real cost of losing key system(s) and being down for a day, a week or a month.

· Phishing: In a global survey, 56% of IT decision makers say targeted phishing attacks are their top security threat. It is a cyber-crime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution, to lure employees into providing sensitive data such as banking and credit card details and passwords.

Positioning:

§ What is the cost to the organization of paying fraudulent invoices, or providing banking data to a criminal enterprise?

§ Quantify by determining the typical size of invoice that would fly under the radar and be paid.

· Ransomware: Ransomware is a type of malware that threatens to publish the victim’s data, or to perpetually block access to it, unless a ransom is paid.

Positioning:

§ What would your organization be willing to pay to unlock key files or systems?

§ Quantified above as “the real cost of being down”.

§ What is the cost to the organization of a public exposure of customer or employee PII (personally identifiable information)?

§ This is harder to quantify and is organization specific; it requires you to determine the worst-case data exposure and its effect, in dollars, on the organization.


It should be noted that “Average total costs of a data breach also varied heavily between countries with the United States the hardest hit. In 2018, an average incident costs U.S. firms $7.91 million while in Canada and Germany, the impact is lower at less than $5 million.”

This is not to say that a company should spend unfettered dollars on cybersecurity, but there should be a budget that is realistic and proportional to the risk raised. The sample questions above help put a value on the risk in order to determine proportionality. A successful cybersecurity program is also shaped by the perception of its importance; hence the role of “CISO”, whether it be a dedicated employee or a virtual resource, should report to the CEO, and the CEO should espouse the benefits and virtues of security.

While some accountants see cybersecurity as a black hole for dollars with questionable ROI, it is important to shift the mindset and to quantifiably position cybersecurity as an indispensable part of a business that keeps it competitive, trustworthy and operational.


cyberthreatinfo