According to Accenture’s 2017 “Cost of Cybercrime” report, the cost of cybersecurity increased 23 percent in 2017 from the year before. Much of this cost is attributed to the increased frequency and cost of cyberattacks, which, according to the research, on average cost $1M in damages a piece.In order to avoid the costs and damages of suffering a cyber breach, businesses need to create a comprehensive and well-informed security budget that considers their primary security vulnerabilities and helps to strengthen their defenses. This article breaks down information and cyber security costs into two main categories—compliance and recovery—and provides an approach for businesses to best budget for security using these two cost categories as a guiding framework.
Distinguish Between Compliance and Recovery CostsThe first step in creating your security budget is to distinguish between the two main forms of cost associated with security, compliance and recovery costs. Compliance costs are preventative expenses accrued from fulfilling the terms of security policy or regulations. Compliance costs are mostly associated with preventative measures such as firewalls, security software investments, and training programs for employees. Compliance costs are mostly budgeted, and the amount of compliance cost a business includes in its budget ideally results from deliberation among decision-makers as to where security resources should be best distributed. Recovery costs are expenses caused by security issues. Recovery costs are a broad category that include all cost and damages that result from a breach or attack including theft, ransom, lost business, and public relations to for reputation recovery. Budgeting for cyberattacks is incredibly difficult given that the cost of damages depends on various factors like the severity of the attack and whether your business has a recovery plan in place in the case of an attack. Between the two, compliance is obviously preferable both because it is planned cost and generally cheaper than recovery. According to Globalscape, the cost of non-compliance, or the consequence of failing to abide by regulations and policy, significantly outweighs that of compliance, or the cost of following of regulation and policy. It is not guaranteed that higher compliance spending will definitely result in lower recovery costs. However, higher compliance spend puts your company in a better position to avoid recovery costs.
Use an Audit as the Basis for Security BudgetBefore you devote any amount of resources to security, your business needs to conduct an audit of all security endpoints within your company infrastructure to determine what the focus of your budget should be. Conducting an audit allows for your company to understand your primary vulnerabilities and which controls to target as security investment priorities. For example, if you discover through an audit that your business experiences the most security red-flags from poor network management (i.e., employees failing to consistently use VPNs outside of the office), you can format your budget to address shortcomings in network access, like reconfiguring devices to only access company systems through VPNs or secure networks.
Factor the Security Talent Gap Into Your Security BudgetThe cyber threat landscape entails two security realities that all companies need to be aware of when formulating their budget. The first is the cybersecurity “talent gap,” or the lack of qualified cybersecurity talent that exists in the current market. The second is the cold reality that as cybercriminals multiply and advance technically, the likelihood that your company experiences a cyberattack increases. Each of these problems is especially severe because both currently lack a definite solution. At the heart of the cybersecurity “talent gap” is the fact that there is a “gap” between the supply and demand of capable cybersecurity employees—you can’t magically create talent to fulfill your needs in this area. In addition, there is very little that can stop the spread and advancement of cybercriminals, particularly in a globally connected world where many attacks originate outside of the regulatory bounds of victimized companies and organizations. These two threats are also mutually reinforcing: a lack of cybersecurity talent increases the likelihood that your company suffers a cyberattack. Research from the Information Systems Security Association (ISSA) shows that a shortage of adequate cybersecurity talent has in fact contributed to an attack for about 20% of companies. In addition, the report finds that the security skills gap is especially large in the area of security analysis, which makes it all the more difficult for companies to identify their most vulnerable areas and effectively target their security investments. Given this environment, your business should factor the cybersecurity skills and talent gap into your security budget. Faced with a lack of knowledge on how to properly budget for security, look to external resources like cybersecurity companies and consultants for guidance in the process. While these resources obviously come with a cost, the initial investment in expert security analysis could ultimately save you a good deal of money down the road in avoidable recovery costs from a cyberattack.
A Well-Informed Budget Creates a Strong Cybersecurity PolicyAfter a year scarred by large-scale cybersecurity incidents, security budgeting should be a major focus for your business for 2018. In order to properly prepare for the security threats your company will face in the next year, you need to create an informed security budget. To budget accordingly for security, your business should consider the two main types of costs associated with security: compliance costs and recovery costs. To effectively budget for compliance costs, your business needs to understand the severity of the current cyber threat landscape. Conduct an audit to discover your largest security vulnerabilities and direct budget dollars toward strengthening those shortcomings. In addition, your business needs to take a pragmatic approach and budget toward recovery costs. The more common cyberattacks become, the more likely your business will eventually be a victim. Your business should have a budget for recovery costs in the case of a cybersecurity breach or attack. Having resources to tap into in the case of an attack softens the blow to your company that comes with an attack. Creating an informed budget allows for your company to create a strong cybersecurity policy. A strong policy is built from informed security investments controls and an educated and prepared workforce. The better your security budget is designed, the safer and better prepared to address outstanding cybersecurity threats your company is.