The true cost of cyber protection

According to IBM’s Cost of a Data Breach Report 2022, the average cost of a cyber attack in the UK stands at $5.05m.

For many organisations, such a hit could cause irreparable damage, both financial and reputational. It is therefore unsurprising that for the past decade, cyber security has become increasingly prominent in a CFO’s agenda.

But how do CFO’s know how much to spend protecting their organisations from these potential attacks?

“Fear, uncertainty and doubt is often used to convince a CFO that they need to spend millions on cyber-security protection, but how does a CFO know if they should spend that much  money when the risks are so intangible?” asks Will North, chief information security officer (CISO) at software company MHR.

Quantifying the impact

Today, there are countless tools and software designed to prevent security breaches.   From employing AI to firewalls, web proxies to email security, and web application firewalls to endpoint detection and response (EDR), CFOs can quickly find expenses spiralling as they  bid  to protect their organisations.

However, by prompting their CISOs to accurately quantify the impact of a security breach, CFOs can find the right balance between costs and risk.

North explains how: “They need to be asking questions like: how secure are we currently? What is the potential financial cost of a breach? How much are we currently spending on security? Where would additional spend be best focused to provide the biggest risk reduction? How much insurance do we have and what does it cover?”

“They should also look to quantify the return on investment from security tools to show that they are getting value for money,” North adds.

Consider all the consequences

Cyber risk quantification – measuring cyber risk exposure in financial terms – is a relatively new area in cyber security, but it can be used to allocate resources in a way that achieves the maximum impact.

When conducting cyber risk quantification, there are several consequences to consider.  This can include the operational and financial impacts of a cyber attack. For example, for an online retail company, this entails calculating the cost of its website being taken down – and the difference between an average day and special events, such as Black Friday. For a manufacturing company, it involves assessing the cost of bringing factories to a halt each day until operations can resume.

In the event that personal data is lost, regulatory fines can reach millions, as well as the costs to support anyone who has been affected by the breach (e.g. credit monitoring costs). There could be further costs as well, should any legal action be taken and if there are regulatory fines to pay.

Having a major data breach could also delay future sales and even block new business. “It may be the case that in the first year, 50% of businesses decide to not use your organisation, so there is a tangible impact of lost sales and lost sales pipeline. In the second year, it could be a 25% loss of  sales, and by the third year, maybe 10%,” says North.

As such, pinning down the figures for all potential outcomes are vital for a CFO to evaluate the risk compared with the cost of robust protection against such an attack.

Outsourcing

Despite such heavy concerns, CFOs still have a budget to stick to when it comes to their cyber security.

One way to help reduce costs is through outsourcing. Managed services providers, for example, can deploy the best and most expensive toolsets for their customers, as they are able to spread the cost over their client base. This means that organisations receive the most advanced security for a fraction of the price.

“MHR’s security team uses industry-leading security technology to protect its customers’ data,” North tells The CFO. “That cost for one organisation is big, but if you outsource it to a specialist…it is included in the cost of the service.

“We appreciate that for customers data security is paramount and our HR, payroll and finance platforms are designed and built with security as priority which gives confidence and also adds an extra level of security which organisations may not have been able to invest in themselves.”

Today, organisations must contend with the threat of a cyber attack at any time that could cost millions upon millions. What is perhaps most challenging is that the nature of such threats is constantly evolving, particularly thanks to the astounding rate of technological development.

Regulations are ever-changing in a bid just to keep up – yet another factor that organisations must stay keenly abreast of if they manage their cyber security in-house.

As such, organisations are left with challenges coming from all fronts. Fortunately, when a CFO is armed with all the information they need to understand the risks present, they can make astute decisions about how much to spend – and where to spend it – to protect their organisations fully and make the most efficient use of their budgets.

Comments are closed.