The Secrets of Cybersecurity: Is it Worth Investing in Cybersecurity?
Damage to businesses caused by cyberattacks
Cyberattacks have become one of the main challenges faced by businesses during the pandemic. They not only cause financial and operational damage but also harm companies’ business reputation. In 2020, the global economy lost $1 trillion, or 1% of GDP, due to cyberattacks. Compared to 2018, total financial losses increased by more than 50%.
Cybercrime has already become a popular service on the black market, in demand among entities seeking to damage their competitors. In the United Kingdom, the number of cyberattacks committed reached 686,000 in 2020: 1 attack took place every 46 seconds. The growing scope of cyber threats during the pandemic is not accidental. Companies had to accelerate the digital transformation of their business models and, given the lack of time, they often neglected cybersecurity or paid too little attention to it. According to Microsoft, in the first 2 months of the pandemic alone, the world saw a scale of digital transformation that under normal conditions would have taken at least 2 years.
Cybercrime has become widespread in modern business. According to McAfee, only 4% of companies have not fallen victim to cyberattacks in the last 12 months. Thus, 96% of companies experience attacks on their servers or data, and even when they manage to prevent direct financial losses from such crimes, they suffer from lower employee productivity because cyberattacks disrupt how working time is distributed. Cyberattacks focused on stealing intellectual property and on espionage are the most dangerous forms of cybercrime for companies, and such attacks are often accompanied by a ransom demand. Close to ⅔ of all material losses experienced by companies due to cyberattacks are associated with financial crimes and the loss of intellectual property. On average, companies need 18 hours to address the issues caused by a cyberattack; returning to the level of efficiency they had before the attack takes much longer.
The average damage to SMEs caused by a cyberattack amounts to $133,000; for large companies and corporations, this figure may reach $380,000. The main opportunity costs of cyberattacks are lower expenditures on R&D, risk-averse business behaviour, and a dramatic increase in expenditures on cybersecurity. As a result, companies that have experienced a cyberattack tend to analyze opportunities for business development more thoroughly and thus avoid risky decisions that could potentially result in rapid growth.
In the globalized business environment, one of the main corporate assets is customers’ trust. A company’s failure to prevent cyberattacks affects its business reputation. According to PwC, 87% of clients are ready to stop working with a company when they are not sure whether it can securely store their data. As a result, apart from direct short-term financial losses, companies that have fallen victim to cyberattacks may also lose their main sources of revenue in the long term. After falling victim to a cyberattack, a company becomes less attractive to job seekers, and its competitiveness in the market may decline dramatically. When hackers succeed in accessing clients’ private data during a cyberattack, the affected company also faces legal pressure: it may be forced to pay fines, or regulatory authorities may deprive it of the right to do business in the future.
According to IBM’s estimates, the average loss experienced by companies due to a data breach amounts to $3.86 million. Cyberattacks thus force companies to increase expenditures while cutting into their revenue streams, so that businesses lose profitability and are forced to scale back their activity or even exit the market.
Mechanism and costs required to implement cybersecurity solutions
Companies that are market leaders in implementing cybersecurity solutions pay significant attention to the speed of cyberattack detection and response. According to Accenture, when implementing new cybersecurity instruments, the leading companies focus on training employees in the basic rules of working with these instruments. 30% of executives from the leading companies said that they conducted special training for more than 75% of employees. More than 50% of the leading companies actively cooperate with strategic cybersecurity partners by regularly ordering security testing services.
In terms of cybersecurity budget allocation, 39% of the leading companies note that they prioritize increasing the efficiency of existing security solutions. The reason behind this decision is to reduce the financial and time expenditures associated with constantly searching for and testing new security solutions.
To minimize potential expenditures caused by cyberattacks, companies need to invest effort and resources in digital security. To address cyber threats, businesses need to follow basic security rules as well as develop technologically advanced digital security strategies. Full information on the methods companies use to protect themselves from cyberattacks can be found in Hacken’s previous publications, so let’s look only at examples of the basic mechanisms companies apply to address cyber threats:
- Creation of backups of key files to mitigate the potential damage caused by ransomware attacks;
- Installation and regular update of security software to address known digital threats;
- Regular scanning of all devices connected to the corporate network and a prohibition on the use of unverified portable devices;
- Conduct of regular training and courses for employees to teach them basic cybersecurity rules;
- Control of access to accounts and databases;
- Regular security scanning of corporate products by conducting pentests and participating in bug bounties.
In 2020, according to Deloitte, average cybersecurity spending by companies operating in the finance industry amounted to 11% of their IT budget, or 1/200 of their annual revenues. Total cybersecurity spending per employee equals $2,700. The analysis of financial companies’ cybersecurity spending is important since this industry is a very lucrative target for cybercriminals due to the high volumes of financial resources and information it accumulates. However, every company, depending on its specialization, should set its own cybersecurity budget parameters. Companies operating in the finance, construction, healthcare, and IT sectors need to have the biggest cybersecurity budgets, taking into account the level of security risks they face. However, it is important to consider not only the amount of money allocated to cybersecurity but also the efficiency of its use.
One way to form a cybersecurity budget is to analyze the data that companies operating in the same industry or associated sectors provide in their corporate statements. It is also important to realize that when a company’s activities involve processing large volumes of confidential information, its failure to address cyber threats may result in sanctions under the regulations governing work with data, such as the General Data Protection Regulation (GDPR). Under this regulation, a company may face financial penalties of €20 million or 4% of its annual turnover, whichever is greater. Therefore, the higher the potential financial penalties that may be imposed on companies for failing to prevent data breaches, the higher the percentage of their IT budget they need to allocate to cybersecurity.
An effective way for companies to become resistant to cyberattacks is to conduct regular penetration testing (pentests) and run bug bounty programs. To this end, companies use the services of cybersecurity companies such as HackenProof, one of the projects within the Hacken Ecosystem. The cost of a pentest is not fixed and depends on the scope and complexity of the work as well as the pricing scheme applied by the company performing the testing. For most companies ordering a pentest, the price starts from $10,000. The price of a bug bounty program run on specialized platforms starts from $10,000-$15,000, while the rewards paid to independent white hat hackers are determined by the company ordering the program. Adding together the expenditures on conducting a pentest and running a bug bounty program, we can conclude that companies can minimize the risks of being hacked and losing data by spending close to $50,000 on cybersecurity, which is at least 3 times less than the average losses caused by cyberattacks.
Overall, investment in cybersecurity is one of the most effective strategies for preventing financial losses as a result of cyberattacks. A company whose reputation is not damaged by numerous incidents involving the loss of customers’ data or assets will be able to increase its potential revenues. Investing in cybersecurity is one of the most reasonable ways for companies to ensure their smooth functioning at a time of global business uncertainty.