Recent headlines demonstrate that data breaches are having a far more negative impact on the bottom line than anyone could have imagined, especially for publicly-traded companies. Record-breaking regulatory fines, mounting litigation costs and downward trending stock prices are real financial concerns and business risks.
Large data breaches cost an average of $347 million in legal fees, penalties, remediation costs, and other expenses, according to a report that analyzed the data breaches among public companies. There seems to be no end or limit in sight for some. Financial analysts estimate that Marriott’s data breach will cost the company a whopping $1 billion. And there is still more to learn over time.
A recent study on cyberattacks and stock market activity found that data breaches create a negative shock to a firm’s reputation and its future growth prospects. After a cyber breach, companies likely suffer a short-term hit to share prices, and in the long run, pay lower dividends and invest less in research and development, leading to a loss of competitive edge.
The stakes are clearly high and long term, but across most industries, all signs point to cybersecurity being under-resourced in both staff and technology. In fact, any significant public breach is usually followed by a major uptick in spending on much-needed cybersecurity tools and people.
As Capitol Hill, Wall Street and Main Street keep watch over companies that have data breaches, CEOs, CFOs, CISOs and CIOs must put cybersecurity at the top of the agenda and rightsize their investments to prevent breaches from happening in the first place.
Cybersecurity spending trends
The good news is that companies are taking notice, and cybersecurity spending is on the rise. In fact, data from IDC shows that global spending on cybersecurity solutions is anticipated to top $103 billion this year alone, which is an increase of 9.4% over 2018. And they expect that rate of growth to continue for the next several years as companies increasingly invest in security solutions.
But oftentimes, companies don’t know the right mix of cybersecurity products or how much funding to allocate, and haven’t matched their spending to their cybersecurity risks. For instance, web application vulnerabilities have been the No. 1 cybersecurity risk for several years, yet only 3% of IT spending is going towards web application security. Other common reasons for data breaches include phishing, malware and insider threats.
Building a cybersafe business
While threats will most certainly continue to evolve with increasing sophistication, organizations must take a proactive and continuously vigilant approach to plan, prepare, fund and defend their company against cyberattacks. And this will require everyone’s collaboration.
As budgets are mapped out for 2020 over the next few months, senior leadership may consider the following to make sure they’re doing everything they can to build a cybersafe company and minimize risk:
- Regularly re-assess your risk: Security officers should be encouraged to conduct comprehensive audits on an annual basis – or as often as the business deems necessary – to identify the biggest threats and security gaps, and then prioritize needs according to risk. It’s important to align assessments with business changes and disruptions. For instance, acquiring new firms introduces new security risks that have been outside the company’s control. Thorough investigations should be conducted as the business grows, adds new lines of revenue, introduces broad technology changes or reduces company headcount. On the flip side, redundant technologies can also be reduced if possible.
- Foster collaboration between CISOs and executives: Strong partnerships between cybersecurity and business executives can lead to a clearer understanding of the threat landscape, the impact to the business and the right level of resources needed for a stronger posture. CISOs and team members should attend business planning meetings often to help identify new risks and keep lines of communication open regarding what can and should be done as business changes go into effect.
- Consider an outside perspective: To analyze and assist with security budgets, risk management, technologies, and staffing, consider bringing in an external perspective. While every business and risk profile is unique, independent consultants can provide benchmarking against peer institutions, offer deeper security expertise and another viewpoint for consideration.
- Consider cyber insurance: Cyber insurance policies are available to provide a company with the necessary assistance to deal with the investigations, lawsuits or privacy violations that may have resulted from a data breach. It’s important to re-evaluate policies over time according to the latest risks and market activity to see if larger policies or broader coverage are needed.
- Invest on the inside: Assess current management programs and technologies that help minimize insider threats through user behavior monitoring and employee education. Ongoing training on company policies, best practices for secure data management, as well as ways to prevent ransomware attacks can go a long way. There is also an opportunity to teach employees to identify and report potential internal breaches.
It’s clear that cybersecurity is becoming everyone’s responsibility, and leadership must approach it with the same fastidiousness as the most important business initiatives. After all, in today’s business climate, cybersecurity is important to future survival. If your business is not proactive, it could mean the difference between becoming an industry darling and facing a potential downward spiral.