Do business leaders still need convincing that cybersecurity matters?

Paul Crighton

by Paul Crighton, Managing Director at Barracuda Networks

Cyberattacks that involve high profile targets and big numbers invariably make headlines. A recent example is United Healthcare’s $872 million cyberattack. But while the reporting of such incidents helps to raise awareness of the harm cyberattacks can do, it may also create a false sense of security among smaller or less well-known companies that find it hard to believe anyone would spend time or money targeting them.

Just over a third (35%) of small business IT security professionals surveyed for a recent international study worry that their senior managers don’t see cyberattacks as a significant risk. They are right to be concerned. IT security pros know better than anyone that every business can be hit by cybercriminals, and it doesn’t matter whether the attack is deliberate and targeted, a “spray and pray” mass attack or just sheer bad luck. You need to be ready for anything – from anywhere.

For example, the spear-phishing emails that preceded the 2018 Olympic Destroyer attack on the Pyeongchang Winter Olympics hit several completely unrelated companies whose domain names resembled the targets’. These included a wood company in Slovakia and a real-estate office in Germany.

When talking to business leaders about security risks, it is important to take a step back and consider why any of them should give up their time to listen in the first place.

Cybersecurity is a business issue

Most organisations don’t want to fail. They want to thrive, grow, and expand. This requires a solid financial foundation, with robust resources, investments, and investor trust. A security breach will disrupt all of this.

Security breaches can be expensive to deal with and fix. Our research found that for Australian organisations, the average annual cost of dealing with cyber-compromises was $2.7 million USD. This includes $1.7 million for the theft of IT assets, damage to infrastructure, and incident investigation and remediation activity, and a further $1 million for the cost of downtime and the resulting lost productivity and operational disruption.

And that’s not all. According to the Harvard Business Review, listed companies experience an average 7.5% reduction in stock market value after a data breach, and this takes around 46 days to bounce back, if it ever does.

Further, audit fees, borrowing fees and insurance premiums all increase in the year following an incident, while company performance declines by around 9%. There are likely to be liability and compliance penalties for any failure to meet service level agreements or regulatory guidelines, not to mention reputational damage and mistrust among customers.

Security professionals need to be able to explain how these financial and organisational risks can be mitigated by understanding and addressing cyber risk.

Business priority: potential impact of a cyber incident

Growth strategy (product and service roadmap, new initiatives): cyberattack resulting in exposure or theft of intellectual property.

Business resilience (continued operations and reliability): DDoS (Distributed Denial of Service) attack disrupting commercial activity; downtime.

Financial status (revenues, reserves, cash flow): cost of responding to and recovering from an incident; penalties for compliance violations.

Reputation and customer trust: loss of PII (Personally Identifiable Information) eroding customer loyalty; damaging PR.


Breaking down communication barriers

Over half of the Australian organisations surveyed (53%) feel their organisation’s cybersecurity budget is inadequate. However, a quarter of all respondents admitted their leaders are not kept up to date about the cyber threats facing the organisation. This creates a situation where leaders may not be aware of the risks they are facing, or of the resources required to properly address them.

Therefore, security professionals must get better at explaining to leaders the threats the company faces today and is likely to be facing tomorrow. Otherwise, there is a risk that the business will fall victim repeatedly to cyberattacks, especially if the company hasn’t fully addressed the root cause of previous incidents. Our research found that over two-thirds (70%) of Australian organisations experienced one or more ransomware incidents in the last year.

Security is a journey

Convincing business leaders to care about cyber risk and resilience is not a one-off task. Cyber threats are evolving all the time, and so are the associated risks and impacts.

Globally, most respondents said attacks had become more sophisticated (61%) and more severe (54%) over the last year, taking longer to recover from and fix.

At the same time, many organisations face a shortage of professional cybersecurity skills, struggle to navigate an increasingly complex landscape of security tools, need to prioritise resource allocation, and must develop and continuously update their incident response plan.

Conclusion

Business leaders need to believe that cybersecurity will help the company to keep going in a world where cyber incidents are common, unpredictable, and potentially destructive. If they understand why security matters, they will be better placed to understand what needs to be done.

The good news is that most business leaders get it. They understand why cybersecurity is important, but also face difficult choices in terms of prioritising budget and resources. There are trade-offs to be considered, for example between the pace of product development and security checks and integration.

Cyber resilience depends as much on people as it does on technology. A security-focused company culture needs leaders who are on side and understand the risks and solutions. An engaged risk-literate leadership is one of your most powerful tools for ensuring policies, programs and investments succeed.