5 Fatal Risk-Assessment Mistakes About Cybersecurity That Could Cost You Your Business
Businesses are spending more than ever before on cybersecurity solutions. But the costs and losses attributable to cybercrime—attacks, breaches and the resulting damages—are also on the rise.
CEOs, CIOs, and budget-conscious investors are all asking: are the products and services available today worth their cost? Would it make more sense just to pay off the hackers? Are proactive approaches truly effective?
In IDG Research’s 2017 State of U.S. Cybercrime Survey, 68 percent of respondents indicated that despite spending more, their monetary losses due to cybersecurity events were the same or greater than the previous year.
6 percent fewer businesses reported no losses, and the number of events resulting in damages increased.
Researchers at Cybersecurity Ventures predict that cybercrime will continue to increase in the coming years, and that by 2021 will cost global businesses more than $6 trillion annually.
Given statistics like these, and faced with tight budget constraints, it’s tempting for business leaders to conclude that their investments in cybersecurity are simply not worthwhile.
But before drawing such conclusions, you need to conduct a risk-benefit analysis.
To do so accurately—and with confidence—you must be able to translate the dangers you face into quantitative terms. And this is where many decision-makers fall short.
So here are the FIVE most serious misunderstandings we see executives make when choosing a cybersecurity solution in today’s risk environment.
Mistake #1: Failing to understand the relationship between your investments and your risk
The threat landscape is ever-changing, with the most advanced adversaries shifting tactics daily to ensure they’re using the techniques that give them the best results.
This means that your business’s cybersecurity investments actually have a direct impact on attacker behavior.
In other words, if you don’t actively prevent a tactic’s use, it will become more popular.
This pattern can be seen in the explosive recent growth in ransomware attacks. SonicWall recently reported a 229% increase in this type of attack from 2017 to 2018.
Taken together, ransomware’s total costs have spiraled into the billions, and are likely to grow further as threats become increasingly strategic, targeted and sophisticated.
If even a small percentage of victims pay the ransom, threat agents are strongly incentivized to continue to develop and deploy more ransomware, and to target increasing numbers of organizations.
And if it becomes widely known that one-third of companies would be willing to pay up, we can expect to see exponential growth in the number of attacks.
Mistake #2: Not taking intangibles into account
Although damage to brand image and reputation is of major concern to most cyberattack victims, it is notoriously challenging to express these losses in financial terms. But in any industry with significant competition, customers lost because they no longer trust you in the wake of data compromise will almost certainly never return.
Other potential costs, too, are frequently ignored in cybersecurity risk calculations.
Would your cybersecurity insurance premiums increase? Or might your insurer even refuse to pay out if you were shown to have neglected your responsibility to follow best practices? What would it cost to replace top talent if high-level employees resigned in the wake of the incident? And what damage would be done to your relationships with other vendors or business partners?
Mistake #3: Thinking that an “honor among thieves” mentality still prevails among attackers
A few years ago, some experts advocated paying the ransoms demanded by cybercriminals, arguing that most would decrypt your files or return control of them once paid.
Real-world data belies the wisdom of this approach, however. In a recent research report by the Cyber Edge group, only 19% of the victims who paid actually got their data back.
Some criminals never intended to return the data, while others—through ineptitude or poor coding skills—find themselves unable to fulfill their promises to decrypt the files.
There’s simply no way to be certain that paying a ransom will restore your data.
Mistake #4: Trying to predict the costs of a ransomware attack
With so many attackers now demanding payment in Bitcoin or other cryptocurrencies, it’s becoming increasingly difficult to estimate—in dollars—how much a ransom might actually cost you.
Bitcoin’s price volatility is famous, with its value against the U.S. dollar having changed by as much as 10x over the course of several months. And other, newer cryptocurrencies are no more stable.
Furthermore, it’s almost impossible to guess how much ransom an attacker might demand.
In one recent market survey, the median cost incurred by businesses that had fallen victim to ransomware attacks was $133,000, but the range of possible costs was enormous, with a low of $13,000 and a devastating high of $13.3 million.
Mistake #5: Believing that your business can survive an attack
Leaders of small and medium-sized businesses sometimes assume that their organizations are immune to cybersecurity risk because their profiles are too low, their revenues too small or their operations too insignificant.
Nothing could be further from the truth.
In fact, because they are perceived as low-hanging fruit, SMBs are increasingly becoming adversaries’ favorite targets. In 2017, more than 20% fell victim to cyberattacks.
And among victims, smaller businesses are the most likely to fail in the face of an attack.
Lacking the critical infrastructure and resources needed to recover, 60% of victims will simply close their doors within six months of a major security breach.
To truly protect their businesses, leaders must consider whether their current cybersecurity investments are adequate for today’s complex threat landscape.
It is difficult—but not impossible—to estimate the risks holistically and quantitatively.
But doing so is the most important step you can take to ensure your organization’s ongoing survival.
I'm Stanley Li, the CEO of Netswitch Inc., and I have a question for you: “If I could guarantee to reduce your IT security costs and cybersecurity attack risk by up to 86.5%, would you be interested?” If so, simply connect with me on LinkedIn and I'll send you more details.