Top Cybersecurity Myths: The Cost of Security Is Too High
MYTH: The cost of investing in security is too high.
It’s a fact that the average organization’s information security (InfoSec) function is not income-producing. And you may find yourself struggling to justify InfoSec-related expenses — whether for a new tool to provide enhanced monitoring, the salary for a dedicated Information Security Officer, or expenses for an IT/InfoSec audit.
However, while security requires financial resources, it’s a myth to think that the cost of security is too high to justify. With the use of connected devices, which will continue to increase, and a rise in remote work, the risk of a breach is only growing. For most organizations, control failures, incidents, breaches, phishing attacks, and other cybersecurity issues are not a matter of “if” but “when.” And “saving” money by neglecting to invest in security now can cause significant financial loss in the future.
Let’s investigate why this myth is unfounded.
The average cost of a breach is high. And small organizations are disproportionality impacted.
The 2020 Cost of a Data Breach Report from IBM Security and the Ponemon Institute found that the average total cost of a data breach was just under $4 million per breach globally. The country with the highest average cost was the United States at $8.6 million per breach, and the healthcare industry had the highest average cost at $7.1 million per breach.
But the study also found that small organizations typically had a significantly higher average cost per employee and were also more at risk of not recovering from a breach than larger organizations.
When considering how your organization could be affected, an important takeaway from this study is the average cost per lost record. In 2020, the average cost per lost record was $146. While this may not seem like a lot, consider how many records your organization has, such as records for donors, patients, members, clients, and other constituents. With a breach of 1,000 records, this is a cost of $146,000. Extrapolate that to 5,000 records, and you are now looking at a breach expense of $730,000. There is so much data within most organizations, and the cost of a breach can quickly reach a significant level.
Ask yourself: How many records does our organization have? Would we be able to recover if a breach affected these records?
The cost of a breach can be reduced with controls.
Breach costs are not one-time costs, and the study also found that most organizations were affected multiple years after the initial breach. However, implementing mitigating safeguards resulted in lower overall breach costs. And organizations that identified the breach more quickly than others experienced significantly reduced costs. Therefore, resources you devote now to increase preventive, detective, and response controls can minimize the short-term and long-term financial impact on your organization.
In addition, many cybersecurity controls can increase the efficiency and effectiveness of existing processes. For example, a centralized monitoring tool may allow your IT staff to more effectively monitor the patch and anti-malware management processes. So while there is an upfront cost to implement that tool, your staff will have added time savings that will allow them to devote their expertise to other critical functions, such as incident identification.
Ask yourself: Does the upfront cost of investing in the tools and resources to empower the cybersecurity of our organization outweigh the risk and cost of a breach?
You can’t put a price on your reputation.
The loss of reputation can be a significant cost for organizations. If you have a cyber issue that results in a breach of sensitive donor, client, patient, or employee information or a loss of funds, your constituents may lose trust in your organization.
Those you serve may turn to organizations that they feel can better protect their information. Donors may take their donations to organizations they feel will protect their information better. Donors may also take their donations elsewhere if they feel another organization is more likely to be able to use their donated funds for the mission rather than losing it to hackers. The loss of future revenue streams can have a significant impact on an organization’s ability to continue.
Ask yourself: Does the cost of investing in security now outweigh the risk of my organization being unable to complete its mission due to loss of reputation related to a breach?
It cannot be denied that the cost of a breach is high. And unfortunately, it’s a reality that many organizations do not recover from breaches and instead close their operations. That’s why it’s important to view security controls as an investment. With this mindset, you’ll likely find the upfront cost for preventative, detective, and response controls significantly outweighs the potential impact of an incident.
We understand that many organizations are facing financial challenges during this time of unanticipated challenges. Watch our recorded webcast on “Managing Cybersecurity Concerns Under Budgetary Constraints” for steps you can take to address cybersecurity gaps while facing budget shortfalls. The recording is available here.
Allison Davis Ward
Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.