When talking to IT leadership, one of the most common things we hear is how difficult it can be to justify the investment in cyber security to the stakeholders of the Company.
Let’s face it: Companies invest in technology and expect to see an ROI from operational efficiencies, increased market share, or the launch of new products or services. Most experienced IT leaders understand this; hence, it’s hard to justify the effort to vet potential vendors and/or new technology and craft a proposal to justify the need, only to have the Company’s stakeholders look up and say, “Where’s the ROI on this investment?”
Is there a Tangible ROI in Cybersecurity?
It’s true; there isn’t a tangible ROI that can be easily calculated. How do you put a return on recovering from a fictitious, “it can’t happen to us” data breach scenario? Besides, having anti-virus/malware and a solid backup strategy is enough to protect us from a nasty virus or ransomware attack, right? And in the event there is an incident, the Company has probably met its fiduciary responsibility and secured a cyber insurance policy, in the unlikely event an employee clicks on a bad email and allows bad actors access to the network and sensitive data. So, where’s the risk? Insurance will cover the financial burden.
The hard truth is, all IT Leaders know their Companies need better cyber security tools. But most of the time, it’s not part of their budgets, or it’s the first line item that gets trimmed during financial planning. And that is leaving lots and lots of companies exposed to lots and lots of risk.
Here are some statistics to show just some of the exposure Companies are facing:
- 43% of data breaches involved small businesses.
- 24% of data breaches are caused by human error.
- 29.6% of companies will experience a data breach in the next two years.
- The average cost of a data breach in the United States is $8.19 million.
- The average size of a data breach is 25,575 records.
- The average time to identify a security breach is 279 days.
- 780,000 records are lost to hacking each day.
So really, the conversation around cybersecurity is a risk management issue.
Can your company accept the risk of no liability or workers comp insurance?
A cyber insurance professional put it in these terms to me — “Just because you have Workers Comp insurance doesn’t mean you stop putting down salt on icy steps and sidewalks.” The same could be said for investing in cybersecurity solutions. Just because you have a cyber policy or some cyber security tools in place doesn’t mean you stop investing in new tools to lower your risk of a cyber attack.
Our mission at Black Bottle IT is to help companies prepare for, respond to, and remediate cyber incidents. We advise clients to invest in cybersecurity tools and services. There is NO ROI. Still, your risk exposure will be significantly reduced, allowing the Company and its employees to continue serving their customers to the best of their ability.
About the Author:
This blog was written by John Hensberger, Managing Partner of Black Bottle IT. Earlier in his career, John was also part of a company that experienced a cybersecurity breach. That experience fueled his passion for assisting other companies with their cybersecurity needs to mitigate their risk. As a Technology Executive and Cybersecurity Advisor, John was recognized as the Pittsburgh CIO of the Year, 2014.