The Intersection of Cybersecurity and Financial Management: Protecting the Bottom Line
In today’s fast-paced business environment, a robust IT infrastructure has become a fundamental component of achieving business success. However, keeping pace with technology comes at a price and companies need to budget for it. One of the tricky parts of budgeting for IT is figuring out the return on investment for cybersecurity. It is not always easy to explain to decision-makers why spending on cybersecurity is important, even though there have been plenty of examples of businesses that have suffered financial damage due to a data breach.
Though it may be difficult, it is not impossible. In this article, we discuss the current costs associated with data breaches and provide tips on calculating the ROI of cybersecurity spending. We also cover how businesses with specific compliance requirements can avoid penalties and financial losses. By the end, it will be clear that fostering collaboration between a business’s IT and financial departments is a critical factor in maximizing financial success.
The Cost of a Typical Data Breach
To begin with, no two data breaches are ever the same. The financial damage that results from a data breach depends heavily on the scope of the breach, the nature of the data affected, and how the business responded to the incident. That said, we do know plenty about the frequency of data breaches, as well as some aggregate data about their costs to businesses.
In 2021, there were a total of 1,862 known data breaches. That number represented a significant year-over-year increase of 68% compared to 2020. Worse still, cybersecurity experts believe that the total number of disclosed data breaches represents just a small fraction of the real number of actual incidents occurring that year.
Additionally, it is known that cyberattacks are the main cause of data breaches, as opposed to misconfigurations and accidental data disclosures. In the first quarter of 2022, for example, researchers found that cyberattacks were to blame for a staggering 92% of data breaches. That alone should illustrate the importance of spending on cybersecurity.
We also know quite a bit about what a data breach costs a victimized business. According to research conducted by Ponemon Institute, the average cost of a data breach in 2022 was $4.35 million USD. Additionally, the average costs by major attack vector were as follows:
- Ransomware attacks resulted in an average of $4.54 million USD in costs
- Phishing attacks resulted in an average of $4.91 million USD in costs
- Breaches resulting from stolen or compromised credentials resulted in $4.5 million USD in costs
Those costs, of course, only represent the direct costs associated with a cyberattack. According to Deloitte, however, those are just the tip of the iceberg. They’ve identified seven additional hidden costs that tend to plague businesses in the wake of a successful cyberattack. Among them are less-obvious things like reputational damage, loss of contract revenue, and insurance premium increases. In other words, the true cost of a cybersecurity incident can be far higher for an affected business than the top-line averages would indicate.
Calculating the ROI of Cybersecurity Spending
Even though it is not possible to come up with exact figures to represent the ROI of cybersecurity spending, there are some approaches to the task that tend to work well. One of them is to create an estimate of how many days of disruption would result from a potential cyberattack. This is a useful exercise because calculating direct losses from downtime is simple, no matter the business type. It also results in clear and striking numbers that justify associated cybersecurity spending. In many cases, those potential loss estimates alone are enough to justify the average business’s cybersecurity budget.
Another way to calculate an approximate ROI for cybersecurity spending is to start by collecting data from the business’s firewalls and other defensive hardware. Doing so should provide an estimate of how many intrusion attempts the business’s IT infrastructure faces each year. From that, it is possible to come up with a figure known as Annual Loss Expectancy (ALE).
To calculate ALE, we simply multiply the estimated number of intrusion attempts by the estimated costs of a breach for the specific business. The resulting number tells us approximately how much the business would spend cleaning up after security incidents in a given year if not for its cybersecurity spending.
Finally, businesses that have specific regulatory compliance needs can calculate the costs tied directly to meeting them and take them out of the cybersecurity equation completely. Such costs are mandatory, after all, and should not need more specific budgetary justifications.
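The three estimates described above (downtime loss, Annual Loss Expectancy, and a budget with compliance-mandated spend removed) can be pulled together into a small, repeatable model. The following Python script is an added example, not code from the article or from Outsource IT. It uses the standard ALE = SLE × ARO formulation: the single loss expectancy (SLE) is the cost of one successful incident, and the annualized rate of occurrence (ARO) is derived from the intrusion-attempt count taken from firewall logs, scaled by an assumed probability that an attempt becomes a breach (multiplying raw blocked attempts by a full breach cost would badly overstate exposure). The $4.54M and $4.91M per-incident figures are the article's Ponemon averages; every other number (attempt counts, success probabilities, revenue, budgets) is a constructed illustration.

```python
"""Back-of-the-envelope cybersecurity ROI model (added example, not the article's own).

Implements the three estimates the article describes:
  1. downtime loss = days of disruption x (daily revenue at risk + daily recovery cost)
  2. ALE           = sum over threat scenarios of SLE x ARO
  3. ROSI          = (ALE_before - ALE_after - control_cost) / control_cost
Compliance-mandated spend is removed from the ROI case, as the article suggests.
All sample figures below are constructed, except the Ponemon per-incident averages.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class RiskScenario:
    """One threat scenario (e.g. ransomware) and how often it is expected to succeed."""
    name: str
    single_loss_expectancy: float        # SLE: cost of one successful incident, USD
    intrusion_attempts_per_year: float   # from firewall / IDS logs (assumed value)
    success_probability: float           # assumed fraction of attempts that become a breach


def downtime_loss(days_of_disruption: float, daily_revenue: float,
                  daily_recovery_cost: float = 0.0) -> float:
    """Direct loss from an outage: lost revenue plus recovery spend, per day of disruption."""
    if min(days_of_disruption, daily_revenue, daily_recovery_cost) < 0:
        raise ValueError("inputs must be non-negative")
    return days_of_disruption * (daily_revenue + daily_recovery_cost)


def annual_rate_of_occurrence(scenario: RiskScenario) -> float:
    """ARO: expected number of *successful* incidents per year.

    Raw intrusion attempts are scaled by the probability that one gets through;
    most attempts are blocked and should not each be costed as a full breach.
    """
    if not 0.0 <= scenario.success_probability <= 1.0:
        raise ValueError("success_probability must be in [0, 1]")
    return scenario.intrusion_attempts_per_year * scenario.success_probability


def annual_loss_expectancy(scenarios: Iterable[RiskScenario]) -> float:
    """ALE = sum of SLE x ARO across all modelled scenarios, in USD per year."""
    return sum(s.single_loss_expectancy * annual_rate_of_occurrence(s) for s in scenarios)


def discretionary_budget(total_security_spend: float, compliance_mandated_spend: float) -> float:
    """Strip out spend required by regulation; only the remainder needs an ROI justification."""
    if compliance_mandated_spend > total_security_spend:
        raise ValueError("compliance spend cannot exceed total security spend")
    return total_security_spend - compliance_mandated_spend


def return_on_security_investment(ale_before: float, ale_after: float, control_cost: float) -> float:
    """ROSI: net annual risk reduction per dollar of discretionary control spend."""
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


def example_business() -> Dict[str, float]:
    """Worked example for a constructed mid-sized business; returns every intermediate figure."""
    # Exposure with today's controls (attempt counts and success rates are assumptions).
    before = [
        RiskScenario("ransomware", 4_540_000, intrusion_attempts_per_year=10_000, success_probability=0.0001),
        RiskScenario("phishing",   4_910_000, intrusion_attempts_per_year=2_000,  success_probability=0.00025),
    ]
    # Same attempt volume, but proposed controls cut the success rate fivefold (assumption).
    after = [
        RiskScenario("ransomware", 4_540_000, intrusion_attempts_per_year=10_000, success_probability=0.00002),
        RiskScenario("phishing",   4_910_000, intrusion_attempts_per_year=2_000,  success_probability=0.00005),
    ]
    ale_before = annual_loss_expectancy(before)
    ale_after = annual_loss_expectancy(after)
    # $1.2M total security budget, of which $400k is mandated by regulation (constructed).
    spend = discretionary_budget(total_security_spend=1_200_000, compliance_mandated_spend=400_000)
    return {
        "downtime_loss_7_days": downtime_loss(7, daily_revenue=150_000, daily_recovery_cost=25_000),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "discretionary_spend": spend,
        "rosi": return_on_security_investment(ale_before, ale_after, spend),
    }


if __name__ == "__main__":
    for key, value in example_business().items():
        print(f"{key:>22}: {value:,.2f}")
```

With the constructed inputs, the model puts the pre-control ALE at about $7.0M per year, the post-control ALE at about $1.4M, and the discretionary spend at $800k, giving a ROSI just under 6 (every dollar of non-mandated spend avoids roughly six dollars of expected loss). The point of keeping each step in its own function is that the financial and IT sides can argue over one input at a time (the success probability, the daily revenue at risk) rather than over a single opaque figure.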
Meeting Regulatory Compliance Obligations
It is also worth noting that certain businesses operating here in Canada and abroad have specific regulatory oversight to deal with, depending on their line of business and the data they control. In many cases, meeting those obligations can represent the lion’s share of a business’s cybersecurity spending.
That is why it is critical for every business to have a firm grasp of its legal responsibilities concerning cybersecurity. To start, it is a good idea for affected businesses to work with a compliance expert who can review their IT operations and look for deficiencies, if any exist. In many instances, it is more cost-effective to outsource compliance monitoring or to move relevant business data into a third-party cloud or datacenter that is already in compliance with the relevant laws.
Those options are especially useful for businesses that cross national borders, such as firms here in Canada that have customers in the US or Europe. The more parts of the world the business touches, the greater its regulatory obligations are most likely going to be. Removing that complexity from day-to-day cybersecurity operations and leaving it to a specialist makes the overall cybersecurity spending picture easier to explain and easier to digest for decision-makers.
A Holistic Approach to Cybersecurity
By now, it should be clear that the average business has a lot to lose in the event of a cyberattack or data breach. However, they stand a much better chance of avoiding the worst possible outcome when their financial and technology decision-makers get on the same page regarding cybersecurity. Together, they can strike the right balance between IT spending and risk management, saving the business money in the long run.
Outsource IT can be a valuable partner in that process. We offer comprehensive IT consulting solutions, as well as managed IT services which include IT security solutions to simplify business cybersecurity while helping to keep costs low. Contact an Outsource IT account manager to get started with charting the course of your business’s cybersecurity and IT infrastructure.