It’s no secret cyberattacks pose a significant business threat, and whenever a large corporation makes the nightly news for getting hacked, business leaders may be tempted to rush out to invest in the most expensive, top-of-the-line protection to ensure their organization isn’t next.
While understandable, this type of reactive, misguided approach can actually do more harm than good in the long run. Decision-makers need to strike a balance when it comes to spending on cybersecurity technology in a way that still enables corporate growth without leaving the organization overly vulnerable to an attack. Invest too little, and there could be gaps in your cyber defenses. Invest too much, and there could be a false sense of security.
So how do you determine the optimal investment for your organization?
Risk factors that impact cybersecurity spending
There are a number of factors that can impact the optimal cybersecurity spend for an organization. For instance, is your organization largely offline and free of mobile devices, computers and networks? If so, your risk level for a cyber infiltration is much lower than one whose employees operate remotely on a cloud-based platform. The greater the number of devices an organization utilizes or harbors internally and throughout its employee base, the greater an organization’s risk.
Cybercriminals also tend to target companies in industries ripe with valuable trade secrets and intellectual property that can be exploited at ransom, putting technology companies at a higher risk level than, say, bakeries.
Businesses that store sensitive customer information, like credit card and social security numbers, are also more likely to be targeted. Hospitals, banks, and, as we’ve seen countless times, big-box retailers have access to this type of customer data and information, making organizations in these industries much more likely to be targeted.
Something as simple as the size of your company can also impact your risk level.
The average cost of a security breach is $242 per record. For a small organization with only a thousand records, a breach may cost approximately $242,000. A larger company housing millions of records, well, you can see where this is headed.
Smaller establishments also often lack designated IT personnel to identify, defend, and restore systems. Without assigned personnel to monitor against cyberattacks, it could be days, weeks, or even months before anyone notices a security breach, and by then, the impact could be considerable.
Larger enterprise-level organizations have different problems. The budget exists for dedicated IT and cybersecurity personnel, but such large (and often disparate) operations can create gaps in security, establishing vulnerabilities for knowledgeable hackers to take advantage of.
Neither too small nor too big, a midsized organization should typically have a lower level of risk.
Numbers and sense
It’s important to recognize security breaches are typically costly in the short term and rarely result in recurring expenses. Leaders should approach these investments like they are investing in an insurance policy for their organization.
Like purchasing insurance, you must weigh expected losses and account for a potential breach’s impact over time. By doing this, you can determine the right amount to spend on cybersecurity. Instead of allocating funds to cybersecurity based on fear and worst-case scenarios — which might not come to fruition — an assessment of the potential risk and determined actual value of the proposed security solutions needs to be completed.
But even if an organization meets the criteria above to put them at a higher risk for cyberattacks, it just doesn’t make good business sense to spend more on cybersecurity than what the organization is worth. By looking at cybersecurity like an insurance problem, decision-makers can better identify an optimal spend.
For example, let’s consider a company worth $20 million. The direct and hidden cost of a cyberattack is $2 million, dropping the valuation to $18 million, and let’s assume the company has a 50% chance of getting hacked to keep things simple.
The last measure unaccounted for is the organization’s expected utility, given it has a 50% chance of facing an attack. Since every organization values its utility differently, a fair assessment would be the square root of the organization’s worth – resulting in an expected utility of a little more than $4,000 in this case.
To determine how much an organization is worth with cybersecurity, place the expected utility into the utility function and solve. In this scenario, the organization is worth almost $19 million when accounting for the risk of an attack.
In order to fully determine how much an organization should spend on cybersecurity, subtract the original worth from the worth with cybersecurity, which computes to a little over $1 million. This is the maximum value the organization should pay on all cybersecurity-related costs, including software investments, personnel time, maintenance, etc. If we consider a three times revenue model, the organization should not spend more than 15% of its revenue on cybersecurity-related costs.
Keep in mind organizations with lower levels of risk will see dramatic reductions in their ideal spending. If we use the same thought process above but assert only a 20% or 10% likelihood of a cyberattack occurring, the organization should not spend more than approximately $400,000 or $200,000 respectively.
Making smart decisions
While there may not be a single foolproof, one-size-fits-all solution to preventing cyberattacks, some level of protection is better than none. Savvy business leaders will recognize the need to balance this investment against their business goals, mission and values to optimize their spending in a way that just makes smart business sense.