“Why is cybersecurity so hard?” I’ve heard that question a thousand times and I saw it recently again in an online forum on LinkedIn. I’d like to offer a partial answer this week.
A large part of the issue is visibility: it is hard to see a cyberthreat. We can see (or at least imagine) burglars, thieves, and other physical threats. It’s hard for most of us – and probably most high-level managers – to envision cyberthieves. When you see that word, what do you think of? A kid in his basement trying to steal credit card numbers? A group of cyberwarriors in a large cubicle farm working for a government or a criminal organization? Or maybe you see one of your own employees or coworkers up late at night…
Cyberthreats may be hard to imagine, but they’re real nonetheless. A security breach can be expensive. The 2013 Cost of Data Breach Study: Global Analysis revealed that the average cost of a data breach among those surveyed was USD 5.5 million. That’s a lot of money by any standard.
I’ve written briefly before about the need for organizations to make their people aware of threats and countermeasures. I believe that Learning Tree Course 468, System and Network Security, is a good starting point. But there is more to do: management folks need to be convinced of the need to spend money on risk analysis, mitigation, and other parts of cybersecurity including awareness training. Part of the issue is that these expenses tend to be for non-tangibles. Managers can’t see patch management tools, antivirus software, intrusion detection software, and so forth. Locks, cameras and guards are easier to see and therefore perhaps easier to justify spending on.
So how do we convince those who control the purse strings that cybersecurity is worth spending a bit of the limited budget on? Well, first, management types need to attend the awareness class, too. Learning Tree makes that easier with our new Learning Tree AnyWare system. People can take classes from the comfort of their home or office or from one of the growing number of AnyWare centers around the country. I’ve taken classes that way and I find it a pleasing and easy alternative to classroom attendance.
Managers need more information, though. In order to spend money on cybersecurity, we have to show ROI (Return On Investment) – that is, we have to show that money spent on cybersecurity is valuable. One way to do that is by showing the costs of breaches. I mentioned one such number above. There are numerous other surveys and studies showing the cost of breaches, laptop theft (USD 50,000), and so forth.
I’d like you to share your favorite (reasonably recent – last six years or so) cybersecurity breach cost estimates or analyses (with sources) in the comments below. If you don’t have a collection, start one! Consider it your assignment for the week to find at least two studies of the costs of cybercrime and post the info below.