In this short article, we’ll try to uncover the real cost of not investing in IT security.
Each year, countless reports are published attempting to paint a picture of the current security landscape, and each year the picture looks worse. This year, IBM published its “Cost of a Data Breach Report 2023”. According to this report, “The average cost of a data breach reached an all-time high in 2023 of USD 4.45 million. This represents a 2.3% increase from the 2022 cost of USD 4.35 million. Taking a long-term view, the average cost has increased 15.3% from USD 3.86 million in the 2020 report”. Clearly, these are some truly eye-watering figures.
The report goes on to state that 51% of organisations plan to increase security investments as a result of a breach.
Like many other similar publications, the IBM report is full of data telling us that things are complicated and are unlikely to get better soon. That’s all useful information, but a lot of this data concerns big businesses and even mega-corporations. It’s not quite so interesting for the average SME.
So, let’s leave the figures to one side and talk about the real cost of not investing in IT security. Let’s look at all the ways that negligence can make us pay.
Here at Jotelulu, we’ve reviewed numerous reports, documents and websites to try and define the key areas affected by a lack of security. The main costs of not investing in security that we have identified are:
- Security and data breaches
- Legal costs
- Reputational damage
- Loss of revenue
- Recovery costs
So, let’s take a look at each one in a bit more detail.
Security and data breaches
We could separate security and data breaches because they’re not necessarily always connected. Some security breaches will pose a risk in other ways, but we’ve combined them here for the sake of brevity.
A security breach is when confidential information is exposed to criminals, who will then either reveal it to the general public or use it to commit fraud. They may also try to sell it to other people. Such information can include patents, designs or customer data.
There are many different forms of attack that can lead to a security breach, including data exfiltration and data kidnapping (ransomware). The protection measures in each case will be different too. To prevent data exfiltration, we have Data Loss Prevention (DLP) measures, but to combat ransomware, the most effective tool is a good backup policy.
Whatever the kind of attack, if a data breach occurs, it is vital that you take the following three steps:
- Investigate the data breach and its scope.
- Notify the relevant authorities about the breach and its scope.
- Notify any customers that could be affected.
NOTE: You should notify the relevant data protection agency as soon as you detect a breach that could affect people’s rights and freedoms, preferably within 72 hours.
Legal costs
These days, European legislation constitutes some of the strictest regulation on data protection (such as the GDPR). Other countries have also approved far-reaching legislation. Some of these regulations include tough sanctions, some of which could even put a company out of business. If a security breach occurs and data is leaked, companies are expected to immediately inform the relevant data protection agency and any affected users. The resulting fines could be significant, and there will likely be substantial legal costs on top.
Reputational damage
Data leaks are bad news for everyone, but the impact on your company’s reputation could be devastating. This is particularly true if the media or the attackers manage to leak the news before you put a statement out. The company will be seen as untrustworthy or unreliable, and this could mean that many customers switch to more reliable competitors.
When a security breach occurs, it’s important to manage your communications as effectively as possible. This is why it’s a good idea to have a crisis communications plan in place before such situations arise. This should be put together as a collaborative effort between IT, security, senior management, marketing, HR and any other relevant department. Once in place, the plan will then serve as a guide to decide what messages should be communicated, when, by whom, etc.
NOTE: After more than 20 years in IT, I firmly believe that the best approach is to have a pre-prepared communications strategy which is then taken care of by communications professionals, such as the marketing department. That way, the IT and systems departments can focus their attention on addressing the issue at hand.
Loss of revenue
In many cases, an attack or security breach can cause operations to grind to a halt. Until the issue is resolved, this could mean that the business is unable to provide any services or gain new customers. Furthermore, with the potential lack of consumer trust, existing customers may leave. All of this will have a hefty impact on your bottom line. And if the issue is not resolved quickly, the company’s very survival could be in jeopardy.
Recovery costs
Getting things back to normal is not always as simple as we might like. It depends mainly on two factors: firstly, the level of security that the company enjoyed before the breach, and secondly, the scope of the breach. For example, if the security breach is fairly limited in scope but there wasn’t much protection to begin with, then obviously it’s going to be a long uphill battle to implement enough measures for the business to feel secure again.
Continuing with this example, if you don’t have any backups or your backups are poorly configured, even a fairly minor attack could take days to resolve. Even if only one service is affected, it will take ages to restore everything manually, and of course there will be permanent data loss.
After all this, it goes without saying that it’s better to be safe than sorry. By investing in security measures and protection now, when the unexpected happens, you’ll at least be well-prepared.
Conclusion
In this article, we’ve looked at the different costs associated with not investing in security. There are many ways that your business can suffer, both financially and operationally. These costs can be as simple as the recovery costs following an attack or as complex as the damage to your reputation.
Clearly, it’s not worth the risk. Invest in proper security measures and backup policies, take time to plan your infrastructure and systems properly, and engage in continuous improvement to ensure that your business remains resilient in the long term.
If you’re interested in reading the full IBM report, you can find it here: Cost of a Data Breach 2023 | IBM.
Thanks for reading!