Can you spend your way out of a cyber security crisis?
5/12/22, 8:30 am
Cyber Security Portfolio Manager at NEC Australia, Connell Perera, asks if throwing money at cyber security is the answer after a breach
We are all at risk of an attack. It’s that simple.
Cybercrime reports to the Australian Cyber Security Centre (ACSC) rose 13% to over 76,000 in 2021-22 – a report every 7 minutes. And that's the small fry compared with recent high-profile breaches. In 2021, 45% of Australian organisations were hit by ransomware. In 2022 it’s 80%.
Australian consumers are worried about their data. And that keeps CISOs up at night. We’ve been revealed as an easier target – relatively immature in managing cyber breaches and only in 2022 upping security spend to 12% of Australian technology budgets from 6% in 2021.
The Australian Government has signalled ransomware reforms may be on the way to stop companies from paying ransoms to escape the consequences of their breach. No more buying your way out of trouble under the ransomware business model.
We are under attack. But upping budgets without focus or paying ransoms will not get you out of a cyber security crisis.
Can you spend your way out of a cyber crisis?
Cybercrime cost Australia $33B in 2020-21, with the average data breach cost at $3.35M. This alone is not necessarily enough to loosen enterprise purse strings.
Instead of tallying direct costs – or rolling out the old-school scare tactics – cyber security strategy and investment are best determined using the same risk, reward and ROI principles as any critical business decision.
Depending on the scale of the breach, impacts unrelated to data can include class actions, customer churn, and share price declines. It’s a slippery slope to long-term hits to brand, reputation, and growth. The potential of these non-data impacts to affect the bottom line demands that security is a conversation about ROI as much as any other business spend.
You can throw money at PR and restoring public confidence. But when it comes to data security, there is no replacement for doing the work to assess, engage and manage your security risk profile.
New perspectives on security spend and ROI
Contrary to current business sentiment around security, high-profile breaches present an opportunity to shift how we talk about cyber security investment.
For some businesses, it's tempting to throw money at security and batten down the hatches, but it's important to consider the entire business balance sheet.
Smart spending is less about reaching a perfect level of security than determining what you need to invest to maintain an acceptable level of risk for your business.
How far can you push your budget and risk? What can you get away with? It may not be the question you expect from a security provider, but it's all about the right spend for you. That doesn’t mean cutting corners, skirting the edges of compliance, or rolling the dice on data security – it means a clear security strategy that aligns with your risk profile and strategic goals.
Understanding your acceptable level of cyber risk
Sophisticated global actors, uptake of SaaS products, and increasingly distributed workforces mean businesses must now accept a certain level of risk to maintain productivity whilst enabling flexible work options.
What risk is acceptable to your business is constantly changing based on the threat landscape, the emerging and existing compliance requirements, and, most importantly, how effectively you govern your risk.
You need to know your acceptable level of cyber risk to plan your security protection profile and focus your limited security spend.
Your biggest spend
It stands to reason that compliance is your biggest security priority and spend; it’s non-negotiable.
Your compliance can be put at risk by costly manual processes, using tools that don’t have effective reporting to address audit requirements, and a lack of security expertise.
Change is coming in 2023. The Australian Government is likely to act to protect how its citizens’ data is accessed and secured. This may mean new regulatory burdens and increased scrutiny.
The cost of skills to ensure compliance will continue to rise as Australia adjusts to the new threat environment – figures from AustCyber flag a shortage of 3,000 security staff by 2026.
Championing a new security spend approach
You can’t spend your way out of a cyber security crisis…but you can be prepared to manage your risk and reduce your business impacts.
Understanding your compliance responsibilities and acceptable level of risk – and then spending to match – won’t protect your system from every nefarious scenario. But it will put you in the best possible position to manage a breach when it happens.
It’s time for your business to tune into the broader security conversations we’ve been having for the past decade.