Cyber crime is often described as an escalating war. If so, it’s a war that the good guys are losing. Cybercrime costs are expected to reach ten trillion dollars by 2025, and it may come much quicker than that. The SolarWinds breach alone is expected to cost organisations around one trillion dollars to remedy. Since then we have had the Microsoft Exchange breach, affecting an estimated 250,000 servers. Both of these are supply chain attacks perpetrated by state actors.
It’s not just the technological impact either. Increasingly, regulation is involved and fines are proportional to group turnover. Class action lawsuits are also now being employed, with potential settlements anticipated to be much greater than the level of fines. Executives and professional advisors are being held personally responsible for failures to adequately prepare for and respond to breaches, and brands can be damaged for the long term by adverse media and social media attention.
The bad guys, usually state actors or organised crime, have access to the latest technologies like AI and invent new threats faster than any security team can deal with them. At the same time, organisations in search of efficiency improvements and market advantage are introducing new solutions that also increase the opportunities for attackers, what is known as the attack surface. Organisations can spend 80% of their security budget solving 20% of the problem and never feel like they’re getting value for money. We need a new approach to thinking about security in terms of Return on Investment (RoI).
Evaluating RoI in cybersecurity is complex. It involves an evaluation of both risk and potential cost in a rapidly changing threat and technology landscape. It needs up-to-date information on threats, vulnerabilities and costs, including potential legal costs and cyber insurance cover, in a form that businesses can easily use. It needs independent advice, both because regulations like data privacy law call for it and because a lack of independent specialist advice is one of the things that regulators and lawyers focus on when an attack is successful. It must also follow a recognised standards-based approach to cybersecurity risk and cost evaluation to avoid ambiguity and subjective interpretation.
This diagram shows an iterative RoI-based approach to proactive improvement of cybersecurity that would help in any legal defence of a breach.
Starting at the top, vulnerability assessment can be accomplished using readily available services equipped with the latest threat data, as well as penetration tests. These tools feed up-to-date information on vulnerabilities into the risk process.
The audit should be carried out independently and answerable to the audit committee. It should assess risks from all perspectives including supply chain and internal risks.
The results should be fed into the RoI analysis tool, equipped with the latest information on the breaches that each type of vulnerability makes possible and the costs of those breaches, to come up with a cost to the organisation for each type of risk, rated by its likelihood. This will tell the organisation where it should be focusing its available resources on evolving its security architecture for maximum return on its investment.
Finally, contingency plans must be updated. These must also be regularly tested, preferably with board participation, because it will be members of the board who are expected to respond to regulators, shareholders, the media and critical social media comment about any breach. These tests should be conducted with simulations set by independent assessors to ensure independence, and the results fed into the next round of the vulnerability assessment.
This approach will demonstrate that the board is applying proportionate care and attention to the evolving issues of cybersecurity while ensuring the company’s resources are best deployed to protect executives, the supply chain, shareholders, customers and the general public.