Selling Management on The Real Cost of Cyber Security

It is a struggle most IT professionals can relate to: management wants the latest shiny object and expects to offset this investment and save a few dollars in the short term by cutting other aspects of their technology. If you are, or have been, a Chief Information Security Officer (CISO), the savings and scramble roller coaster is an all too common story.

It’s hard to sell corporate management on ongoing security costs if it means cutting out shiny new toys like bigger monitors and faster computers with tremendous capabilities. Repetitive monthly or annual costs can be a tough line item at the best of times, and they often make for an easy head to chop when it’s time to hunt for corporate savings. But the reality is, this type of "saving" on security will end up costing the organization MORE in a number of ways: time, money, resources, and clients.

Cyber security breaches are so common across different industries and organization sizes that they must no longer be considered an unlikely prospect but rather a predictable outcome. Consider this sobering statement from an article in Cybercrime Magazine: "If it were measured as a country, then cybercrime – which is predicted to inflict damages totaling $6 trillion USD globally in 2021 – would be the world's third-largest economy after the U.S. and China."

Despite the very real threat, all too often IT in corporate America finds itself begging for security program support and dollars. How then can we convince management to stop being enamored with desktop toys and appearances and apply dollars where they are truly needed? We can start with these imperative questions:

  • What protection against hackers is in place for vital business data?
  • What plan do we have in place should the on-site server fail or be compromised? How will we restore operations?
  • What protection against phishing attempts is there for employees?
  • What protection do we have in place for our client and customer data?

The reality is, skimping on technology and IT solutions means there will be nothing standing between a business's sensitive data and those determined people who excel at taking advantage of that data. What will your company do if the answer to the above questions is that there isn’t a plan in place?

When it comes to investing in IT, here are three things you never want to "save" on:


Despite the onslaught of media stories about IT security issues on the rise, many businesses, from small to large, continue to underinvest in IT security. These businesses continue to fall into the dangerous mindset that "This won't happen to us." That fantasy is becoming less believable every day.

A data breach can be devastating to a business. Not only is data compromised and potentially copied or stolen, but your clients will also immediately question whether or not they should trust you. Depending on the seriousness of the breach, they end up taking their business elsewhere or, worse, bringing legal action.

When organizations invest in the cheapest IT security option available, it's like hanging out a welcome sign for hackers. A significant number of bots (robots) inhabit the internet looking for security holes.

These bots work tirelessly to test websites, mail systems, and networks, always looking for a way to penetrate a system. If they discover a weakness, an opening, they can do some serious damage. When you invest in strong IT security and an experienced team of IT specialists you can lower the risk of damage to your systems. Importantly, and in addition to protecting your business assets, you also are protecting your clients.


Many small to medium-sized businesses still keep all of their data on-site with no backups. Everything is stored, and accessed, in one central location keeping everything neat, tidy, and simple. Unfortunately, this creates an environment ripe for a disaster should they be hacked. A disaster is waiting to occur if a hard disk or server fails.

Should this be the case, they immediately find they are unable to access client information, invoices, phone numbers, purchase orders, and more. Having a backup off-site or in the cloud is essential because all transactions and documents, contracts, etc. have another layer of protection. While a backup provides the ability to restore data should the worst-case scenario occur, it is important to note that test restores are an integral part of a backup system.

Some organizations go a step further and have a backup for the backup (often both an on-site solution and a cloud-based solution). Remember, if you invest in a backup system or service, make the best use of it. First, the system must be installed and set up. Then, testing should be done to ensure that the backup system is correctly configured. A backup system that isn't correctly configured may not back up data as intended, or may be backing up data too infrequently to be useful.
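As an added example (not from the article), here is how the two checks just described, a test restore and a freshness check, might be scripted in Python; the one-day threshold, the file names and the sample data are constructed for illustration, and the tar.gz archive stands in for whatever backup product is in use.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Assumed policy value (not from the article): older than a day counts as too infrequent.
MAX_BACKUP_AGE_SECONDS = 24 * 3600


def sha256_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> None:
    """Stand-in for the backup job: tar.gz every top-level item in the source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        for item in sorted(source.iterdir()):
            tar.add(item, arcname=item.name)


def verify_backup(source: Path, archive: Path, now=None) -> dict:
    """Freshness check plus a test restore compared file-by-file against the live data."""
    now = time.time() if now is None else now
    fresh = (now - archive.stat().st_mtime) <= MAX_BACKUP_AGE_SECONDS
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter where this Python has it (rejects unsafe members).
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = sha256_tree(Path(scratch))
    expected = sha256_tree(source)
    # Anything missing, extra, or differing in content means the restore cannot be trusted.
    mismatched = sorted((set(expected) ^ set(restored)) |
                        {p for p in expected if p in restored and expected[p] != restored[p]})
    return {"fresh": fresh, "restore_ok": not mismatched, "mismatched": mismatched}


def demo() -> dict:
    """Constructed sample data: a good backup, a stale one, and one that missed a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, archive = Path(tmp, "data"), Path(tmp, "nightly.tar.gz")
        src.mkdir()
        (src / "invoices.csv").write_text("INV-1,100.00\nINV-2,250.00\n")
        (src / "contracts.txt").write_text("sample contract text\n")
        make_backup(src, archive)
        good = verify_backup(src, archive)
        stale = verify_backup(src, archive, now=time.time() + 3 * 24 * 3600)
        (src / "orders.csv").write_text("PO-7,shipped\n")  # written after the backup ran
        drift = verify_backup(src, archive)
        return {"good": good, "stale": stale, "drift": drift}
```

The point of `verify_backup` is that it never trusts the backup job's own success message: a restore that does not reproduce the live data, or an archive that is too old, is reported as a failure.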


In the 1980s my company purchased an Apple 2 as an experiment to see if it could be useful to the business. Technology has certainly changed since then and I’ve purchased many computers since to keep up with the times. Which brings me to an important question: how old is your technology? The correct answer includes both the hardware and software on which you conduct your business. Technology withers over time as new technology grows into place (think about running your business on that Apple 2!). The exact timeframe for updating hardware and software will never be one-size-fits-all, but if you fall too far behind, the companies that provided the components of your system may no longer support your hardware or software.

If developers are no longer publishing updates or supporting the software, a huge security red flag has just been hoisted, letting you know that you need to update your system. If you persist with the unsupported software, know that if a problem arises, there might be no one to call at the company that developed the software.

The potential headaches don't end there. If you're trying to run brand-new software on old hardware, it's quite likely there will be compatibility issues. If the software works at all, it may not perform as expected. All of this should be avoided by updating old hardware.

Running unsupported software on new hardware may also void the warranty of that hardware. That is why it is important to always check the warranties and the fine print of any hardware purchases.

Most companies find little joy in investing in good IT security, cloud backup storage, or new hardware. But the age-old adage "pay me now or pay me later" will definitely arise if you cut corners and shortchange your IT and security. When that bill comes, it's going to be much larger than if you had committed to those IT investments in the first place.