This is no time to retreat in cybersecurity
We've all seen the news, if not experienced it directly: Layoffs. Budget cuts. Fiscal conservatism. In the "new normal" (albeit a temporary one) of high-interest rates and stubborn inflation, preparing for the worst is the responsible thing to do.
But put those facts in the context of the current threat landscape, as evidenced by all the recent high-profile hacks and incidents, and the action items are not what they seem. If there is any single investment area that should be exempt from that policy, it's cybersecurity–because, in that case, preparing for the worst by cutting budgets can be a self-fulfilling prophecy. In fact, there is plenty of evidence that companies already spend too little on cybersecurity and that cutting or even maintaining cybersecurity budgets in 2023 is going against the grain of industry peers. If the Australian Government's newly suggested approach to cybersecurity control comes to pass, it will require significantly increased funding.
Short-Term Pain, Long-Term Damage
There's an old proverb in cybersecurity: "It takes 20 years to build a reputation, and a few minutes of a cyber incident to ruin it." You don't need to look much into the recent past to see companies like Medibank and Optus probably wishing they had done it differently.
We can probably all agree that we're living through the worst Cybersecurity Crisis in history with respect to the threat environment: Gartner predicts that by 2025, nearly half of all software supply chains will suffer an attack, a 3x increase from 2021. Even worse, the talent needed to address it is as scarce as ever.
The short-term cost of a breach is well understood: The average cost of one was USD $4.35 million last year, and the global cost of cybercrime is estimated to hit $10.5 trillion annually by 2025. But the costs only start there. Outside the immediate tactical fixes and uplift and remediation costs associated with patching the root cause of a breach, also consider the ones with a longer tail:
- Long-term brand damage: Don't discount the long-term and accelerating impact of a breach on brand and reputation as measured by stock price. A 2021 study of 34 public companies that had suffered a breach found that one year later, their share prices had underperformed NASDAQ by -8.6%. After two years, they underperformed by -11.9%. And after three years, the figure was -15.6%.
- Regulatory fines: Fines can be extremely expensive. As a result of its 2019 breach, Equifax agreed to pay at least USD$575 million in fines as part of a settlement. T-Mobile collectively paid USD$350 million as part of a settlement following a 2021 breach. The list goes on.
- Legal fees: The cost of defending or settling lawsuits is hard to quantify because that information is often private, but anyone who has ever hired a lawyer can do the maths there. The Medibank class action for its privacy breach could end up costing it hundreds of millions of dollars.
- Insurance impact: The average cost of cybersecurity insurance rose 79% in Q2 2022 after more than doubling during each of the previous two quarters. A breach can lead to an even more expensive premium at best and outright cancellation at worst.
Reject Unacceptable Risk
In summary, the cost of cutting investments in cybersecurity is not only risky in the short term but in the long term, as well. And given the current threat and fiscal environments, that hardly seems like a risk worth taking.