There are many examples of companies and organisations that have paid a high price for a lack of information security, both financially and in terms of their reputation. But why aren’t more resources and a higher priority given to preparing for cyberattacks?
The Danish shipping company Maersk says that the cyberattack against them in 2017 cost the company between 200 and 300 million dollars. Utility companies are suffering from cyber-related malfunctions in several places around the world, for example in Ukraine. There are many more examples.
The term often mentioned alongside cybersecurity is cyber-resilience. Cyber-resilience is the resistance to a possible cyberattack. It consists of technology combined with the people and processes in the organisation, and of how well you manage to connect these technical aspects with your business aspects.
But how much energy and money are really put into cybersecurity?
87 % haven’t learned from previous mistakes
According to a survey by the Global Economist Intelligence Unit (EIU), most organisations invest less than 1-2% of their revenues in cyber-resilience.
The average cost of financing cyber-resilience is approximately 1.7% of revenue.
The survey, conducted among 450 companies worldwide, shows a lack of ability to learn from previous cyberattacks - only 13% of board members feel that their organisation has learned from past mistakes in cybersecurity. Likewise, few say that they are above average compared to competitors at drawing lessons from a cyberattack. Only 15% of companies indicate that they spend enough on the proactive part of cybersecurity in cyber-resilience.
Too much faith in technology
The latest technology and the most skilled IT department are not enough to defend against cyber-related threats. The management and board must have an ambition to put cybersecurity high on the agenda.
Today’s cybercapacity extends beyond technical solutions - if there is no willingness to prioritise security awareness internally, investing in products is a waste of time.
Too much faith in their own ability
When we look at the Swedish market we see that 90 % of companies consider themselves to have better cybersecurity compared to their competitors. More than a third even state that they are leaders in cybersecurity.
So how is it that we believe we know all about cybersecurity? Are we just being naïve? Perhaps there is a psychological idea that what hasn’t happened won’t happen. A kind of “It’s been OK so far” mentality.
But in reality, cybercrime is increasing and the average time it takes to discover that you are under attack is 191 days. This means that you can make the decision not to prioritise cybersecurity while an attack is actually taking place.
Too few companies give cybersecurity sufficient priority. Only a quarter of companies have appointed someone on the board to be responsible for the organisation's cybersecurity. 43 % do not have any insurance against cyber threats, although a hacker attack is estimated to cost about 30 million SEK.
Belief in the future
It's time to take security seriously to avoid high risks and costs that could be much higher than the cost of investing in building a security-conscious organisation. Businesses today are direct targets for many cyberattacks, and companies that depend on IT systems for operation, monitoring and governance are particularly vulnerable.
Information that needs to be protected should be identified and new processes introduced to eliminate the risk of information leakage.
If you are transparent and take proper care of information security, you have every opportunity to show yourself as being competitive in many contexts, such as recruitment, new business partnerships and encouraging customers to start or continue using your digital services. It's time to take cybersecurity seriously.