There are many examples of companies and organizations that have had to pay a high price, both financially and in terms of reputation, as a result of a lack of information security. But why aren’t more resources and higher priority given to cyber preparedness?
The Danish shipping company Maersk states that the cyber attack it suffered in 2017 cost the company between 200 and 300 million dollars. Power companies suffer from cyber-caused operational disruptions in several places in the world, including in Ukraine. There are many more examples.
A concept that is increasingly being talked about, along with cybersecurity, is cyber resilience. Cyber resilience can be understood as the ability to withstand a possible cyber attack. It consists of technology in combination with the people in the organization and the processes you have, and it also depends on how well you manage to connect the technical aspects with the business aspects.
But how much energy and money is actually spent on cyber security?
87% have not learned from past mistakes
According to a survey conducted by the Global Economist Intelligence Unit (EIU), most organizations spend no more than 1-2% of their revenue on cyber resilience.
The average spend to fund cyber preparedness is about 1.7% of revenue.
The survey, which was conducted among 450 companies worldwide, also shows a lack of ability to learn from past cyber attacks: only 13% of board members feel their organization learns from past cyber security mistakes. Just as few believe that their level is above average compared to competitors when it comes to learning from a cyber attack. In addition, only 15% of companies indicate that they spend the right amount on this proactive part of cyber security in the form of “cyber resilience”.
An overconfidence in technology
The latest technology and the most competent IT department are not sufficient defenses against cyber-related threats. The ambition to place cyber security high on the agenda must come from management and the board.
Today’s cyber capability extends beyond technical solutions. If there is no will to prioritize security awareness internally, investment in products can unfortunately be wasted.
An unreasonable attitude towards one’s own ability
Parallel to this, we see in the Swedish market that 90% of companies believe they have better cyber security than their competitors. More than a third even state that they are leaders in cyber security.
Why is it that we think we know cyber security? Is naivety behind it? Perhaps there is a basic psychological attitude that what hasn’t happened won’t happen, that is, some kind of “it’s been going well so far” mentality.
But reality shows that cyber crimes are increasing and that the average time to even discover that one is under attack is 191 days. In other words, you can make a decision not to prioritize cyber security while one or more breaches are actually taking place.
All too few companies give sufficient priority to cyber security. Only a quarter of the companies have appointed someone to the board who is responsible for the organization’s cyber security. 43% do not have any insurance against cyber threats, even though an average hacker attack is estimated to cost around SEK 30 million.
Belief in the future
It’s time to take security seriously to avoid high risks and costs that could end up costing you far more than investing in building a security-aware organization. Today, businesses are a direct target for many cyber attacks, and businesses that depend on IT systems for operation, monitoring and control are particularly vulnerable.
Information worthy of protection needs to be identified, and new processes to eliminate the risk of information leakage need to be put in place.
If you are transparent and manage your information security properly, you have every opportunity to stand out and prove yourself competitive in many contexts, such as in recruitment, in new business collaborations and in getting customers to start or continue using your digital services. It’s time to take cyber security seriously!