Information security is about protecting your information. But what can happen if you do not protect it well enough? In this blog post we explain the consequences of inadequate information security.
What is information security?
Information security is above all about preventing information from being leaked, distorted or destroyed, in other words protecting its confidentiality, integrity and availability. It is also about making the right information available to the right people at the right time. Information should not fall into the wrong hands and be misused. Information security concerns both individuals and organisations, in business as well as in public activities, and therefore covers the whole of society.
What can a lack of information security lead to?
Inadequate information security can mean that the business cannot be run properly and efficiently, that personal privacy is not protected, and that socially important activities are disrupted.
Deficiencies in information systems can also affect:
- Physical assets
- Critical infrastructure, which can suffer fatal damage
- Financial systems, when incidents disable or destroy such systems and assets and trigger serious crises
- Public health
- National security
It can also erode confidence in services and in the actors behind them. Serious and repeated disruptions can lead to crises of confidence that spread to other actors and services, and to other sectors.
Costs of not having sufficient information security
First of all, sufficient information security can protect you from ransomware, data leakage, data manipulation and so on. There are plenty of examples from the past year alone of companies hit by attacks that caused large costs. An attack can become very expensive; for example, you can lose money because of:
- Downtime affecting your operations
- Lost revenues
- Restoring and cleaning up systems
- Lost trust/goodwill
According to IBM's Cost of a Data Breach report, the average data breach in 2022 cost around USD 4.35 million. So protecting yourself against this is more than important. It is vital.
Many might think “We have our firewall, what else can we do?”. But if you have information or systems that are crucial to your organisation, perhaps systems your whole operation depends on, it may well be appropriate to mitigate those risks and invest in a high-security solution. Many networks need extra protection against manipulation and data leakage because they contain classified or sensitive information. If these networks or systems are attacked, a firewall alone will probably not spare you a long and costly recovery.
Security laws that require you to work with information security
In addition, several laws and regulations require sufficient protection of sensitive information and systems, for example the NIS Directive. In Sweden, another law that can affect how you must protect sensitive information is the Protective Security Act. If you have not exercised due care in your own organisation or with your outsourcing partners, you can be given a penalty fee of up to 50 million SEK. Quite an expense for not complying. A recent example of a fine is Region Uppsala, which sent sensitive personal details unencrypted to recipients abroad. This cost them 2 million SEK.
Calculating what to spend on information security
Cyber Risk Quantification (CRQ)
Since cyberattacks are increasing, so is the need to measure and report cyber risk in financial terms. Business leaders want to know which risks they face and what those risks could cost. Cyber Risk Quantification (CRQ) means prioritising risks according to their potential for financial loss, so that those responsible in a company can set budgets for the mitigation strategies that give the best protection and the best return on investment.
In a CRQ you look at the economic impact of cyber risk on your business, but also on more intangible yet fundamental areas such as customer satisfaction, employee engagement, reputation, brand protection and supply chain management. All of these are risks that may cost you money in the end. The risk cost is the probability (or expected frequency) of a certain consequence per year multiplied by the cost of that consequence, which gives an expected annual loss. So for a consequence that would cost the company or organisation 1 MSEK and is expected once every ten years, the risk cost is 0.1 × 1 000 000 = 100 000 SEK/year. The annual cost of protecting against this particular risk should then not exceed that amount. A control pays for itself only if the expected loss it removes is larger than what it costs, so the frequency and loss estimates it rests on should be written down and revisited rather than guessed once.
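To show the calculation above as something you can actually run over a list of risks, here is an added example (not code from the original post). It carries the post's own figures (1 MSEK once every ten years = 100 000 SEK/year) and goes a little beyond the single case: it ranks several scenarios by risk cost, checks a proposed control against the post's ceiling rule (spend no more per year than the risk cost), and computes the net benefit and return on security investment (ROSI) of each control. All scenario names, loss figures, frequencies and control costs are constructed for illustration; the `Scenario`, `Control`, `evaluate_control` and `plan_budget` names are this example's own.

```python
"""Cyber Risk Quantification with annual risk cost (expected annual loss).

Added example, not part of the original post. Scenario names, loss figures,
frequencies and control costs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss_sek: float   # cost if the consequence occurs once
    events_per_year: float   # expected frequency, e.g. 0.1 = once every ten years

    def risk_cost(self) -> float:
        """The post's 'risk cost': probability per year x cost of the consequence."""
        return self.events_per_year * self.single_loss_sek


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str               # name of the scenario it addresses
    annual_cost_sek: float       # annualised cost (licences, staff, hardware depreciation)
    frequency_reduction: float   # share of events it prevents, 0..1
    loss_reduction: float = 0.0  # share of the per-event loss it avoids, 0..1


def residual_risk_cost(scenario: Scenario, control: Control) -> float:
    """Risk cost that remains once the control is in place."""
    freq = scenario.events_per_year * (1.0 - control.frequency_reduction)
    loss = scenario.single_loss_sek * (1.0 - control.loss_reduction)
    return freq * loss


def evaluate_control(scenario: Scenario, control: Control) -> dict:
    """Compare what a control costs with the expected loss it removes."""
    before = scenario.risk_cost()
    after = residual_risk_cost(scenario, control)
    avoided = before - after
    net_benefit = avoided - control.annual_cost_sek
    return {
        "control": control.name,
        "risk_cost_before": before,
        "risk_cost_after": after,
        "avoided_loss": avoided,
        "net_benefit": net_benefit,
        # return on security investment: net benefit per SEK spent
        "rosi": net_benefit / control.annual_cost_sek,
        # the post's rule: spend no more per year than the risk cost itself
        "within_ceiling": control.annual_cost_sek <= before,
        "worth_it": net_benefit > 0,
    }


def rank_scenarios(scenarios):
    """Highest expected annual loss first; this is the prioritisation CRQ asks for."""
    return sorted(scenarios, key=lambda s: s.risk_cost(), reverse=True)


def plan_budget(scenarios, controls):
    """Keep only controls whose net benefit is positive, best ROSI first."""
    by_name = {s.name: s for s in scenarios}
    results = [evaluate_control(by_name[c.mitigates], c) for c in controls]
    accepted = [r for r in results if r["worth_it"]]
    return sorted(accepted, key=lambda r: r["rosi"], reverse=True)


# Constructed input: the first scenario uses the post's own figures.
SCENARIOS = [
    Scenario("Ransomware outage, three days of downtime", 1_000_000, 0.1),
    Scenario("Leak of sensitive personal data", 3_000_000, 0.05),
    Scenario("Manipulation of production data", 5_000_000, 0.01),
]

CONTROLS = [
    # Backups do not stop the attack (frequency unchanged) but shrink the loss.
    Control("Immutable offline backups", "Ransomware outage, three days of downtime",
            annual_cost_sek=60_000, frequency_reduction=0.0, loss_reduction=0.7),
    # Costs more per year than the leak's whole risk cost: fails the ceiling test.
    Control("Outbound e-mail DLP gateway", "Leak of sensitive personal data",
            annual_cost_sek=200_000, frequency_reduction=0.5),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.name}: {s.risk_cost():,.0f} SEK/year")
    for r in plan_budget(SCENARIOS, CONTROLS):
        print(f"fund {r['control']}: avoids {r['avoided_loss']:,.0f} SEK/year, ROSI {r['rosi']:.0%}")
```

With these constructed numbers the backups avoid 70 000 SEK/year of expected loss for 60 000 SEK/year, so they are funded (ROSI about 17 %), while the DLP gateway avoids 75 000 SEK/year but costs 200 000 SEK/year, which both exceeds the post's ceiling and gives a negative net benefit. The point of keeping frequency and loss as separate fields is that a control can change either one, and the budget decision depends on which.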