Security solutions have a cost in terms of dollars, system performance and usability. This blog post considers the trade-offs and striking the right balance.
What Are the Hidden Costs of Cyber Security?
Cyber security is not free. Being cyber secure requires technology that will have to be periodically upgraded, expertise and management. All of that costs money.
There are some financial advisors who suggest that adopting anything other than the bare minimum of cyber security measures might not be financially justifiable. Cyber security experts disagree entirely, but from a purely financial standpoint, any advice on how to curb expenditures is going to seem attractive to some—at least at first.
The bare-bones security argument starts by citing the estimated cost to a company of a successful cyber attack. In 2023, that figure ranged from $3 million to $5 million per attack, depending in part on the size of the company, according to several organizations that conduct cybercrime surveys.
The second half of the argument balances those costs against the costs of cyber security. Security requirements will vary from one business to the next, but a common rule-of-thumb for spending on cyber security suggests that companies designate roughly 10 percent of their information technology (IT) budgets for the purpose. The resulting figure will be in the millions of dollars for large enterprises and might get that high for some medium-sized businesses as well.
Those who advise spending the absolute minimum on cyber security posit that it is cheaper to sustain the economic damages associated with a successful attack than it would be to pay for adopting and maintaining preventative cyber security measures.
It is easy to understand why this argument is attractive. At first glance it looks like saving money. The odds that it will not save money are overwhelming, however.
We know that high-value targets, such as data centers and financial institutions, are under relentless attack. IBM conducts an annual cyber security survey of large, mid-size and small companies representing a variety of industry segments. In its 2022 report, it found that 83 percent of all respondents have experienced more than one data breach. Any company that bases its cyber security strategy on the likelihood of being successfully hacked only once is making a bad bet.
Furthermore, most people suggesting bare-bones cyber security are considering only the obvious frontline losses—the $3 million to $5 million—which could include a ransomware payment, or the value of lost intellectual property, or the legal costs of making whole any customers affected by the cyber attack.
But that’s not the end of the costs of a successful cyber attack. There are also:
The costs of shoring up security afterwards anyway
Rising insurance rates
Brand and reputational damage
Disqualification from competing for contracts
The impact of losing business and reputation can significantly impact the overall value of the business.
Any company that has been breached will certainly feel compelled to finally invest in better cyber security, if not to fend off the almost inevitable next attack, then to continue to qualify for insurance—and even then, the rates are certain to go up.
Meanwhile, there is a growing list of data privacy and security laws and regulations being enacted around the world that allow various jurisdictions to impose significant fines for data breaches.
One of the most thorough examples is the European Union’s General Data Protection Regulation (GDPR). The EU has assessed multiple fines in the hundreds of millions of dollars for GDPR violations; the largest so far is a $758 million judgement in 2021 against Amazon (the company is contesting it). The Cyberspace Administration of China more recently levied a fine worth over $1 billion on Didi Global for a breach. Public tolerance for breaches is waning.
To put a fine point on it, cyber security lapses can attract fines that far outweigh whatever any company might try to save by implementing insufficient cyber security.
Meanwhile, organizations that value cyber security are increasingly less willing to do business with companies that do not implement adequate precautions. The IBM survey cited earlier revealed that one out of every five (19 percent) breaches occurred through a business partner that had been compromised. Sufficient cyber security is now a non-negotiable part of an increasing number of vendor contracts. Any company that lacks sufficient cyber security can be cutting itself off from some potential business.
Some resistance to cyber security is not financial in nature. Depending on the measures adopted and how they’re implemented, cyber security can also represent a penalty on overall enterprise performance.
That can even include business processes. Take device provisioning and management on the network as an example. IT departments all over the world struggle with ensuring only authorized devices access their networks and ensuring that they can track and locate company assets. This process is rooted in the provisioning of keys and key management post deployment which can be particularly burdensome. It takes time and resources to provision devices on the network, locate them in a mobile environment and maintain them after they are deployed.
Another concern is that some security measures have a direct impact on computing processes. Inspecting every single packet being transmitted, for example, would make data maximally secure, but it would also slow the computing process, adding more latency than most organizations would find tolerable.
Encrypting data is standard operating procedure for any security-conscious organization, but encryption can also add processing overhead that slows operations. Security experts at Microchip and elsewhere in the industry are in constant consultation with each other about using encryption keys that are long enough (and therefore strong enough) to resist most hacking attempts, but not so long as to constitute an unacceptable impediment to operations.
So what is the right amount of cyber security to implement?
There is no one-size-fits-all recipe for cyber security. Security requirements for data centers will differ from the requirements for medical operations, which must conform to exceptionally high standards for the security of patient data established by the 1996 Health Insurance Portability and Accountability Act (HIPAA). Different companies will need to evaluate which processes and procedures are most suitable for their particular needs. Similarly, each organization will have to assess whether to hire security experts, or hire security consultants, or have some mix of the two.
Microchip can help answer the question of how much cyber security constitutes enough for any of our partners. We have industry-leading expertise in cyber security, a comprehensive security portfolio and a world-class Security Partner Program. We can offer authentication devices, trusted platform modules, crypto-enabled microcontrollers and microprocessors, software libraries and enhanced protocols and even timing servers that are part of the foundation of zero-trust networks.
Yes, cyber security can be costly. But lacking sufficient cyber security can end up being far more expensive, in ways that go beyond a company’s bottom line. The question should not be whether to pay. The question is how much is sufficient? A trusted partner with extensive expertise in the area such as Microchip will be able to help arrive at an answer that will provide sufficient security considering the risks and resources at hand.
Our CryptoAuthentication™ devices offer hardware-based secure storage to effectively keep secret keys hidden from unauthorized users. These small, very-low-power devices work with any microcontroller (MCU) or microprocessor (MPU) to provide flexible solutions for securing Internet of Things (IoT) nodes used in home automation, medical devices, wearables and many other applications. CryptoAuthLib, a software support library, is a component of any application or device driver that requires crypto services from CryptoAuthentication devices.
More than one-third of the companies responding in one 2022 survey (35 percent) were motivated to spend money on cybersecurity in response to a security incident they experienced. The inference is that they did not invest in adequate cyber security until after it was too late. Source: IDG Communications Inc.
Kyle Gaede, Sep 28, 2023
Tags/Keywords: Security, Computing and Data Center