Where’s the Money? Tips for Increasing Your 2018 Data Breach Prevention Budget
In January of this year, the U.S. Department of Homeland Security reported that 247,167 of its employees had their data compromised. On the same day, the Indian company Aadhaar reported that its immense, one-billion-person database had been compromised as well. It’s a bad start to what’s certain to be a worse year in terms of data security. If you want to keep your organization’s data safe, you are going to need to invest in additional training and personnel, as well as more advanced data breach prevention solutions. Getting buy-in from the rest of management, however, can be tricky. To make this easier, we have collected some pretty eye-opening statistics, along with a few tips for increasing your data security budget.
2018 by the Numbers
According to the Ponemon Institute, the average cost of a data breach in 2017 was $3.62 million – and that number will most likely go up in 2018. From 2013 to 2016, the average cost of a data breach rose by 23%. These costs included IT investments, forensic experts, legal teams, customer churn, and other direct and indirect expenses. Cybersecurity spending is expected to exceed $1 trillion by 2021, which is not surprising given that cybercrime damages are expected to exceed $6 trillion annually in the same year. All of this paints a picture of a threat that is accelerating.
Increasing Your Data Breach Prevention Budget
Here I’d like to offer five specific tips for ensuring you have adequate budget in 2018 for keeping your enterprise safe from malware-based and other attacks.
Tip #1 – Start With a Risk Assessment
First and foremost, complete a risk assessment. For a single upfront fee, you can acquire a comprehensive assessment, which can form the foundation of your department’s spending. A risk assessment not only will highlight areas in which your organization is falling short in light of today’s threats, but also will provide important recommendations backed by expertise. These assessments also can be used to streamline your existing solutions, to reduce or reallocate your existing budget.
When creating a risk assessment, you need to:
- Summarize your systems and their processes. How is data acquired and stored? How is it analyzed and accessed? Which third parties are involved and which vendors have provided the systems?
- Identify potential threats. These can include insider attacks, service disruptions, force of nature, and social engineering. But perhaps the largest of these is advanced malware-based attacks, given the sophistication and relentlessness of the attacks.
- Analyze your risk. Consider the risks to your system theoretically, in the sense that a model system as described would have these risks. Don’t yet consider your system as a whole, but instead focus on it conceptually.
- Assess your control management. What controls are in place to ensure that your system operates as it is designed to operate, like the conceptual model would? Identify these controls and their weaknesses.
- Calculate the likelihood of a potential risk manifesting itself. You don’t need a percentage; but consider the general likelihood of an attack or disruption based on what you know about the threats, your system, and your controls.
- Find your risk rating. Your risk rating is the impact of a particular breach multiplied by the likelihood that there could be a breach. In other words, if the impact would be highly damaging and it’s very likely, then your risk rating is very high.
This type of risk assessment is done in general terms, to find out whether your risk rating is very high, high, moderate, low, or very low. From there, you can move on to the specifics, including estimating the cost of shoring up areas of identified weakness, using your assessment as evidence of the need. You can also acquire a more comprehensive third-party assessment, which will give you details on your areas of improvement.
Tip #2 – Treat Cybersecurity as a Matter of Profitability
Cybersecurity can be a difficult sell because it may not appear to be immediately profitable. But it’s important that the C-suite be sold on data breach protection as a matter of maintaining or increasing their profitability. Without an appropriate investment in cybersecurity, a business could stand to lose a significant amount of money, in terms of expenses and lost revenue.
Without an investment in cybersecurity, businesses can experience increased customer churn, regulatory fines, penalties for non-compliance, and a tarnished brand identity. This is apart from all of the direct costs associated with a cybersecurity breach, such as: recovering lost data, repairing broken systems, notifying customers and employees, and paying for related liability.
Tip #3 – Make a Case For Smarter Spending
Sometimes it’s not enough to increase your security spending; you also need to improve upon it. Sadly, when they secure a bigger data security budget, many organizations invest in outdated solutions that don’t actually work.
When planning your 2018 budget, isolate areas in which spending can be cut, or where budgets can be reallocated. Sunsetting older, less secure technologies, and investing in newer solutions is an excellent way to reduce your costs while getting more “bang for your buck.”
Many older systems simply aren’t capable of rising to the challenges of modern threats, malware, and attacks. This is extremely relevant in terms of security, where exploits and malicious programs change day by day (see our recent blog post on polymorphic malware that automatically changes every few minutes).
Tip #4 – Show the Value of Automation
Automated solutions can greatly reduce administrative costs by improving the efficiency of people and processes. Systems with machine learning are able to analyze networks for potential optimization and security protection, which can reduce the budget needed for security analysts. Not only can it be very difficult to find experts in data breach prevention, but they can be extremely costly when found.
Solutions such as Lastline’s Breach Defender use artificial intelligence (AI) and machine learning to monitor network activity, correlate it to known malware behaviors, and identify threats, thus freeing up an analyst’s time for the truly high-risk activity while dramatically decreasing the risk of a data breach. Analysts and IT professionals, as a result, can allocate time to other projects, such as revenue-generating activities and new innovative improvements.
Tip #5 – Discuss Security as a Point-of-Difference
Security must be seen not only as a proactive necessity but also as a competitive advantage. By investing in the best possible security, organizations are able to win deals that they might otherwise lose. Organizations across the world are becoming more security conscious, and are consequently often more willing to work with vendors and suppliers that can show that their security is proven effective.
This is especially true in industries where personally identifiable information is exposed. Organizations like healthcare providers, banking institutions, and retail businesses have a lot to lose if they experience a data breach, and therefore need to take extra steps in order to protect themselves (like investing in advanced malware detection solutions). But they also have a lot to gain when a competitor is breached. Customers are quick to seek new options when their provider of choice suffers a breach. So, having an effective security strategy provides you with a great opportunity to pick up those new customers. By conducting a risk assessment and investing appropriately in security, your organization can create an edge. The more competitive your market is, the more effective this will be.
2018 isn’t just about spending more; it’s also about spending smarter. As each day passes, more sophisticated, evasive malicious programs are developed and unleashed. But data breach prevention can be achieved through intelligent spending. By understanding threats, reducing waste, focusing on new security initiatives, and automating where possible, you can both identify and mitigate your organization’s security risks.