Many factors determine how much organizations spend on cybersecurity. Some industries, such as healthcare and manufacturing, are favorite targets for cybercriminals and require more robust security. Financial services and payment systems have stringent compliance requirements that can increase cybersecurity spending. Whatever the industry, cybersecurity costs will continue to rise as long as there's cybercrime.
Size doesn't matter. According to Verizon, 43% of successful breaches occurred at smaller businesses. Whether an enterprise has fewer than 100 employees or more than 10,000, it is estimated that companies will spend 50% of their IT budget on security by 2020, for a total of over $150 million. Expenditures are expected to grow between 7% and 8% per year through 2026. For larger enterprises, cybersecurity costs could exceed $1 million per year.
Significant investments in cybersecurity should translate into fewer successful attacks, but that is not always the case. Companies often authorize spending without understanding the true risks. Before spending 50% of their IT budgets, organizations should conduct an enterprise-wide risk assessment to ensure they are doing all they can to mitigate risk.
The Committee of Sponsoring Organizations (COSO) defines enterprise risk management (ERM) as the culture, capabilities and practices integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving, and realizing value. It involves:
ERM is a layer of business planning that evaluates the potential risks that might impact the outcome of a business strategy.
Being prepared for the unexpected is one of the best ways to protect a business's value. It is much easier to implement an existing plan than to create one in the middle of a crisis. That's one benefit of a properly conducted ERM. Other benefits include:
An ERM contributes to better decisions because it consolidates information related to strategies for easier consumption by decision-makers. Every aspect of the enterprise is evaluated to mitigate risk. One component of any ERM should be a Cybersecurity Risk Assessment. Without a careful analysis of an organization's technology footprint, an enterprise may fail to address a potential security risk.
By assessing cybersecurity risks, an enterprise can identify, prioritize, manage and mitigate the risks to its business value that result from a cyberattack. A cybersecurity assessment informs decision-makers of potential risks and identifies responses that can minimize the consequences of a security breach. But this is not the only benefit a cybersecurity risk assessment provides.
As the dependency on technology grows, so does the risk. When a company's technology consisted of a few desktop computers cabled together to form a local area network, the risk of a breach was relatively low. Today, businesses have multiple devices, including phones, tablets and sensors, connected to a network that exchanges information with the cloud over an internet connection. Each device on the network represents a possible access point, and communicating over a public network such as the internet poses a myriad of risks. Here are just a few of the benefits of a cybersecurity risk assessment.
These are just some ways a cybersecurity risk assessment can support the more extensive enterprise-wide risk assessment.
Cybersecurity risk assessments should not occur in a vacuum. They need to address how the assessment relates to the ERM in terms of business strategies. Here are the main steps for conducting a risk assessment.
Conducting a cybersecurity risk assessment as part of an enterprise risk management effort is essential to the long-term viability of an organization. It is a way to ensure you are doing enough of the right things in the right order to mitigate risk. Contact us to discuss how to start assessing your cybersecurity risks.
GreyCastle Security will cover the standards for risk assessment that work for almost all regulatory and compliance requirements.