How secure are your company’s systems and data infrastructure? Better yet, how assured are you in the planning and overall budget to accommodate the costs of successful malicious activity against your business? Today, Fred Cobb, Executive Vice President and Chief Information Security Officer at InfoSystems, helps shed light on the importance of planning for security breaches in an ever-evolving digital landscape.
Understand Your Risks, Cyber Hygiene, and Budget
A cyber incident leading to a data breach costs businesses an estimated $4 million USD on average, based on 2019 numbers — and those numbers are expected to keep rising. The cost of not budgeting for cyber incidents could seriously impact the cash flow and financial health of many organizations.
When planning a cybersecurity budget, it’s crucial to consider the risks of a cyber attack. Whether business leaders simply overlook this aspect of budgeting or it’s a by-product of wishful thinking (or a combination of both), underestimating the cost of successful malicious activity against your organization can lead to large unplanned expenses.
“Companies with mature cyber hygiene typically do a good job in calculating costs for firewalls, SIEMs, endpoint protection solutions, patch management, MDR, employee security training, cyber headcount spend, and more,” Cobb says. “However, accurate budgetary planning for a cyber incident that leads to lost productivity, expensive recovery time, third-party incident response services, and even reputational harm is akin to a rainy day fund.”
Even if a cyber insurance policy is in place, it may not cover the incident in total, or it may come with a very high deductible. Depending on the details of the policy, it may not cover specific cyber events at all.
“It’s hard for many companies to overcome the flawed mindset that ‘cyber attacks always happen to the company down the street, not us,’” Cobb says. “As the cost of the cyber security spend becomes a bigger number in the expense accounting column, a false sense of complete risk mitigation begins to take shape. Companies need to keep in mind that outpacing the bad guys with technology is not 100% guaranteed, and they might need to budget for the unexpected.”
A Lesson from COVID-19
Consider the COVID-19 pandemic. If we travel back in time just one year, did anyone anticipate a global pandemic and the impact the pandemic had regarding a huge shift to telecommuting and all of the cyber concerns that come with the reality of a distributed workforce?
Even those companies that have mature business continuity plans with language therein to address pandemics and other natural disasters did not accurately predict the long-term needs to securely support a mobile employee base.
Apply that thinking to a cyber incident. Looking at the aftermath of a cyber incident to identify indirect costs, many of the expenses that result from this type of event are not given proper consideration because of the intangible nature of the unplanned expense. It’s often hard to earmark money for something that has never happened. Additionally, many companies that purchase cyber incident insurance have the misguided notion that their insurance policy will cover all associated needs. This creates a false sense of security.
“Companies must include cyber incident response, containment, eradication, and post-mortem activities at a hard cost in the budget,” Cobb says. “Realize that the time and place are not necessarily predictable, but that the possibility of such an occurrence has already become a question of ‘when’ and not ‘if.’ Budgeting for insurance deductibles, the cost of third-party incident services, and the cost of translating lessons learned into actionable items may involve time and materials costs that shouldn’t be overlooked.”
If you’re working to build or update your company’s cybersecurity program, the team at InfoSystems can help. Contact us today or tune in to our podcasts covering cybersecurity and other IT topics.