[BreachExchange] Is Effective Cybersecurity Expensive?

[Destry Winant]

https://www.infosecurity-magazine.com/blogs/effective-cybersecurity-expensive/

If you ever look at the dizzying array of security technologies and
the price tags associated with them, or at the average cost of
acquiring and retaining a lesser-spotted information security
professional, it can leave everyone, both inside and outside of the
security industry, with the impression that achieving effective
cybersecurity is mightily expensive.

If cybersecurity is generally very expensive, are there reasonable
measures that can be taken using just a small amount of research, some
common sense and a much smaller budget?

The Average Cost of Cybersecurity
One problem with working out the average cost of getting appropriate
security in place is the number of differing statistics on the topic.
Global spend on information security is estimated anywhere between 0.5
to 1.5% of global GDP (all revenue generated across the planet in
2018).

Within that overall estimate, there are of course vast differences in
how each person and organization approaches security. Some spend
nothing, some spend very little and a few organizations spend quite a
bit.

One of the issues is that due to the way the effective cyber-attacks
work; it is usually in the interest of the cyber-criminal or other
interloper to keep his or her presence unnoticed for as long as
possible, using a technique referred to as the Advanced Persistent
Threat (APT).

Remaining undetected is what cyber experts refer to as dwell time –
and you will notice that many of the targets of the largest mega
breaches end up admitting that the theft occurred many years before it
was finally identified and disclosed to those who were impacted.

The fact that so many large organizations continue to be caught out by
cyber-attacks can leave the average person thinking there is no chance
to secure his or her own information. However, the challenge for each
digital environment is really that the larger it is, the harder it is
to ensure that all of the right security measures are consistently
implemented.

After all, a good hacker only needs to find one way through. My own
experience of delivering cybersecurity extends to many different
environments:

Home
Small business
Global multi-national security programs

The Cost of Home Cybersecurity
There are plenty of FREE resources that can help the average person
secure his or her own environment – but the real cost here is the time
required to ensure that each technology is researched and configured
as securely as it can be.

There are also financial requirements, because to get to a reasonable
level of home cybersecurity still requires people to do other things,
such as have a safe back-up service they can store their important
data to, install some effective security software (which usually has a
cost) and replace (or disconnect) any devices where the security
support has expired.

My experience of home users is that most environments have almost no
security – and the only reason that they continue to function is
either because the person has the good fortune not to have been
targeted (yet), or that their home environment is crawling with
viruses, but the attackers are happy to just continue to extract value
from the victims.

The Cost of Small Business Cybersecurity
It would be tempting to think that small business cybersecurity should
be cheaper than it is for large businesses – but my experience is that
this is not the case.

To get security right for a small business costs considerably more of
a percentage of the operational budget than it does for a large
business. Why? Because small businesses do not get the economies of
scale that larger businesses can. For example, it not only costs small
businesses more money per device to buy security software, but they
also still need to implement the same critical and major security
controls, and can only spread that cost across a much smaller revenue
base.

Whereas a large organization might look at spending 1-2% of the
operational budget on security, any small business looking to get
security up to a reasonable standard could be looking at a figure
closer to 4% or more (based on personal experience of reviewing such
environments).

The Cost of Large Organization Cybersecurity
Depending on the particular activities and risk appetite of each
organization, they may spend anywhere from a fraction of a percent to
a couple of percent on implementing and sustaining security.

But, the cybersecurity challenge for large organizations is not one of
pure financial cost. To make security effective, they have to embed
security principles within the heart of everything they do. Sometimes
this is referred to as achieving security by design and increasingly
people may also refer to this as DevSecOps. Whichever description is
used, the fundamental remains that security has to be included from
the outset and sustained throughout the lifecycle of each technology
that is used – right up to and including retirement.

For me, the CMMI Institute’s Capability Maturity Model Integration is
a process model that, when applied correctly, can really help small
and large organizations to understand where they are on their own
journey to achieving effective cybersecurity. It is a scale that can
be used to measure just how mature (or not) each major and critical
process is. When I have measured organizations using the CMMI scale,
it is usually very easy to see exactly where the security engineering
gaps that present the highest risks are.

Can Cybersecurity be Inexpensive?
In short, it depends. The more technology you want to use, the more
time and effort is required to ensure appropriate security is put in
place. One thing to note, though, is that the earlier on that security
is considered, the cheaper it is to implement and sustain – just ask
anyone who has suffered the cost of trying to recover from a
significant cyber-attack.

However, basic cybersecurity measures are usually enough to keep most
threats at bay in home and small business environments, especially if
important information is regularly backed up to a safe location just
in case.

Basic cybersecurity does not have to be expensive from a financial
perspective – but it certainly does require taking the time to
carefully consider each new technology, research and implement the
right security settings and to keep different technologies as
protected from each other as possible.

As one friend recently asked me; “What harm can placing one cheap
smart bulb in my home do? I don’t really care if a hacker switches on
and off one bulb.” But, of course, that one device could be just the
entry point a hacker needs into everything in that home network,
especially if it has known security flaws – security problems that can
probably be identified and prevented through a very simple Internet
search.