The threat of a successful cyber attack ranks as one of the most significant business risks organizations of all sizes and across all industries face. Business and IT executives have good reason to rate cyberthreats as a high-level risk -- and to invest in a strong cybersecurity program for their company.
The volume and sophistication of cyber attacks have grown significantly since the first computer viruses emerged in the 1970s and the Morris worm became the first major internet-based attack in 1988. Moreover, the number of devices connected to the internet and corporate networks exploded during the past few decades. The reliance on IT systems for everyday business tasks also spiked in recent years, driven partly by digital transformation initiatives in companies.
Consequently, a single successful attack can have a catastrophic impact, with the potential to expose personal information, bring a company's operations to a halt, cripple critical infrastructure and even physically harm people.
Recognizing the importance of cybersecurity, enterprise leaders in many organizations have increasingly prioritized it, seeking to implement more rigorous policies, procedures and technologies to defend against cyberthreats of all kinds -- data breaches, ransomware attacks, phishing and more.
For instance, the "2024 Focus on the Future" report from software vendor AuditBoard identified cybersecurity and data security as the No. 1 risk category among surveyed risk management and internal audit executives for the third year in a row. More than 80% of the 453 respondents also put it in the top spot for expected audit efforts in 2024. Similarly, professional services firm PwC's "2024 Global Digital Trust Insights" survey found that mitigating cyber-risk was second on the priority list among the 3,876 business and IT executives who responded, outranked only by managing digital and technology risks.
Such viewpoints are pushing up cybersecurity budgets. Consulting and market research firm Gartner projected that combined spending on security and risk management by user organizations worldwide will total $215 billion in 2024, a 14.3% increase over the $188.1 billion it estimated for 2023.
Why strong cybersecurity is critical to business success
The following factors show why effective cybersecurity is seen as a necessary part of doing business:
- Nearly every organization requires IT systems to function, which has significantly increased the consequences of a successful cyber attack. "We have become so dependent on technology that the majority of businesses cannot operate without it," said Carl Eyler, director of the National Cybersecurity Institute at Excelsior University, an online school based in Albany, N.Y.
- Data is now one of the most valuable assets -- often the single most valuable one -- in most companies. Any security issues that hurt an organization's data quality or access could affect business operations.
- Cybercrime continues to grow in nearly every way. The number of bad actors is increasing, as are the sophistication of their attacks and the access they have to tools and technologies to help launch those attacks. As an example, the growing availability of ransomware as a service and other as-a-service malware has made it easier for attackers to strike, said Sarb Sembhi, a member of the Emerging Trends Working Group at professional association ISACA and CTO of Virtually Informed Ltd. Google Cloud's "Cybersecurity Forecast 2024" report made similar points, warning among other things that attackers are using AI to their advantage and that new trends in malware development are making it faster to create and harder to detect.
- Government regulations and industry requirements mandate cybersecurity standards for many businesses, giving them no choice but to make cybersecurity a priority. The U.S. federal government, individual states, the EU and other governments all have laws requiring organizations to safeguard sensitive data and implement prescribed cybersecurity practices. For example, in July 2023 the U.S. Securities and Exchange Commission adopted rules requiring publicly traded companies to disclose material cybersecurity incidents within four business days of determining that an incident is material, and to report annually on their cybersecurity risk management, strategy and governance. A case in point on industry mandates is PCI DSS, which sets security requirements for any entity that stores, processes or transmits payment card data.
- Many consumers and business partners now have higher expectations that companies will make the necessary cybersecurity investments to thwart cybercriminals from stealing customer information and doing anything else that could harm customers and partners by extension. Meeting those demands presents business opportunities. "Creating and building trust with customers can be translated into revenue gains," said Erik Avakian, a technical counselor at Info-Tech Research Group and former state CISO for the Commonwealth of Pennsylvania.
Cybercrime's business costs and consequences
The numbers on the costs of cybercrime are staggering. Here are some overall figures:
- The average cost of a data breach among 553 organizations worldwide was $4.45 million, according to IBM's "Cost of a Data Breach Report 2023," which was based on a study by research firm Ponemon Institute that examined breaches occurring between March 2022 and March 2023. That was an all-time high for the annual report, a 2% increase over the previous year and a 15% increase over the 2020 level.
- Almost identically, PwC's digital trust survey found that the average cost of a damaging cyber attack was $4.4 million, with 36% of respondents reporting that their organization had been hit by a data breach with an estimated cost of more than $1 million in the past three years.
- An early 2023 survey found that the average ransom payment in response to a successful ransomware attack during the previous 12 months was $1.54 million, according to "The State of Ransomware 2023," a report from cybersecurity software vendor Sophos, which commissioned the survey of 3,000 IT and cybersecurity professionals. That was nearly double the average payment of $812,380 in the 2022 version of the annual survey. In addition, the 2023 survey respondents reported an average of $1.82 million in estimated recovery costs, covering things such as downtime, people time, device costs and lost business opportunities.
- The annual cost of cybercrime worldwide is expected to amount to $8.15 trillion for 2023 and increase to $13.82 trillion in 2028, according to predictions by market data and research firm Statista.
The list of cybersecurity incidents goes on and on. For example, a September 2023 ransomware attack on MGM Resorts International that used social engineering techniques to gain access to privileged user accounts cost the hospitality company an estimated $100 million and disrupted customer room access, casino games and other services. MGM said it expected its cybersecurity insurance policy to cover all the costs, but it also disclosed that the attackers stole personal information on some customers, including driver's license, Social Security and passport numbers.
Caesars Entertainment was hit by a similar attack the same month. It paid a $15 million ransom, according to The Wall Street Journal, and likewise disclosed that the attackers obtained sensitive personal information on customers. In an SEC filing, Caesars said it took steps to "ensure that the stolen data is deleted by the unauthorized attacker, although we cannot guarantee this result."
In another well-known example, a 2021 ransomware attack on Colonial Pipeline led to fuel supply shortages in several U.S. states and cost the pipeline operator $4.4 million in ransom payments, some of which the U.S. Department of Justice later recovered. And Denmark-based shipping giant A.P. Moller-Maersk reported losses of as much as $300 million after the 2017 NotPetya malware attack shut down the systems used to operate its shipping terminals around the world.
An organization that finds its cybersecurity defenses have been penetrated typically faces a long list of expenses as it seeks to repel the attack, restore affected systems and recover from the incident.
In addition to the required staff time, Eyler said organizations can expect to pay for outside technical support, inside and outside legal counsel, data breach notification costs and regulatory fines. They'll also have costs due to lost sales and business opportunities. "You don't know how far-reaching the costs are going to be when you've been breached," he noted.
A company's reputation with customers likely will also take a hit, which can translate into additional lost business in the future. Sembhi said the costs and consequences of an attack could even tank organizations -- especially those without enough resources and reserves to weather the event's aftermath. "With small businesses, one attack can take them out," he warned.
Business benefits of effective cybersecurity
The ramifications of cyber attacks have pushed many enterprise leaders -- directors, CEOs, CFOs and other senior business executives, as well as CIOs and CISOs -- to focus on improving their organization's security posture.
For example, professional services firm Deloitte's "2023 Global Future of Cyber Survey" found that 70% of more than 1,000 cybersecurity decision-makers said security issues were on their board's agenda either monthly or quarterly. In addition, 86% said cybersecurity initiatives had made a significant contribution to at least one key business priority, including improvements in things such as customer trust, brand reputation and operational stability.
Such findings reflect a shift in thinking among executives who now see the cybersecurity program as an enabler of business operations, not merely a backstop for preventing losses.
"That's the perspective companies have to have when it comes to cybersecurity," said Fred Rica, a partner in the advisory practice at professional services firm BPM. "It allows them to do things they couldn't do before, and it allows them to be more efficient, save money and be more productive."
To illustrate the point, Rica cited the common business strategy of a company wanting to build a self-service portal for its customers. But that's only feasible if the company has appropriate security measures to authenticate customers and is properly safeguarding their data, he said.
Key elements of a cybersecurity strategy
There's no universal basis for what makes a strong cybersecurity program -- each organization must determine its required level of security. To do so, Rica said companies should primarily think about whether their security efforts are appropriate from a business perspective.
That involves concepts such as risk appetite and risk tolerance and how much residual risk business executives are willing to accept. "If they're comfortable that they've identified their risks, that those risks are managed and that the risks they've left on the table fit their risk profile, then they have a good program," he said.
Organizations also must identify critical systems and assets and understand the particular cyberthreats they're most likely to face, so they can invest in the right amount of people, processes and technology to mitigate security risks to an acceptable level, Avakian said. He added that developing a cybersecurity strategy is an ongoing exercise because "things change all the time."
Other key elements of creating a successful cybersecurity strategy include the following:
- Alignment with business goals.
- Visibility into where data resides within the organization. "Understand where it is, who has access to it, what access controls are in place and the entry points to the data," Eyler said.
- An understanding of the security and data privacy laws with which the organization must comply.
- A detailed cybersecurity risk assessment that evaluates the organization's existing ability to protect itself from cyberthreats and identifies where its defenses fall short. "Measure where you have gaps and then decide what initiatives to put in place to close those gaps," Avakian said.
- A defined set of cybersecurity metrics for measuring how well the security program performs and how it improves over time.
- A cybersecurity governance structure to ensure that employees adhere to established security policies and procedures.
- Support and involvement from senior executives to help ensure that there's adequate funding and high-level advocacy for the cybersecurity program.
- A detailed incident response plan that's regularly tested and practiced by both the security team and business units.
Tips on implementing and managing a cybersecurity program
The following best practices can help create an effective cybersecurity program:
- Build a security-minded culture. Developing an internal culture that emphasizes cybersecurity is a must. "All stakeholders should know and understand what their responsibilities are from a cybersecurity perspective because security should be everybody's job," Eyler said.
- Implement a comprehensive cybersecurity awareness and training program. To help foster a cybersecurity culture, all employees and relevant stakeholders should be trained on the importance of cybersecurity and the particular policies and procedures adopted by the organization.
- Create cybersecurity champions. These are people throughout the organization who can evangelize the importance of following security policies and procedures. "Championing security starts with the CISO, but the CISO can't do it all," Avakian explained.
- Focus on improving cybersecurity performance over time. "Every day should be about continuous improvement," Avakian said.
Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.