The cost of cybersecurity

In today’s digital era, overlooking cybersecurity can be a critical mistake for businesses.

Just like how locks and alarms secure a physical office, cybersecurity measures are vital to protect against the ever-evolving threats to data and intellectual property.

With cyberattacks becoming increasingly sophisticated, the crucial question for businesses is not about whether to invest in cybersecurity, but how to do so effectively and efficiently.

Cybersecurity: A business imperative

Recent breaches at Latitude, Medibank and Optus have underscored the severe reputational and financial impacts of inadequate data protection, marking a wake-up call for businesses across the board.

Cyber Security Cooperative Research Centre Chief Executive Officer Rachael Falk said there was a universal need for robust data safeguarding measures, especially when it came to customers’ personal information.

“Organisations must understand what their valuable data is, who has access to it, how it is stored, who is protecting it and how well it is protected,” she said.

“While the biggest threat may be cyber criminals, they often get in through a mistake or a process not being followed.

“Cyber strategies are not an optional extra – they are critical to raise the profile and importance of cybersecurity within an organisation, set a clear agenda for uplift, delegation of responsibilities and to ensure if things do go wrong, there is a plan to respond and remediate.”

However, Ms Falk highlighted investment was necessary to achieve these strategic aims.

“It is important to take a risk-based approach to investment and uplift, understanding what needs to be protected and where weaknesses exist, targeting spending towards these areas,” she said.

“Importantly, this is not just about getting more tech, this is about raising awareness with staff, suppliers and contractors.

“And, quite simply, if it matters to the board and chief executive officer, it should matter to all staff and contractors.”

Recognising and mitigating threats

As organisations work to bolster their cybersecurity strategies, understanding cyber threats becomes critical.

Edith Cowan University Cyber Security Practice Professor Paul Haskell-Dowland said the nature of threats varied over time but some risks were ever-present and evolving.

“While viruses and direct systems attacks are still to be found, one of the biggest threats is the prevalence of account compromise through credential theft, phishing and credential stuffing,” he said.

“It isn’t necessarily the compromise of our credentials but the consequential damage that can have a significant impact."

“Once a cybercriminal gains access, the potential for ransomware can result in significant impacts for an organisation.

“Not only losing access to your data and systems but also the threat of public release of the data – a threat which remains even if you pay the ransom.”

Balancing costs and cybersecurity needs

Focusing on cybersecurity implementation, Professor Haskell-Dowland said despite recent expansions in the scope of the Security of Critical Infrastructure Act 2018, many organisations fall outside its requirements.

He said the cost to cover basic risks could be relatively low, based on a clear understanding of existing information technology (IT) infrastructure, including anything outside the business’s physical location such as cloud-based systems, services and third-party providers.

Professor Haskell-Dowland advocated for starting with simple impactful measures such as adhering to the essential eight to enhance IT system resilience without incurring significant costs.

“Steps such as applying patches to computers’ operating systems and applications like Microsoft Office will help by reducing the attack surface,” he said.

“These are usually provided by the relevant vendor for free and will make your IT systems more resilient, but don’t forget mobile devices and staff using personal devices.

“Although some may find it inconvenient, using multi-factor authentication removes, or at least reduces, the potential for credential theft and re-use.

“Credential stuffing is a common technique used by cyber criminals, but by enforcing good password practice, you can make your organisation a less attractive target.

“Other techniques may cost in time or effort but starting with simple measures and changing practices to put security first will help with future security countermeasures.”

Determining priorities

Ms Falk said determining the priorities for cyber investment was a unique decision for each organisation, dependent on its sector, specific needs and maturity.

She also highlighted the importance of mastering basic measures such as securing email systems, implementing adequate technical controls and conducting regular staff training.

“If you can get these right – and rinse and repeat regularly – your organisation will be much more secure as a result,” Ms Falk said.

However, according to Ms Falk, managing cybersecurity risks could present time and resource challenges, especially for small businesses.

But she said if you had a digital presence, you must have a budget to protect your digital assets.

“It takes a significant investment of time to ensure cybersecurity is up to scratch and that it is being adequately maintained – it’s not a set-and-forget task,” Ms Falk said.

The role of cybersecurity insurance

Ms Falk said the decision whether to take out cyber insurance was also unique to each organisation.

“It is important to note the checks and balances in place to get coverage have become much tighter, meaning to get insurance, an organisation has to demonstrate a particular level of cyber maturity,” she said.

“Furthermore, cyber insurance cannot be used as an excuse not to have strong cybersecurity measures in place.

“It should form part of an organisation’s holistic approach to enhancing its cyber posture.”

Measuring the return on investment

Professor Haskell-Dowland said evaluating the return on investment of cybersecurity investments was challenging, comparing it to fire safety and workplace health and safety.

“With good security, you are aiming to have no cyber-related incidents, however just like with health and safety, it is likely to be predominantly about mitigating risks, rather than eliminating them,” he said.

“Good and sustained cybersecurity investment reduces the likelihood of an incident.

“It is the cost of not doing it which should be considered – that is, the cost of an incident both in direct financial costs and consequential damages to your business and reputation.”