Cyberattack prevention is cost-effective, so why aren’t businesses investing to protect?

Cyberattacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cybersecurity measures necessary to avoid becoming the next victim.

In this Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cybersecurity Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs – from talking to the Board to proper budget allocation.

As geo-political concerns increase worldwide, what practical advice would you give to enterprise CISOs that want to fortify their organizations against politically-motivated cyber threat actors?

As geopolitical tensions continue to rise, preparation against politically motivated cyber threat actors is an uncomfortable but necessary process to prepare for, or better yet, deter from ever happening.

Conflicts that occur in cyberspace are more subtle and pervasive than the everyday conflicts we see on the ground. The bad actors are unapologetically brazen in their approach to attack, spreading disinformation, seising intellectual property and disregarding any sense of cost. This is a significant challenge for the modern day CISO to tackle.

However, CISOs are well aware of the tactics, techniques and procedures the threat actors are going to do. The MITRE attack framework list’s these twelve major TTP’s of adversary behavior. So, the question is, why is this still happening? In the digital threat landscape, you need to assume a breach, it’s not a question of if, and it is a question of when the adversary will attack. It’s not enough to just have this framework in place, you need to continuously test and validate these controls to deploy the best assessment and adversary emulations against your security controls at scale, enhancing visibility.

This, in my opinion, can enable the modern day CISO to view performance data continually and help them track how effective their security program is performing against the threat landscape.

How can a CISO effectively explain the cost of a data breach to the company’s Board? What type of information drives the point home for a non-technical audience?

The average cost of a breach is reportedly between $3.86-$3.92m, and in regulated industries like healthcare and finance/banking, the amount can be much higher with more dire consequences.

To explain the cost of a breach is highly dependent on the breach itself. For instance, when a consumer’s data is at risk – the loss of business is the most significant contributing factor, accounting for nearly 40% of the average total cost of a data breach. It includes many factors, customer turnover, lost in revenue and the expense of acquiring new business to mitigate reputational damage.

The presumed state-sponsored breaches on average cost more than $4.4 million making it the most difficult data breach for CISOs to salvage from.

Other factors such as the length of time it takes for an organisation to detect and contain an incident can be detrimental to the overall damage. The answer isn’t clear cut but security measures implemented before the breach can mitigate serious and costly scenarios. CISO’s need to be aware of the current threat landscape, in a post-COVID world, remote work has opened a volt to new vulnerabilities, the forward thinking CISO of today needs to put into place preventative cybersecurity measures to manage the long term risk to a company.

An organization can invest millions into hardware, software and people – yet still get breached. What’s the secret in explaining security ROI to those in charge of the budget?

To measure the success of an investment, you first need to quantify the cost of what you’re trying to protect. In a simplified model, the first step is to measure the given benefits of protection, this starts with an asset valuation. How valuable is this data to me? Those in charge of the budget need to execute the risk of that data not being protected. If I don’t take the necessary measures to mitigate the risk by investing in preventative cyber-security tools, how costly could this be when a breach occurs?

It is more cost-effective to validate an organisation’s controls rather than spending money on more tools. By adopting specialised frameworks to counteract cyber threats, for instance, running a threat-informed defence, utilising automated platforms such as Breach-and-Attack Simulation (BAS), CISO’S can continuously test and validate their system. Similar to a fire drill, BAS can locate which controls are failing, allowing organisations to remediate the gaps in their defence, making them cyber ready before the attack occurs.

Since anybody can be breached, CISOs are wondering if they should allocate more of their budget to cybersecurity insurance instead of new technologies. Do you think they are making the right choice?

Overreliance on cyber insurance without proper investment can lead to additional costs, making organisations more exposed to risk and vulnerabilities. While insurers can offset some cost, they often cannot repair a company’s reputational damage after a security incident. Equally, if a company spends millions on research and development (R&D) and IP is stolen, no premium that can recover the costs of that investment.

The best approach for CISOs is to pursue a proactive security strategy and balance it with cyber insurance for instance cyber-security tools like Breach and attack simulation (BAS) systems. Not only will an effective security strategy protect organisations and identify flaws before a cyber-threat, to even obtain cyber insurance, having these systems put in place is vital to reduce the cost of cyber insurance.

Having the right cover of cyber insurance is critical, and CISOs need to pay close attention to how insurance contracts are drafted. A lack of attention to detail can result in organisations not having the correct cover and particularly with the metamorphic nature of our current threat landscape, CISOs need to put into place specific cyber measures before they can buy cybersecurity cover.