Why Don’t Companies Invest in CyberSecurity?

Hacks and breaches of IT systems in companies of various sizes have been increasing in prevalence over the last few years. With so much negative press, so many people being affected, and lives being destroyed, you’d think that more effort would be put into making sure hacks like these don’t happen. It turns out there’s a pretty good reason why not much seems to be done about them, but that doesn’t mean things shouldn’t change. With the cost of preventing a breach being higher than the cost of the breach itself, there’s currently little reason from a company’s standpoint to make any changes to its cybersecurity.

Breaches don’t cost companies all that much

While the costs of breaches that we hear about in the news sound like really big numbers, they don’t end up costing those large companies nearly as much as is implied. Nor does much of the cost that is actually paid end up falling on the companies that were hacked. To truly measure the effect of a hack, its cost must be seen in relation to the annual revenue of the company. For example, if the cost of a hack is reported to be $200 M, but the company has annual revenue closer to $1 B, that is not much of a concern.

It’s difficult to make cybersecurity a top priority

In addition to the initial loss being comparatively low, companies get a significant portion back from insurance, and they also receive tax deductions for breach-related expenses. In fact, Nexia surveyed companies with revenue ranging from $10 M to $1 B, and 39% of them said that cybersecurity was not a main concern for them. Additionally, only 35% said they were very satisfied with their cybersecurity programs. The challenge to having a cybersecurity program is needing to have qualified staff when. That is difficult, though, when threats are always changing. Budget is a big problem for non-profits, and time is a factor for many companies as well. It comes down to only large companies being able to have staff dedicated to cybersecurity. The more breaches there are, though, the less consumers are able to distinguish between “good” and “bad” companies; they just see hacks as normal.

Why put effort into avoiding something if chances are low to begin with?

The Ponemon Institute does independent research on data security. They have discovered that over a 2-year time span, companies have a 1% chance of losing more than 100,000 records. So basically the risk is not very high at all. This could explain why 20% of companies surveyed don’t have a cybersecurity system in place when they should. Some industries, such as finance, banking, and healthcare, do require some cybersecurity programs to be in place for policies, procedures, defined governance, and ownership, though. Despite regulations being in place for healthcare-related companies, it is these companies that experienced 60% of all the large breaches reported in 2017. Technology companies have the greatest number of files hacked. Retail and finance tie for 3rd. As you can see, hacks are more likely to happen to companies that rely on online technology more than others. Hackers want quick, substantial financial gain, which ends up being found in companies that deal with people’s daily lives and store personal information, such as banks, financial institutions, hospitals, schools and universities, retailers, and government.

The costs to Sony weren’t as bad as expected

Think about what happened with the Sony hack towards the end of 2014. The breach was carried out by North Koreans who got access to internal email exchanges, the personal data of tens of thousands of people (including SSNs), and undisclosed movies. It was initially estimated to be costing the company $100 M. Sony ended up paying around $15 M in investigation and remediation costs, and $35 M was spent restoring IT systems. The key word being “initially.” After the insurance money they received and breach-related tax deductions, their costs were much lower or almost entirely covered. Sony even got free publicity for one of the movies released, “The Interview,” which ended up making $40 M in online sales. Less than 6 months after the breach, their reputation with their customers was back to normal.

Home Depot lost .01%; Target lost .1%

When Home Depot was hacked in 2014, they lost 56 million credit card numbers and 53 million email addresses. After they got all their tax credits, the breach ended up costing the company $28 M, which is only .01% of their annual revenue. In other words: pennies. Target was a similar case. They lost 40 million debit and credit card numbers in addition to 70 million other records. The cost to Target before they were given a break was $252 M. Their insurance coverage got them back $90 M, and their tax deductions brought the total they owed down to $105 M, or .1% of their revenue in 2014.

Credit unions face a lot of the cost

Companies that are breached do face some costs, such as fines from the Visa and MasterCard networks in relation to credit card numbers being stolen, but most of the time they are not the ones that face the brunt of the consequences of their lack of cybersecurity. Financial institutions are responsible for any fraudulent charges from instances of stolen payment information. Credit unions ended up spending $60 M to replace 7.2 million credit cards for people whose cards were compromised in the Home Depot hack in 2014. That amounts to a little over $8 per replaced card. Similarly, replacing cards related to the recent Target hack cost credit unions a reported $30 M. Unfortunately for the banks, consumers end up blaming them instead of the company that lost their information to begin with. Financial institutions are unfortunate recipients of the effects of large hacks.

Beyond the effects experienced by banks and credit unions, the consumers whose data was lost pay in time and money to get things straightened out when their information is stolen. It may cost them their identity, cause emotional distress that may last for years, lead to changes in interest rates, and more.

Government regulation is working against data security

With the cost of hacks not being great enough to provide motivation to do things differently, there would need to be government regulation in place to make companies take data security seriously. Alas, that doesn’t seem to be the direction that governments worldwide are going. In fact, most regulations are currently centered around sharing information, which would increase access to information for certain organizations rather than securing it. For example, Australia is proposing mandatory metadata retention for two years; the U.S. has created a Cyber Threat Intelligence Integration Center, but it has been slow in coming up with cybersecurity legislation. Experts don’t think the intelligence center will solve any problems, though. The U.K.’s Prime Minister David Cameron actually wants to ban encryption and improve information sharing between the U.S. and the U.K. Obviously, governments aren’t helping the problem. The European Union could serve as an example of a step in the right direction, though. With their new General Data Protection Regulation (GDPR), in full effect since May 2018, they now have the world’s strongest data protection rules. Breaking this law would result in harsher fines than any company has seen to date.

There is clearly a long way to go before monstrous hacks start decreasing. There just isn’t enough motivation for businesses to safeguard information if they aren’t the ones losing out. It’s time something be done differently.