Cybersecurity is expensive… compared to what?

During 2020 and so far in 2021, we have seen how cybersecurity is increasingly becoming one of the cornerstones of business continuity. Regardless of the sector of the organization in question, and whether it is public or private, computer systems are used in such an integrated way with other processes that a lack of them would structurally affect productivity and could sometimes cause supply problems in critical sectors.

It is often said that cybersecurity is expensive but, although it may seem costly to us, before saying whether something is expensive or cheap we need to have something to compare it with. For many products and services this comparison is reasonably straightforward because we can see the direct profit it gives us: a service may cost 15,000 euros a year but if we calculate that we are going to make an annual profit of 30,000 euros from it, it could be considered cheap. Calculating the return on investment in cybersecurity, on the other hand, is not trivial at all, since its benefit is not seen in profits but in avoiding losses.

If we take the attack on the US company, Colonial, as an example we can see that the ransomware it suffered in 2021 has cost it, at least, a payment of 5 million dollars in bitcoins (of which the FBI has recovered bitcoins worth approximately 2.3 million dollars). This must be considered alongside the loss of business from May 6 to 9, 2021, as well as the impact on a national level, with it being a critical infrastructure. And, we must not forget the effects of the reputational crisis (the investigation of the attack reached the US Congress).

A similar example would be the attack suffered by the multinational meat company JBS, for which it paid a ransom estimated at 11 million dollars in bitcoins. Again, this amount must be considered alongside the cost caused by the loss of business or goods—let’s remember that meat is a perishable product—and the reputational impact.

We also have the case of Electronic Arts. On June 10, it reported a security incident on its computer systems where, according to press reports, attackers stole the source code for FIFA21 and the Frostbite game engine from more than 780 GB of data. Both pieces of software are key products for its business: one as a sales success, and the other as a development tool. This makes the potential loss of sales from piracy of its software, both present and future, very difficult to quantify.

That’s why all branches of cybersecurity (design and architecture of applications and systems, consulting, compliance, incident response, monitoring, computer forensics and auditing) are essential when it comes to trying to reduce the exposure of organizations as much as possible, i.e., making an attack unprofitable for attackers because the cost/benefit is very low.

It should also be borne in mind that all these activities are cyclical. Technology, as we all know, evolves at full speed. This means that the measures taken today may not be the same as those we would have taken six months ago, or those we would take six months from now. And, in order to provide maximum value during these cycles, it is necessary to choose teams with great technical knowledge and, additionally, not lose sight of the needs of organizations.

For all these reasons, at GMV we recommend designing specific programs for our clients, focusing on their needs and their current state in order to help them acquire maturity in the field of cybersecurity and manage to reduce, as much as possible, the cost/benefit ratio of potential attackers.

These programs should always start with an initial diagnosis in order to find out what state the organization is in and define what it needs. Some cases will see the focus placed on the first phases: redesign of architectures and processes. At other times, more monitoring and powerful cyber defense services will be needed. And at others, regular validations of exposure levels. But in most cases, the answer is a combination of all of the above to improve those where the organization has already invested and implement those that do not yet exist.

As I have mentioned, we often hear that cybersecurity is expensive. But when someone says this, what they are really comparing is the cost of implementing it versus the current cost. What is very difficult to quantify—often impossible until you have been the victim of an attack—is the cost of implementing measures versus the cost of being successfully attacked. This comparison leads to the perspective that cybersecurity comes at a high price, but it is the difference between a situation where millions are lost and one where those losses can be contained.

Author: Paula Gonzalez

Head of GMV’s Secure e-Solutions Audit Section