CFOs in charge of budgeting often take on a rigid, in-the-box mentality. Even with the greater flexibility of today, a budget and framework are still needed in order to approve money going out.
There is a lot of talk about retaining employees and how the added expense of raising salaries, increasing benefits, or upskilling is small in comparison to the price of skilled workers leaving. However, there is less talk about another challenge: cybersecurity.
The price of a cyber attack adds up to far more than the immediate damage from the attack itself. Time spent fixing the issue, reputational damage, and lost customers are just a few of the future costs that can harm a company for years to come.
The sudden shift to working from home and greater reliance on the cloud gave companies little time to update their policies, and as usual, hackers are one step ahead of the game. In 2020 alone, there were close to 800,000 cybercrime complaints, with losses reported at $4.1 billion!
In short, $50,000 saved on cybersecurity costs last year seems like a small price to pay when an attack is priced at $20 million or more. Executives would beg to pay that much in hindsight, but it’s usually too late.
The numbers are too large to ignore or to think “it won’t happen to me”. There is also too much at stake: cyber attacks involve not only lost money, but also data, privacy, and legal concerns that can bring a host of other issues. In order to avoid all of this and give employees and customers peace of mind, there are 4 areas in which to improve cyber defence and rethink strategies.
1) Skilled employees
Many executives make the mistake of investing heavily in cybersecurity tech without equally investing in personnel to run it. But the tools are only as good as the people who use them. Protective processes, configuration, threat monitoring, and real-time response all need skilled employees to carry them out. Without them, the tools simply aren’t as effective.
However, another challenge presents itself in this sector. As is the case in many other professions, the cybersecurity skills gap is widening. While in 2019 there were 314,000 available jobs in the cybersecurity sector, job openings increased to 465,000 in the beginning of 2022. This brings increased competition, higher salaries, and longer time periods to fill these positions.
These difficulties should not deter companies from hiring the right talent, and paying enough to hire the right people is well worth it. There are other solutions as well. Part-time employees or third-party consultants can be a perfect fit for smaller organizations, while the number of cybersecurity experts can fluctuate depending on the services and needs of the company.
2) Processes and Awareness
One of the best ways to prevent attacks from ever happening is by being aware. IT, executives, and even non-technical employees should all have procedures in place in order to identify incidents. Time is critical in stopping the damage, so having everyone aware and alert can save a lot of money and headaches.
One cause for concern that covers the entire company is the increased reliance on third parties and complex supply chains. The increased exposure and privacy concerns provide an easier point of entry for hackers and other cyber attacks. While many organizations opt for a “zero-trust” policy, each company should have a company-wide plan in place.
3) The right technology
First and foremost is finding the most fitting cybersecurity technology for the company. Even with all the right intentions and skills, the only real way to fight cyber threats is through technology. As opposed to other categories where underspending is often a problem, technology implementation can lead to overspending.
There are unlimited cybersecurity options on the market, with anything from complex multi-million-dollar systems to basic downloadable software available. Vendors such as Palo Alto Networks and Check Point top the list of cybersecurity companies, but there are hundreds of great options for organizations of all sizes and budgets.
The sheer number of options can overwhelm executives and cause them to make a bad decision based on a good sales pitch. Unlike hiring employees, where the budget needs to be flexible in order to find the right match, when closing on cybersecurity technology it is important to come prepared. The CFO, IT, and executives should discuss what is important and needed for the company, and in turn what the budget framework is. This leads to confident meetings and the right technology for the company, without over- or underspending.
4) Cyber Insurance
The relatively new concept of cyber insurance is a combination of what executives love and hate: reducing one more headache by being insured, but adding yet another fixed monthly fee to the growing list of expenses. Cyber attacks can be extremely expensive, and an insurance policy can save a lot of that money and quite possibly save the business from going under.
Cyber insurance not only covers damage, but can also cover cyber or legal consultancies. The market is still quite small and young, meaning that supply has not yet caught up with demand, and prices can be pretty high. Premiums range from a few hundred dollars all the way up to $2,500 and above, depending on the size and the coverage.
Cyber insurance is a complicated subject and needs a lot of thought before jumping in. Similar to implementing the right technology, it needs to be set in a budget framework, and consulting third-party agencies can help a company figure out the right policy for them.
Conclusion
Cybersecurity needs more attention, as the number and severity of attacks are continuously going up. Many companies are far behind in implementing measures to keep themselves safe, while many others are unsure of how it should fit into their budget. The CFO plays an important role in these decisions. Well-thought-out planning will ensure confidence in the decisions, a budget that fits the company's needs, and peace of mind that the organization is prepared for cyber attacks.