Experts say cybersecurity cost tied to risk
Even as more companies increase budgets amid rising cybersecurity threats, some local experts have said that it continues to be a very difficult task to determine the true cost of dealing with these issues.
While global statistics suggest average costs of half a per cent of total annual revenues of companies or a 12 per cent spend from IT budgets worldwide, the experts believe there can be no minimum or maximum spend on cybersecurity, especially as more entities move to safeguard privacy rights and to ward off attacks.
“In keeping with the Data Protection Act, what companies can do is to look at the type of data they are processing as well as the quantity of that data and match it against that which is out there. This while they also look at the risk that this data is being exposed to. When all of this is taken into consideration, that is what will determine what the spend is, but as it is, there is no prescription or one-size-fits-all — it must be a risk-based approach,” said CEO of Design Privacy Limited and attorney-at-law Chukwuemeka Cameron while speaking at a recent Jamaica Observer Business Forum.
Cameron, in underscoring the nature of risks, which he said is often linked to the type and volume of data held by companies, urged entities, in light of all that has been happening globally as it relates to rising cybersecurity incidents, to be prepared to invest a lot of time and some money if they are to properly protect their infrastructure.
For head of the Jamaica Cyber Incident Response Team (JaCIRT), Lieutenant Colonel Godphey Sterling, in order for companies to effectively deal with attacks or breaches from a cost perspective, it becomes important for them to know what their information assets are. In doing so, he believes this can help them to “better apportion resources to protect these assets”.
“It, therefore, isn’t a case of 100 million or 10 dollars, but more so about what is it that you are trying to protect and the value of such a thing to the business process and how much it requires to protect it,” he said.
For IT and data protection experts at Symptai Consulting and tTech Limited, both of which offer a wide range of cybersecurity products, the level of investment they believe should also match how strong and efficient companies want their systems to be.
Norman Chen, tTech’s CEO, in warning that the days when companies and individuals would rely on the use of an antivirus software as a single defence mechanism has long passed, said that the recent growth in attacks, which are now being done repeatedly and more sophisticatedly, certainly calls for increased investment and at levels that match risks.
Data from the latest PwC Global Digital Trust Insights found that as more companies continue to bulk up investments in cybersecurity to protect against cyberattacks, some eight out of 10 or 79 per cent of them expect cyber budgets to increase above the 65 per cent at which it stands in 2023.
“Organisations who show greater maturity in their cybersecurity initiatives report a greater number of benefits and a lower incidence of costly cyber breach,” the PwC report noted.
According to a 2022 Forbes report, damages from cybercrimes are predicted to grow to an estimated US$10.5 trillion in 2025 and as much as US$13.8 trillion up to 2028. These costs often include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
“In the process of safeguarding their companies from cybercrime to avoid financial losses, company stakeholders should carefully consider the potential performance impacts of any security solution they might purchase. They must strive to choose security solutions that run efficiently or they will ultimately have to significantly increase their cloud spending,” the report further said.