Why cybersecurity matters

Despite companies (globally) increasing their cybersecurity spending each year - estimated at $71.1 billion in 2022 - the number of breaches also continues to rise. 

This trend suggests that the current level of expenditure on training and improving security may not be enough, or that it's being spent on the wrong things.

It also tells us that a big part of the answer to “why cybersecurity matters” is financial. However, as we’ll explain in this article, cybersecurity matters for all kinds of reasons, from brand reputation to compliance.

Most important of all, perhaps, cybersecurity matters because it matters to your customers; your end users. And that means it should matter to all of us.

The economic and reputational impact of cyber attacks

Statistics reveal that the average cost of a data breach in the United States in 2023 reached $9.48 million, while a report by Hiscox indicates that more than half of UK firms experienced a cyber attack last year. Email phishing - arguably the simplest form of social engineering - remains the hackers' favorite go-to method. 

Alarmingly, one in five firms subjected to attacks reported that the impact of those attacks was severe enough to jeopardise their business's future viability. Perhaps this shouldn’t surprise us, given that so many attacks are suffered by small businesses without the cybersecurity budget or know-how to learn from them and, indeed, without the overall financial means to survive them.

These figures represent only the direct financial losses, of course. Estimating the impact of a breach on brand reputation is significantly more challenging. But we do know that successful attacks are a major factor in negatively impacting a company's reputation, and we also know that trust is more vital than ever for the modern consumer.

Research in risk management consistently highlights reputational risk as the 'risk of all risks', placing it above other threats to business growth. Additionally, the mass media's eagerness to report on breaches further compounds the overall cost.

The decline in customer loyalty following a breach can lead to customers leaving permanently, making the acquisition of new clients significantly more costly and stressful. 

Predicting when a company will fall victim to a cyber attack, the financial ramifications of a breach (could Equifax have realistically foreseen a $500 million payout?), or the subsequent impact on reputation is almost impossible. If a company has yet to suffer a major attack, or if the impacts of an incident were minimal, it can often be easy for leaders to attribute it to sheer luck, akin to the simple toss of a coin.

The legal impact of cyber attacks

Numerous industries (but especially the financial sector) are subject to regulatory and compliance mandates concerning data security and privacy. Failure to adhere to these regulations can lead to significant fines, making investment in cybersecurity an essential step.

However, it's important to note that achieving compliance doesn’t equate to complete, holistic security. The investment required to meet compliance standards should be regarded as a baseline for minimum expenditure. There can be a tendency to see compliance as something of a box-ticking exercise rather than an opportunity to be really proactive and to set the company apart from competitors by truly embracing security.

Predicting a security breach

Forecasting social engineering attacks is tricky, of course. Could a skilled hacker destroy a company's reputation through social engineering? Absolutely. The problem is that as humans we often don't think completely rationally about probabilities - this is something that we covered in depth in our previous article about mental traps.

It's common for us to irrationally dismiss the likelihood of adverse events affecting us or, conversely, to overestimate certain risks based on past experiences.

When it comes down to it, security fundamentally relies on an implicit social contract underpinned by trust. For instance, you deposit money into a bank and trust that the bank will keep your money (and credentials) safe. If your bank were to gain a reputation for being vulnerable to losses, you likely wouldn’t hang around for long before switching to a competitor's more secure services.

The bank knows this as well. But other factors sometimes blur their view and skew priorities. For example, there is often pressure to launch products quickly which can lead to security considerations being overlooked or at the very least not being carefully analyzed. And again, budget limitations are a reality for many companies; it's impossible for them to allocate all of their resources to security.

Reactive security vs. proactive security

Justifying an investment in cybersecurity often comes down to whether you want to employ a reactive or a proactive approach.

A reactive cybersecurity strategy typically involves allocating resources based on past incidents - a sort of effort-spent versus incidents ratio. For example, after incurring significant losses from mobile fraud, the CISO of a neo-bank might be tempted to invest three times as much in security this year to prevent future losses. 

His justification is based on the expectation of reducing the likelihood of similar incidents occurring in the future. But his logic here is flawed, because it’s based purely on the financial implications of an attack rather than the more human, legal, or reputational impact.  

After all, it’s more difficult to predict or quantify customer dissatisfaction or legal repercussions. Dissatisfied clients might sue the company or switch to a competitor, potentially causing irreversible damage.

To avoid the onset of client dissatisfaction in the first place, it's better to invest in protection measures proactively. Your company has not yet been compromised, but you’re determined to keep it that way and seek out enhanced protection.

This proactive approach gives you a much better chance of mitigating the negative repercussions of a successful attack that we’ve already covered in the paragraphs above.

Benchmarking against industry standards

OK, so you’re convinced that you should embrace cybersecurity in a proactive manner. But what is the right level of investment?

This is really tricky and depends on a number of factors such as your industry, the type of software or application that you’re launching, and the vulnerabilities you’ve identified from running a threat model (more on this below).

Data on what other companies like you are allocating towards security can serve as a guide. For instance, in Germany in 2022, statistics showed that around 16% of companies dedicated 5-10% of their total IT budget to IT security, while 42% of those companies allocated 10-20%.

If your organization spends less on security compared to the benchmarks you determine are the right ones for your company, then you may be at a disadvantage. You could face higher risks and more severe financial repercussions in the event of a breach.

It’s also worth noting that hackers don’t stand still and so you shouldn’t either. 80 percent of companies worldwide are expecting their cybersecurity budgets to increase in 2024 for a good reason. They know that the threat landscape is constantly evolving and getting more complex; more dangerous. Simply repeating past spending patterns could result in your company falling behind in terms of security preparedness compared to its competitors.

If you have partnered with a cybersecurity company, make sure that their products are evolving accordingly and are tested regularly by third-party labs to make sure they stand up to the latest, most sophisticated attacks. If they’re standing still and acting in a complacent way, you should see this as a red flag.

Threat modelling

As we mentioned earlier, understanding why cybersecurity matters for your particular organization is often easier once you’ve carried out a threat model. 

Threat modelling can help you to understand the kind of cyber threats that exist in your landscape and the potential that those threats have to cause serious damage. Say you're building a healthcare application and you realise that without the ability for your application to defend itself at runtime, it's highly vulnerable to tampering and reverse engineering.

This discovery can not only guide you toward the type of protection mechanisms you need to invest in; it can also save you time and money, not to mention your hard-earned reputation.

We recently published a deep-dive into threat modelling where you can explore this topic in more detail.

Gaining a competitive advantage

For some reason this is often overlooked, but enhanced security measures can serve as a significant market differentiator. If you operate in a sector where data security is paramount, then being able to showcase strong security protocols can be a compelling factor in attracting and retaining customers. 

And in the coming years - with all the advancements in deep fakes and other AI-aided social engineering attacks - this competitive advantage is likely to be even more pronounced as it will matter a lot more to your prospects.

Collaborating with the marketing or PR team to analyse how competitors promote their security measures and determining the investment needed to surpass the industry average - or most competitors - is a potentially game-changing move. The marketing team would also likely appreciate having an additional unique selling proposition to elevate the product's market positioning!

Establishing a budget for security improvements with marketing value in mind could serve as a sensible starting point for minimum expenditure. 

Employee motivation and productivity

Cybersecurity matters not only to your customers and potential customers, but to your employees, too. 

Training employees in security practices not only boosts their confidence in their roles but can also enhance productivity by reducing technology-related fears. Investing in meaningful training rather than superficial 'security theater' can help make sure that your employees are actively contributing to the organization's security posture. Don’t forget that those who you work with are the primary enforcers of any cybersecurity strategy.

The UK government recently advocated for companies to recognize that people are central to effective cyber security strategies. We took a deep dive into this topic ourselves not so long ago in our article about creating a company culture for security.

Determining how much to invest in boosting employee motivation through security training is essential. Collaborating with HR to establish a comprehensive budget for security training is advisable, and you should consider this allocation as the baseline for your investment in developing a security-conscious workforce.

Reducing your insurance premiums

Investing in robust security practices not only enhances protection but can also lead to financial benefits, such as reduced premiums on cyber insurance. Insurance providers often offer lower rates to organizations that demonstrate comprehensive security measures, including regular employee training and thorough system hardening.

According to the UK Government's Cyber Security Breaches Survey 2023, 63% of medium-sized businesses and 55% of large businesses have cyber attack insurance. Notably, the cost of such insurance is typically lower for entities that invest in proactive security training.

It would be prudent to assess the baseline insurance costs and compare them with the costs for enhanced security scenarios. The savings from lower insurance costs can then be considered as a benchmark for the minimum investment in cybersecurity.

Ethical considerations

Considering the ethical implications of cybersecurity underscores the fundamental question: How much do we value our customers' safety?

With one in three families in the UK having lost money to internet scams in 2022, and numbers broadly similar in other markets, the likelihood is high that someone we know personally has been affected by them. Enhancing the cybersecurity training of employees not only safeguards organizational assets but also equips individuals with the knowledge to protect themselves against personal cyber threats.

Quantifying ethics and moral values presents a challenge, as these are inherently subjective and rooted in individual beliefs and societal norms. In this sense, ethical investment in cybersecurity can be likened to charitable giving, based on a commitment to doing what is deemed morally right, rather than on measurable returns. That said, if all of us were more knowledgeable in cyber risks, then surely that would have a massive long-term impact on the reduction in some of the more negative implications of cyber threats covered in this article. 

The bottom line is that cybersecurity is not only a technical challenge but a human, societal one. The level of protection afforded to company assets is deeply intertwined with the motivation and ethical stance of the workforce and even the populace as a whole. 

Here at Licel we believe passionately that it's vital that those of us involved in the creation of cybersecurity products cultivate a deep sense of empathy towards end-users. This empathy stems not just from a professional obligation but from a personal connection; we, the cybersecurity professionals, engineers, product managers, and CISOs are also end users who navigate these choppy digital waters daily. 

We have firsthand experience of the unease that accompanies an unexpected pop-up on our smartphone screen or the anxiety of being locked out of an account with an accompanying notification telling us that the password has been changed when we know we haven’t changed it ourselves. 

These aren’t abstract scenarios but realities that we have personally encountered. 

Our families and friends could be forced to deal with minor inconveniences or significant emotional and financial turmoil due to cyberattacks. And really, what matters more than stopping that from happening?

Why cybersecurity matters to all of us

In this article we’ve outlined a number of reasons why cybersecurity matters, from economic, to reputational, all the way to more human, emotional drivers.

So, try to see cybersecurity not just as a matter of meeting technical or compliance benchmarks but rather as a way of fundamentally reflecting your organization's values in the digital age.

How much are we collectively prepared to allocate towards enhancing security and contributing to a safer digital environment for everyone?

Adopting this mindset shifts the focus from viewing security spending as a cost to seeing it as an investment. Not just in your own company's future but in the wider world that we want to create for tomorrow.

Cybersecurity isn’t just about balancing the books; it's about shaping a digital environment where safety, trust, and respect are paramount. 

By investing in cybersecurity, we're not just protecting data; we're safeguarding our community's well-being and setting a standard for responsible digital citizenship.

And that’s something that should matter to all of us.