The battle for business buy-in: Three ways to justify your IT security spend
Maxim Frolov, Vice President of Global Sales at Kaspersky Lab
Proving ROI in IT security has traditionally been a struggle for IT professionals, who need to balance budget limitations while constantly fighting to stay ahead of the dynamic threat landscape. However, businesses are now starting to treat IT security as an investment, rather than simply a cost-center – according to a recent Kaspersky Lab report.
**Costly cybersecurity incidents are affecting current and future business operations**
Businesses of all sizes and industries are realising that they have to prioritize cybersecurity spend. Enterprises are now spending almost a third of their IT budget (£6.9 million) on cybersecurity and budgets are expected to rise over the next three years across all segments. Both SMBs and Enterprises predict they will spend up to 15% more on cybersecurity over this period.
Why? Because the consequences of a cybersecurity incident can spread far and wide. WannaCry stopped the production lines of five Renault factories, while ExPetr disrupted business operations at Maersk, the world’s largest container ship and supply company, resulting in losses of between £155 million and £250 million.
Along with undermining current business operations, cyberthreats are also impacting future-focused initiatives. Digital transformation and business mobility require organizations to operate a growing IT infrastructure, meaning they often lack visibility into their hybrid clouds. Consequently, data is being put at risk of compromise or even encryption. The Zepto ransomware, which was spread via cloud storage apps, provides a prime example of this threat in action.
Moreover, the costs of dealing with the consequences of a cybersecurity threat are on the rise – due to factors such as having to hire external consultants, acquire new software, and deal with PR risks and litigation.
With costs rising and crucial business operations being put at risk, it’s no surprise that top management is now getting involved in the cybersecurity provisioning debate. But it’s not just their own infrastructure that they have to be thinking about.
**Even if your corporate perimeter is protected, you cannot be so sure about your suppliers**
It’s important to understand that a breach can happen even if the business’s own corporate network has the necessary level of protection — through supply chain attacks or breaches as a result of vulnerabilities in 3rd party legitimate software.
We saw the groundbreaking breach of American retailer Target, when criminals gained access to the company’s network credentials through its ventilation and air conditioning vendor. This was followed by the Equifax breach, in which the company was hacked through a vulnerability in legitimate open source software. The hackers gained access to databases, stealing 145.5 million accounts with crucial client data such as names, social security numbers, dates of birth, addresses and even credit card numbers.
For enterprises, data protection remains a critical issue even if a threat is somewhere outside the corporate perimeter: data breaches resulting from incidents affecting the suppliers that businesses share data with cost them up to £900,000 million on average.
And, with data being stored in multiple locations, cybersecurity becomes a significant challenge.
**Business data must be protected, wherever it is**
It’s no secret that cloud services offer many benefits to businesses, from taking advantage of a more efficient mobile workforce, to reducing infrastructure costs and optimizing business operations. As such, 73% of SMBs use at least one SaaS hosted business application, while 45% of enterprises have either already raised or are planning to grow their use of hybrid cloud in the next 12 months.
However, as businesses move more and more data to the cloud, they often end up losing visibility of their data exposure. Data ‘on the go’ that is actually stored outside of the corporate data center — e.g. in 3rd party IT infrastructure — is presenting businesses with new security issues and new costs. The most expensive incidents over the past year were related to cloud environments and data protection issues. For example, for SMBs, two-thirds of the most expensive cybersecurity incidents are related to the cloud, and failures of 3rd party hosted IT infrastructure result in an average £140,000 loss. That’s why it is so important to consider a dedicated level of cybersecurity when moving workloads to cloud platforms.
To summarize, these three insights can help explain why cybersecurity should be prioritized across companies in any industry – it is a prevalent issue for companies of any size, because virtually every company today deals with 3rd party contractors, cloud infrastructure and a growing amount of sensitive business data. Therefore, to achieve an advanced level of cybersecurity, businesses must implement cybersecurity as one of the core functions across their IT infrastructure.
A set of appropriate cybersecurity solutions can then be deployed, enabling the adaptive and manageable protection of workloads across physical and virtual machines, containers and public cloud. It’s critical to achieve seamless administration and visibility across a hybrid cloud infrastructure.
And last but not least, businesses have to realize their responsibility for data and workloads that are stored in cloud applications and platforms. A false sense of safety and relying on providers to ensure security can be extremely costly – your data is your responsibility.