There are many FDs and CFOs who, even more so given the economic challenges of the current pandemic and looming global recession, thought that budgeting for cyber security expenditure was essentially discretionary and could be postponed or cancelled in line with P&L and cash flow management requirements.
This approach is neither sensible nor pragmatic. On the contrary, it goes so far beyond negligence as to be foolhardy.
The reality of today’s world is that a career in cyber crime is more lucrative – as well as more meritocratic and less discriminatory – than most traditional careers. The tools you need for success can be inexpensively purchased or rented on the dark web. Corporate targets are incredibly soft and vulnerable. The risk of being caught is less than 1%.
The ‘cyber security is a discretionary item’ strategy is this: ‘As far as I know, we haven’t yet been successfully attacked. Maybe we never will be. Let’s wait and see.’
Most attacks are only discovered six months or more after initiation, and usually by an outsider. The discovery of an attack is followed, rapidly, by a shift to panic mode and urgent spending – typically at emergency prices – on consultants and experts to try to resolve the problem. It may require payment of a ransom. It will require a report to the GDPR Supervisory Authority. It will lead to an investigation and, several years later, a fine. It will depress revenue, knock profits, affect reputation and drive down the share price. And at the end of that, you will still have to spend whatever it takes to secure the organization against cyber attack. This is a strategy that could cost ten times more than simply taking action to deal with the threat today, before it’s too late.
And then all you need to do is stay on top of the evolving threat environment, continually re-securing your environment against enterprising and fast-moving cyber attackers.