If you ever look at the dizzying array of security technologies and the price tags associated with them, or at the average cost of acquiring and retaining a lesser-spotted information security professional, it can leave everyone, both inside and outside of the security industry, with the impression that achieving effective cybersecurity is mightily expensive.
If cybersecurity is generally very expensive, are there reasonable measures that can be taken using just a small amount of research, some common sense and a much smaller budget?
The Average Cost of Cybersecurity
One problem with working out the average cost of putting appropriate security in place is the number of differing statistics on the topic. Global spend on information security is estimated at anywhere between 0.5% and 1.5% of global GDP (the total value of goods and services produced across the planet in 2018).
Within that overall estimate, there are of course vast differences in how each person and organization approaches security. Some spend nothing, some spend very little and a few organizations spend quite a bit.
One of the issues is the way effective cyber-attacks work: it is usually in the interest of the cyber-criminal or other interloper to keep his or her presence unnoticed for as long as possible. A long-running, stealthy intrusion of this kind, and the adversary behind it, is what the industry calls an Advanced Persistent Threat (APT).
The period between the initial compromise and its detection is what cyber experts refer to as dwell time, and you will notice that many of the targets of the largest mega breaches end up admitting that the theft occurred months or even years before it was finally identified and disclosed to those who were impacted.
The fact that so many large organizations continue to be caught out by cyber-attacks can leave the average person thinking there is no chance of securing his or her own information. In fact, the challenge for each digital environment is that the larger it is, the harder it is to ensure that all of the right security measures are consistently implemented.
After all, a good hacker only needs to find one way through. My own experience of delivering cybersecurity extends to many different environments:
- Home
- Small business
- Global multi-national security programs
The Cost of Home Cybersecurity
There are plenty of FREE resources that can help the average person secure his or her own environment – but the real cost here is the time required to ensure that each technology is researched and configured as securely as it can be.
There are also financial costs, because reaching a reasonable level of home cybersecurity still requires things such as a safe backup service for important data, effective security software (which usually has a cost), and replacing (or disconnecting) any devices whose security support has expired.
My experience of home users is that most environments have almost no security, and the only reason that they continue to function is either because the person has the good fortune not to have been targeted (yet), or because their home environment is crawling with viruses but the attackers are happy to just continue to extract value from the victims.
The Cost of Small Business Cybersecurity
It would be tempting to think that small business cybersecurity should be cheaper than it is for large businesses – but my experience is that this is not the case.
Getting security right for a small business costs a considerably larger percentage of the operational budget than it does for a large business. Why? Because small businesses do not get the economies of scale that larger businesses do. Not only does security software cost a small business more per device, but it still needs to implement the same critical and major security controls, and can only spread that cost across a much smaller revenue base.
Whereas a large organization might look at spending 1-2% of the operational budget on security, any small business looking to get security up to a reasonable standard could be looking at a figure closer to 4% or more (based on personal experience of reviewing such environments).
The Cost of Large Organization Cybersecurity
Depending on the particular activities and risk appetite of each organization, a large organization may spend anywhere from a fraction of a percent to a couple of percent of its operational budget on implementing and sustaining security.
But the cybersecurity challenge for large organizations is not one of pure financial cost. To make security effective, they have to embed security principles within the heart of everything they do. Sometimes this is referred to as achieving security by design; in software delivery, where security is built into the development and operations pipeline rather than bolted on afterwards, people increasingly refer to it as DevSecOps. Whichever description is used, the fundamental remains that security has to be included from the outset and sustained throughout the lifecycle of each technology that is used, right up to and including retirement.
For me, the CMMI Institute’s Capability Maturity Model Integration is a process model that, when applied correctly, can really help small and large organizations to understand where they are on their own journey to achieving effective cybersecurity. It is a scale that can be used to measure just how mature (or not) each major and critical process is. When I have measured organizations using the CMMI scale, it is usually very easy to see exactly where the security engineering gaps that present the highest risks are.
Can Cybersecurity be Inexpensive?
In short, it depends. The more technology you use, the more time and effort is required to ensure appropriate security is put in place. One thing to note, though, is that the earlier security is considered, the cheaper it is to implement and sustain; just ask anyone who has borne the cost of recovering from a significant cyber-attack.
However, basic cybersecurity measures are usually enough to keep most threats at bay in home and small business environments, especially if important information is regularly backed up to a safe location just in case.
Basic cybersecurity does not have to be expensive from a financial perspective, but it certainly does require taking the time to consider each new technology carefully, to research and implement the right security settings, and to keep different technologies as isolated from each other as possible (for example, by keeping untrusted devices on a separate network segment from the devices that hold your important data).
As one friend recently asked me: "What harm can placing one cheap smart bulb in my home do? I don't really care if a hacker switches on and off one bulb." But, of course, that one device could be just the entry point a hacker needs into everything on that home network, especially if it has known security flaws, security problems that can probably be identified and prevented through a very simple Internet search.
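As an added example (not from the original article), here is what keeping that smart bulb "protected from" the rest of the home looks like in practice on a home router or firewall running Linux nftables. IoT devices sit on their own segment and can reach the Internet, but cannot open connections into the segment where laptops, phones and the backup store live. The interface names lan0, iot0 and wan0 are assumptions for illustration; substitute the router's real interfaces or VLAN sub-interfaces.

```nft
# Added example: nftables ruleset isolating an IoT segment on a home router.
# Interface names are assumptions, not taken from the article:
#   lan0 - trusted segment (laptops, phones, NAS holding backups)
#   iot0 - untrusted segment (smart bulbs, cameras, other cheap devices)
#   wan0 - uplink to the Internet
table inet home {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that a trusted device opened are allowed back.
        ct state established,related accept

        # Trusted devices may talk to IoT devices (e.g. the phone app that
        # controls the bulb). The bulb cannot use this rule in reverse,
        # because it only matches packets entering from lan0.
        iifname "lan0" oifname "iot0" accept

        # Both segments may reach the Internet.
        iifname { "lan0", "iot0" } oifname "wan0" accept

        # A compromised bulb on iot0 cannot open connections to lan0. This
        # would already fall through to the drop policy; the explicit rule
        # with a counter makes attempts visible in `nft list ruleset`.
        iifname "iot0" oifname "lan0" counter drop
    }
}
```

Load it with `nft -f home.nft` and check the result with `nft list ruleset`. The default state of most consumer routers is the opposite of this: every device shares one flat network with no forwarding filter between them, equivalent to `policy accept` with no rules, which is exactly why one vulnerable bulb becomes an entry point to everything else. One caveat: the forward chain only sees traffic that is routed between interfaces. If the bulb and the laptops are on the same Wi-Fi and the same bridge, their traffic never reaches this chain, so the segmentation has to exist first (a separate SSID mapped to its own VLAN, or a guest network that the router keeps isolated) before these rules can enforce it.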