Assuming that the audience reading this article mostly consists of technologists, imagine for a moment that you're not technical. Sending information from your desk to another desk, continents away and at the literal speed of light, is now as normal as breathing; but if asked how breathing works, you couldn't explain it.
The typical CEO or CFO is not a technologist and cannot be faulted for looking at the cybersecurity problem as a financial problem. For example, if the CEO has budgeted $10M for cybersecurity this year, but the CISO tells him/her the company has a $12M need, then the CEO has a choice.
Since a CISO cannot guarantee that the additional $2M will prevent a devastating breach, a non-technical CEO might see cyber risk in the same vein as the weather: it isn't predictable, so why invest the additional budget?
That’s where they might default to a more traditional business decision, such as purchasing cyber insurance.
According to a UN report, for every dollar spent on cyber threat prevention, seven dollars are saved in economic losses associated with restoration and recovery. So, if an organization spends $25,000 on cybersecurity, it is really guarding against attack clean-up costs of as much as $175,000. That's a good ROI, though the 7:1 figure is an average across organizations, not a guarantee for any single one.
However, buyer beware. Insurance is not a preventative measure but a fail-safe. It does not reduce the likelihood or impact of a breach the way the controls a CISO implements do.
The safeguards that a CISO builds into a network will typically include backups of data assets. In the event of a ransomware attack, assets can be recovered and an organization can refuse the attackers' demands for payment. For that to work, the backups must be kept offline or immutable, so the ransomware cannot encrypt or delete them along with the production data, and restores must be tested before they are needed. Forking over ransom payments is dangerous on numerous counts: there is no guarantee the attackers will provide a working decryptor or refrain from leaking stolen data, and paying encourages them to continue their extortion schemes.
As we're beginning to see, some cyber insurance companies view paying the ransom as a cost-friendly alternative to remediation, a practice that is discouraged by most authorities, including Europol and the FBI, which advise against paying.
When business leaders surround themselves with expert technologists, they can put proper cybersecurity in place and ensure that business decisions are made with a clear understanding of the risks involved.
For more information on cyber insurance and recent ransomware payments, see Ars Technica.