It is a source of amazement (and appalled admiration) to me just how quickly companies are to flood my in-box with quotes and comments from spokespeople and experts in the wake of the latest high profile IT security breach.
While their motives may be well-meaning in terms of highlighting how companies and organisations can ensure they do not fall victim to similar data breaches and generating awareness of the issues involved, it’s hard to escape the feeling that there’s also a healthy bit of fear and anxiety being stoked in the hope of generating future business.
Stories concerning IT security breaches are matched only by those publicising reports estimating the frequently terrifying cost to the businesses affected.
Set against this backdrop, the RAND Corporation has produced a study entitled Examining the costs and causes of cyber incidents, published in the Journal of Cybersecurity, which suggests the cost of security breaches has been wildly over-estimated.
The report examined more than 12,000 cyber incidents recorded from 2004 to 2015 and found “that they cost most firms less than $200k, only a fraction of the millions of dollars commonly cited” and a figure equivalent to the average company’s annual IT security budget. “We also estimate that they represent only 0.4% of firm revenues,” the report continued, “far less than other losses due to fraud, theft, corruption or bad debt”.
In a press release accompanying the publication of the report, policy researcher Sasha Romanosky said the “hacks, attacks and careless behaviours represent a small fraction of the costs that firms face and, therefore, only a small portion of the cost of doing business”.
The report suggests that with the cost of security breaches more or less matching the amount most companies spent on their annual IT security budget, companies could be “engaging in a privately optimal level of security – that they are properly and efficiently managing cyber risks as they do with other forms of corporate risk. And that for most firms, because their expected losses are relatively low, they subsequently are investing in only a modest amount of data protection”.
Could it be possible that, despite the screaming headlines and alarmist comments, companies are, for the most part, actually doing a good job of investing in the right amount of IT security for their business? You have to admit it’s an intriguing conclusion because it suggests that most businesses have an inbuilt sense of equilibrium when it comes to assessing the potential risks they face.
According to the report, the balance between the cost of security breaches and the amount companies invest in IT security could mean that “an executive who is sceptical of security investments may believe that unless a firm incurs a breach every year, it is wasting its IT security investment every year it does not suffer a breach”. Or it could suggest that “a firm can expect to lose the equivalent of its IT security budget each time it suffers a data breach or security incident”.
Either way, it also appears to demonstrate that companies are, for the most part, spending the right amount on IT security for their circumstances. That’s not a message you’re likely to see clogging up your in-box or blaring from the headlines.