ESI ThoughtLab released new data on corporate cybersecurity this week, with a conclusion that may not be new, but is no less alarming: Cyber risks are huge, and growing worse, for businesses.
In the report, as a part of ESI ThoughtLab's The Cybersecurity Imperative research program, analysts found corporate executives are preparing for significant spikes in cyber risks, with particularly large exposures stemming from their business partners, vendors and supply chains. Yet, the largest threat to the enterprise today remains within an organization's four walls — untrained staff, exposing their firms to costly and damaging cyberattacks at the click of a suspicious email link.
Amid these threats, ESI ThoughtLab concluded that businesses will see heightened exposure as a result of their ongoing digital transformations, increased technological adoption and expansion of supply chains. It all begs the question: Will companies ever get to a point where they are a step ahead of the cyberattackers?
According to ESI ThoughtLab Chief Executive Lou Celi, organizations won't be able to get ahead until they truly understand the cyberthreats they're facing, and the return on investment (ROI) of cybersecurity investments.
In a recent conversation with PYMNTS, Celi put it in terms of "economic equilibrium."
"When the good guys' incentives are much higher than the bad guys', they just don't bother anymore," he explained. "[Companies] have to do a better job of understanding the economics of cybersecurity. It's the equilibrium incentive: companies don't fully understand the ROI of cybersecurity."
One of the largest challenges is that companies tend to only focus on direct costs of a cyberattack or data breach, typically in the form of a government-issued fine. They're paying less attention to indirect costs like a hurt reputation, lost trust with customers, system downtime, suppressed productivity and more.
Companies are also failing to understand ROI in terms of the upsides of enhanced cybersecurity investments, Celi said. It could mean customer retention when a company performs a quick response recovery or customer attraction when cybersecurity reputations are strong.
According to ESI ThoughtLab, there is evidence that, while companies are certainly investing in cybersecurity, without proper ROI analysis, their investments may be a bit misaligned or misplaced. Take, for example, investment in risk prevention. The largest chunk of cybersecurity investments (26.5 percent) is going to protection, rather than response and recovery initiatives. The latter two, Celi explained, contribute to a company's resiliency, to react quickly and efficiently when a breach does occur.
"You have to put more effort into not just predicting a risk — you can't predict a Black Swan event, but you have to have resilience built in," he said.
It's part of the broader understanding that, while companies may throw money at preventing a cyberattack, such an event is next to inevitable. In a conversation with Kevin Mitnick, a notorious U.S. hacker, Celi said Mitnick simplified the current cybersecurity situation.
"Lou, there's always a way in," Mitnick told Celi.
The point he was trying to make, Celi elaborated, is that businesses must invest in their agility to respond after they've been breached, and not only in their ability to prevent the breach in the first place.
In another example of misaligned cybersecurity investments, ESI ThoughtLab's report found nearly 90 percent of professionals cite untrained staff as their biggest cybersecurity risk, yet only 17 percent of companies said they have made significant progress in their staff cybersecurity initiatives.
Businesses striving ahead in their digitization efforts also show evidence of misaligned cybersecurity investments. Celi noted that innovators promoting this technological transformation often consider cybersecurity of their tools as an afterthought, and that can be a critical mistake.
"As you apply these technologies, you have to be doing due diligence to make sure you're not exposing yourself to risk," he said. "Cybersecurity needs to be something thought about at the beginning of the innovation process."
It's part of what he described as a "digital paradox." While companies must move quickly to innovate and embrace disruptive technologies, they must take the time to safeguard that digital future. Part of doing so is to not only invest in experts to fill chairs in a company's designated cybersecurity department, but to have cybersecurity become a part of the enterprise as a whole, as well as its supply chain of vendors and partners.
Indeed, adequate ROI analysis of cybersecurity initiatives is no easy task, made even more difficult by constantly changing tactics by cyberattackers. Investing more in employee training may help to a point, but when cyberthieves change their tactics, how frequently should staff be trained? Businesses may begin to understand the indirect costs of a cyberattack, but how do they put a dollar amount on a damaged reputation?
Organizations and government entities are increasingly turning their attention to these difficult questions, as understanding ROI on cybersecurity could eventually give businesses the upper hand in the seemingly never-ending cyber wars.
"If that happens," Celi said, "then maybe there will be the incentive for [the] good guys to do better than the bad guys."