Can you still Afford “not to afford” Cyber Security?

COVID-19 changes the game: Now is not the time to risk a cyber-attack.

Earlier ransomware incidents that have affected  organisations such as Travelex in the UK or Bouygues in France profoundly question the way cyber security has been managed – historically – in many large firms. And they add their names to an ever growing “hall of shame” which already includes British Airways, Marriott, Equifax and – sadly – countless others.

Large firms with multi-million IT and security budgets should not end up in that mess. Period.

Calling in one of the Big 4 firms to “sort things out” afterwards will not cut it anymore. At the heart of the matter, is not just the need to “do things” (protective and layered “defence-in-depth” measures are well known and have been for decades) but the governance surrounding execution in those firms, the way the prioritisation of security investment was handled over the years, and the cultural and managerial aspects surrounding those.

“We can’t afford this” is an excuse we have been hearing too often with senior executives around security over the years. Many CISOs take it as budgetary constraints. It is simply adverse prioritisation. And if security is not visibly towards the top of the agenda with management, you cannot expect good execution to follow regardless of the investments you make.

One trait many of the firms affected recently by cyber security incidents had in common (pre COVID-19), was their relatively good economic health. Those were not failing businesses chronically losing money or drastically challenged by digital disruption, as could have been the case for example in the retail sector. They were healthy and established market players churning up healthy profits.

How did they use to assess the threats they face? How did they manage their levels of exposure or protection against those? How did they determine the investments necessary to ensure adequate protection?

Clearly, not very well…

One thing is certain: They were not really short of cash – at the time. It may be a simplistic view from a CFO perspective, but the reality is that – post breach – money invariably used to appear out of nowhere to get things “fixed”.

That’s the most pathetic part of all those incidents: Shameless executives, who previously would have argued that they “could not afford” security measures, handing out millions in search of non-existent quick-wins or technical silver-bullets. And shameless tech vendors and security “consultants” lining up, without for a second daring to tell their clients what they need to hear: Buying more tech won’t help you, until you address the cultural and governance attitudes which have led you in that mess in the first place: Endemic short-termism, cognitive biases, or frankly in some cases, threat ignorance and lip service to compliance requirements.

Of course, once the entire business has been down for several days, priorities are put into perspective and mindsets change, but for how long?

Across the street, various competitors or suppliers would have been rattled and may also start thinking differently, but again, for how long?

Once the dust has settled, losses are just losses; they may not please the shareholders, but in a context where many things could go wrong for large firms, do they really matter if the health of the business is strong? For St Gobain, Maersk and others – badly hit by the 2017 NotPetya outbreak – lost sales associated with the cyber-attack were estimated in the hundreds of millions and direct costs related to crisis in the tens of millions. Unpleasant, not invisible but manageable – in good times – on an otherwise healthy multi-billion balance sheet.

Frankly, those days have gone. The COVID-19 crisis changes the landscape totally around cyber-attacks, and that type of cynical approach now borders on plain negligence.

Which business can now afford “not-to-afford” good cyber security measures, in a context where most remaining activity has shifted online, and we are all dependent on digital services?

Security has become essential to keeping the lights on, and nobody can risk a cyber attack in the middle of all this. At the same time, cash has become precious and the business outlook is unclear.

But prioritising against security spending seems unreasonable, even in the face of massive cost reductions, and in particular in organisations where current cyber maturity levels are low.

Now is the time to look at those maturity problems in the face and to focus the scarce resources available where they will have most impact. But cutting security spending to the ground in the midst of the COVID-19 crisis would be disastrous.