Almost every country spends a large amount of its wealth on its military. It spends billions of dollars buying the latest arms and ammunition. Yet, barring a few instances, those weapons are hardly ever used. To a layman, it seems like a waste of money to invest in weapons. What he does not understand is that it is precisely this inventory of weapons that acts as a deterrent to war. The enemy knows that you will retaliate with your inventory of weapons if provoked and avoids an armed confrontation. Ironically, these destructive weapons actually bring peace and avoid destruction.
If there is a war, a bomb’s worth can be measured by the destruction it has caused to the enemy. The measure of that destruction can be said to be the RoI of the bomb. But how do you measure the RoI of the weapons if they are not used at all, i.e., in peacetime? They are serving the important purpose of discouraging the enemy from launching an attack. They are certainly a worthy investment even in peacetime, but worth how much? How many weapons, and how destructive, should a country have? Should every country have an arsenal of nuclear missiles to deter all possible enemies?
The situation is quite similar in the field of cybersecurity. If the security policy and systems are working fine and are effectively defending the enterprise, they are hardly ever in the limelight and never get their due recognition. Because of this, organizations often cut the security budget and make themselves vulnerable. It is only after they are attacked and suffer the losses that they realize the importance of investing in cybersecurity. Security systems need to be fortified before they fail, not after.
The Inverse RoI of not investing in cybersecurity
Organizations are very good at measuring Return on Investment (RoI). If the investment yields profits, it has a positive RoI. If the investment results in losses, it has a negative RoI. But what about an investment that the organization should have made but didn’t, and because of that suffered losses? That is Inverse RoI. The cyber world is full of viruses, trojans, malware and active hackers. If an organization doesn’t invest enough in its security, i.e., it does not implement the right security systems or invest in training its employees in secure practices, it is bound to get breached. However, such a breach cannot be termed a negative RoI, as the existing security system would have defended against many other attacks, barring the one that got through. The organization should have fortified its cybersecurity system to defend against all the potential sources of the breach.
Investing in cybersecurity
Many organizations grapple with the question of how much they should invest in cybersecurity. Large organizations spend considerable resources in identifying and understanding the risks. They quantify the impact of each risk occurring and invest to mitigate that risk. As a result, they develop an elaborate security policy, implement security systems and have dedicated security staff who continuously monitor the threat landscape and perform continuous risk assessment.
However, the story with small and medium enterprises is completely different. They are not as sophisticated in their security operations as their larger counterparts. Most have firewalls and antivirus software with the capability to monitor malware. But they do not fully understand the necessity of endpoint protection and data loss prevention, or the importance of employee training to sensitize staff to security. Many such organizations fail to convince their boards to invest in cybersecurity. As a result, they are left vulnerable to breaches, both internal and external.
Effects of Inverse RoI in cybersecurity
The effect of not investing in security is the same as the impact of a breach. A breach or loss of data can cause legal problems with substantial financial implications for the organization, not to mention that the reputation it has built through hard work is destroyed. In an extreme case, there may be more severe punishment, such as imprisonment. Either way, the organization’s future business potential is affected, and it takes a very long time for it to get back to the same position.
Cyber criminals are getting well organized and have considerable resources at their disposal. Enterprises, both large and small, must understand the security risks that exist in the cyber world and the impact they can have on their business. Whatever their scale of operations, they must devise the policies and solutions that keep their data safe and secure. Most importantly, they should not ignore the importance of training employees in cybersecurity. An educated employee is the most crucial element of cyber defense.