In the last few decades IT systems have become a significant factor for every industry, increasing productivity, improving service offerings and increasing the speed at which companies can deliver services. It is only right, therefore, that we ensure these systems are not abused, damaged or misused in a manner that can undermine the organisation or its customers.
Whilst every industry wants to ensure that its IT systems continue to deliver massive benefits, the cost of securing such systems and keeping them secure is an area in which many companies underspend, as security is often viewed as a cost centre with no discernible benefit. This is the result of a combination of economic, psychological and organisational reasons.
Cybersecurity is seen as a cost, not an investment. This is because there is no immediate return on the investment: it does not generate visible revenue, and it is hard to quantify the benefit of an attack not happening. If it is working and effective, there is no loss of service.
Companies will also often underestimate the risks they are running. Too many believe they are too small or unimportant to be targeted, without considering that any income a threat actor can squeeze out of a business, regardless of its size, makes it a potential victim. This can also be attributed to a lack of awareness of how damaging cyberattacks can be. Not every attack needs to result in ransomware. Sometimes you can be a victim purely because of who your clients are, the data you hold, or who you are affiliated with. Not to mention opportunistic criminals who would seek to abuse your IT systems to mine cryptocurrencies!
At an organisational level, there can be many factors behind underinvestment. It can be a result of the C-suite not really understanding technical threats or how to prioritise them in the context of the business. CISOs can struggle to make the business case for financial investment when competing with growth-oriented spending such as sales. There can be overconfidence in existing defences: the fallacy that anti-virus and firewalls are all that is needed to keep you secure, combined with a "check-the-box" approach to compliance, can give a false sense of security.
What we see time and time again is that too many organisations only invest in their security after a breach or regulatory penalty. Security has traditionally only been prioritised after a failure, and not before one.
These issues have been identified by regulators in the financial industry and beyond, and this is why schemes such as CBEST exist. Their purpose is not to force companies to spend money where they would rather not, but to validate security spend, demonstrate to the board the impact of underinvestment, and enable companies to move from a reactive culture to a proactive one. These regulator-led tests are not pass/fail events. They are about ensuring that organisations build resilience and capability, and maintain the trust they have worked hard to earn from their customers.
Prism Infosec are proud to be part of this industry. Security should be a priority for every organisation, not just the regulated ones. We want to help our clients on their security journey: raising awareness, demonstrating the value of security investments, and supporting them to be trusted, secure and robust whilst achieving their goals.
If you would like to discuss how Prism Infosec can help your company, then please reach out to us:
Prism Infosec: Cyber Security Testing and Consulting Services