Is Cybersecurity Undervalued?

Cybersecurity seems to be one of those problems that companies just throw money at.  It’s an established cost of doing business in the digital age, yet nobody seems to know how much “adequate” cybersecurity should really cost.

The main reason is that cybersecurity has so many wildcards.  Who would have predicted that the breach at Ashley Madison would have consequences far beyond the site’s customers?  Or that Chinese attackers could steal the sensitive security clearance information of Federal employees?  Unlike health or fire insurance, there are few data-driven tools, such as actuarial tables or historical loss statistics, to inform decision-making about cybersecurity.  As a consequence, executives and I.T. managers tend to buy solutions without a solid understanding of the costs and benefits.

The easiest way to measure the value of cybersecurity is to quantify the losses a breach would cause, and then weigh them against the likelihood of incurring them.  Yet as recent cybersecurity incidents have demonstrated, those losses are routinely valued too low.

Take last summer’s hack at JP Morgan Chase as an example of an attack that has largely played out.  When hackers stole the personal information of over 76 million households, there was a measurable, up-front cost associated with cleaning up the mess.  JP Morgan Chase set up an internal working group involving hundreds of employees to change its I.T. systems and deal with the public fallout through a special website.  JP Morgan Chase stock dipped as the company admitted that it was slow to react.

But that’s just the direct impact to JP Morgan Chase itself.  The hack also compromised the data of over seven million small businesses, expanding the cost and long-term fallout significantly.  JP Morgan Chase’s reputation took a big hit in the incident – one that won’t be easily recovered with either its retail customers or its business clients.  The information stolen from JP Morgan Chase is still being used in phishing and other scams to this day, and the Securities and Exchange Commission is also looking at new regulations, citing the hack as a principal reason.  All of these represent costs which are harder to measure, particularly over the long term.

This brings us back to the cost of cybersecurity.  If cybersecurity investment were driven by data alone, JP Morgan Chase’s direct monetary loss would be the measure of the risk it took in its approach to I.T. infrastructure, and an insurance-style model of pricing that risk would make sense.  Yet the quantitative data cannot fully account for intangibles like leadership turnover and damage to a company’s brand.  Once those are added to the picture, the cost of cybersecurity looks small next to the outsized impact of a breach.
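As an added illustration of the expected-loss reasoning above (the insurance model, and why the investment decision changes once intangibles are counted), here is a small Python model.  It is not code from the original article; every figure in it is constructed for the example and none is drawn from the JP Morgan Chase incident.  It simulates annual breach losses as a compound Poisson process, then asks whether a control that halves breach frequency pays for itself, first counting direct costs only and then applying an assumed multiplier for brand damage, churn and regulatory overhead.

```python
import math
import random

# All figures below are constructed for illustration; they are not
# the page's numbers and not JP Morgan Chase's actual losses.
BREACHES_PER_YEAR = 0.10         # one material breach per decade, on average
MEDIAN_DIRECT_COST = 2_000_000   # USD per breach: response, notification, remediation
SEVERITY_SIGMA = 1.0             # log-scale spread: most breaches small, a few very large
INTANGIBLE_MULTIPLIER = 3.0      # assumed brand, churn, turnover and regulatory overhead
CONTROL_COST_PER_YEAR = 250_000  # annual cost of a control that halves breach frequency


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_direct_losses(rate, median, sigma, years=20_000, seed=7):
    """Compound-Poisson annual loss: breach count ~ Poisson(rate),
    each breach's direct cost ~ lognormal with the given median and sigma.
    Returns one total direct loss per simulated year."""
    rng = random.Random(seed)
    mu = math.log(median)
    annual = []
    for _ in range(years):
        total = 0.0
        for _ in range(_poisson(rng, rate)):
            total += rng.lognormvariate(mu, sigma)
        annual.append(total)
    return annual


def summarize(losses, multiplier=1.0):
    """Expected annual loss and tail percentiles, scaled by the intangible multiplier."""
    ordered = sorted(loss * multiplier for loss in losses)
    n = len(ordered)
    return {
        "expected": sum(ordered) / n,
        "p95": ordered[int(0.95 * (n - 1))],
        "p99": ordered[int(0.99 * (n - 1))],
    }


def control_justified(control_cost, multiplier, rate=BREACHES_PER_YEAR,
                      median=MEDIAN_DIRECT_COST, sigma=SEVERITY_SIGMA):
    """Does the control's reduction in expected annual loss exceed its annual cost?
    Returns (decision, expected saving). The control is assumed to halve breach frequency."""
    before = summarize(simulate_direct_losses(rate, median, sigma, seed=7), multiplier)
    after = summarize(simulate_direct_losses(rate / 2, median, sigma, seed=11), multiplier)
    saving = before["expected"] - after["expected"]
    return saving > control_cost, saving


if __name__ == "__main__":
    base = summarize(simulate_direct_losses(BREACHES_PER_YEAR, MEDIAN_DIRECT_COST, SEVERITY_SIGMA))
    print("direct costs only: expected %.0f  p95 %.0f  p99 %.0f" % (base["expected"], base["p95"], base["p99"]))
    for mult in (1.0, INTANGIBLE_MULTIPLIER):
        ok, saving = control_justified(CONTROL_COST_PER_YEAR, mult)
        print("multiplier %.1f: expected saving %.0f vs cost %d -> %s"
              % (mult, saving, CONTROL_COST_PER_YEAR, "justified" if ok else "not justified"))
```

With these constructed inputs the expected direct loss is roughly $330K a year (0.1 breaches times a mean severity of about $3.3M), so halving breach frequency saves about $165K and the $250K control fails a direct-cost-only test.  Applying the intangible multiplier lifts the saving to roughly $495K and the same control is clearly justified, which is the point the text makes about the relative cost of protection.  The p95 and p99 figures also show why an "average loss" budget understates exposure: most years see no breach at all, and the years that do carry losses many times the mean.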

As long as the value of cybersecurity remains difficult to measure, it will also be difficult to invest sensibly in adequate protection.  Some companies will probably overpay, but many more will continue to take risks that are disproportionate to the intangible costs of a cyber attack.

As any JP Morgan Chase executive will probably tell you, it is important to assess cybersecurity needs in context.  Weighing the value of cybersecurity tools against the potential damage of an attack has to account for the full measure of that damage, indirect and long-term costs included.  Just as there’s no silver bullet for cybersecurity, there’s no telling what the dividends of adequate protection might be.