The Hidden Value of Cybersecurity
In spite of cyber threats continuing to grow, recent studies have shown that companies are starting to slow down their spend when it comes to cybersecurity. However, is this a mistake considering the extra business value that comes from having conducted a solid cybersecurity risk assessment?
Last year, the worldwide cost of cybercrime reached $6 trillion and shows no signs of slowing down as studies predict that the damage costs will reach $10.5 trillion by 2025. With this in mind, and with the knowledge that every 11 seconds another company falls victim to a cyber-attack, businesses should be aware of the increasing risks posed by cyber-criminality.
However, organisations continue to exhibit dissonance between their understanding of cyber-attacks as a top risk and their approach to managing it, as very few recognise the potential of the value that can be found in cyber readiness.
This is confirmed through projections which show that the growth in cybersecurity spend is slowing down, as company boards are starting to question the efficiency of the cybersecurity process in which they have so heavily invested in over recent years. (source : 2020-06-17 Gartner)
So now is the time for businesses to stop and re-evaluate how they look at their cybersecurity efforts and start to realise that cybersecurity can be a real business driver and not solely a technology issue to be solved by the CTO. As any leader who has effectively incorporated cybersecurity into their business strategy would tell you, it will give you a clear competitive edge, in the following ways.
Value Creation
These past 18 months have fast tracked the digitalisation of our economy and society. In fact, the World Economic Forum estimates that 70% of new value created in the economy over the next ten years will be based on digitally enabled platform business models. So, it’s safe to say, this digital transformation that we are experiencing will continue to offer ample opportunities for development and growth. But to ensure resilience, businesses must be aware that these digital opportunities also broaden cyberattack risks.
When looking at the digital value at stake, Cisco have estimated that cybersecurity will drive $5.3 trillion in value across private sector industries over the next ten years. When broken down, one third of this ($1.7 trillion) actually refers to the protection of intellectual property and avoidance of data breach costs. But the majority ($3.6 trillion) will be dependent on the willingness of businesses to step up their cybersecurity practices to allow for innovation and growth.
Businesses with insufficient cybersecurity practices run the risk of slower adoption of digital capabilities, which can in effect mean that they fall short of their potential digital benefits and value, which highlights the importance of conducting cyber risk assessments on a regular basis.
Partnerships and Confidence in the Value Chain
While it’s undeniable that the COVID-19 disruption has pushed forward the digital transformation, it has also increased the overall risk of cyber threats. Businesses should take this as a reminder to stop and reconsider their cyber threat assessment procedure.
Having a modern and appropriately adapted cybersecurity approach adds significant value in respect to investment attractiveness during potential M&A activity. In fact, a recent ISC2 study found that a company’s approach to cybersecurity can mean the difference between going forward with a deal or partnership, as 77% of 250 respondents claimed to have previously made recommendations on whether to proceed with a deal based on the strength of the target company’s cybersecurity program.
Cybersecurity weakness is not only a threat to the likelihood of closing a deal, but also to the overall valuation of a company. You only need to think about the infamous Yahoo! databreach back in 2017, which resulted in a 350 million USD cut from the original purchase price they had agreed with Verizon Communications.
But the reality is, it’s not only the major tech companies, like Yahoo!, who are concerned by this. Cybersecurity audits have now become a standard practice across all M&A activity. This is especially something that SMEs should consider. Given that in recent years, many SMEs have taken on new technologies to maintain their business, they often skip the step of also increasing their cybersecurity in relation to these new systems – making them a major target for cybercriminals if they fail to conduct a thorough cyber vulnerability assessment.
And with 88% of business leaders claiming that they are ‘concerned about the cybersecurity of SMEs in their ecosystem’, without a solid, reliable cybersecurity approach, SMEs risk losing their edge when it comes to striking big partnerships.
Increasing Market Access through Compliance
Aside from the competitive edge that cybersecurity brings to an organisation, EU legislation is now making certain cybersecurity requirements a condition to access the EU market. At the beginning of 2022, the European Commission adopted a Delegated Act under the Radio Equipment Directive, which introduced stricter cybersecurity and privacy rules for connected devices (including IoT). This leaves IoT providers with 2.5 years to adapt their products to comply with these strict cybersecurity, privacy, and fraud prevention requirements to keep their access to the EU market.
This comes as the latest of a series of reviews of sectorial legislation, including the upcoming Cyber Resilience Act, that policy makers and industry expect to revolutionise the EU cybersecurity framework and introduce security requirements for products, services and process in the EU.
Cybersecurity- Your Next Steps
We asked cybersecurity expert Iva Tasheva, co-founder of Brussels-based cybersecurity consulting firm CyEn, for her advice on how businesses can improve their cybersecurity practices to secure M&A deals, obtain and maintain promising partnerships and gain access to the EU market:
First and foremost, to be able to easily plan improvement and demonstrate security maturity, I recommend that you base your approach on recognised international standards. From my experience as cybersecurity consultant, there are two commonly adopted and well recognised frameworks. The NIST Framework and the ISO 27001 Framework.
The NIST framework, originally published for critical infrastructure in the US, quickly gained adopters across the globe due to its logical structure and step-by-step approach. It's important to remember that this is sequence, not only a list and therefore is important to start with identification (of processes, assets and risks) to be able to then focus on what exactly there is to protect.
In my experience, most organisations tend to start and finish at the second step, “protect”. I suspect that this is simply an attempt to show management that effort has been made or that it’s a quick fix to patch critical issues. However, this approach does not allow organisations to target their efforts where it matters most.
From these first two steps, it is important to then continue to develop and implement appropriate detection capabilities, to identify the occurrence of a cybersecurity incident in a timely manner.
But what is your approach going to be if a cyber-attack does occur? Knowing what actions to take if the worst were to happen – such as managing communications with stakeholders, law enforcement, external stakeholders - supports the ability to contain the impact of a potential cybersecurity incident.”
Even you don’t invest millions in each step, you should always envisage documenting and testing recovery procedures to restore key capabilities or services that could be impaired due to a cybersecurity incident. This allows for timely recovery to normal operations to reduce the impact from a cybersecurity incident.
To support each of these steps in the NIST Framework, many organisations adopt ISO 27001 Information Security Management Standards. This framework spells out the need to know your business and its requirements, and breaks down the activities in a continuous improvement cycle – the famous plan-do-check-act.
ISO 27001, includes a risk assessment process, organisational structure, Information classification, Access control mechanisms, physical and technical safeguards, Information security policies, procedures, monitoring and reporting guidelines.
Specific information security policies (called controls) are defined in Annex A to help organisations consider key aspects and define their own info sec policies adapted to their context and current capabilities.
But how much should you spend on cybersecurity? Who should oversee the implementation and monitor it? What is the right security program for my company?
The answers to these questions will be different depending on the size of your business and the degree of cyber maturity of your organisation. But a great first step is to assess your cybersecurity performance with a cybersecurity audit.
Vaultinum’s Cybersecurity Audit
It’s no secret that cybercrime is pervasive and putting in place certain security measures is not only necessary but also very valuable for a business. The best way to gain a solid understanding of your cyber readiness, is to use a cyber threat assessment tool such as the Vaultinum's cybersecurity audit solution.
Vautinum’s cybersecurity audit is accessible on one easy-to-use online platform that provides clients a unique combination of self-assessment, source code scan and pen test to allow for the most in-depth cybersecurity audit.
The base cybersecurity audit includes a self-assessment questionnaire which evaluates cybersecurity readiness and organisational resilience in terms of network security against industry benchmarks, giving the client a report with a scorecard and recommendations for improvements. Developed in alignment with international standards and best practices by a team of experts in cybersecurity risk management, the cybersecurity self-assessment delivers accurate scoring and relevant, up-to-date recommendations.
Clients can then choose to run a full cybersecurity audit by adding an in-depth source code scan and pen test which unveils the full insight on existing security vulnerabilities in the source code, such as weak encryption algorithm, password leak risks, giving a full cybersecurity due diligence service.
To ensure top-level security, the uploaded source code is immediately encrypted using SHA256 encryption and is immediately erased from the system once the scan is finished- giving our clients full peace of mind.
The results of both the self-assessment and source code scan are then reviewed by our cybersecurity audit experts, who identify areas of improvement and deliver evaluations and recommendations aimed at optimising the processes and operations of a company.
Recommended for you