The Hidden Value of Cybersecurity
Last year, the worldwide cost of cybercrime reached $6 trillion and shows no signs of slowing down as studies predict that the damage costs will reach $10.5 trillion by 2025. With this in mind, and with the knowledge that every 11 seconds another company falls victim to a cyber-attack, businesses should be aware of the increasing risks posed by cyber-criminality.
However, organisations continue to exhibit dissonance between their understanding of cyber-attacks as a top risk and their approach to managing it, as very few recognise the potential of the value that can be found in cyber readiness.
This is confirmed by projections showing that growth in cybersecurity spend is slowing down, as company boards start to question the efficiency of the cybersecurity processes in which they have invested so heavily over recent years.
So now is the time for businesses to stop and re-evaluate how they look at their cybersecurity efforts and start to realise that cybersecurity can be a real business driver and not solely a technology issue to be solved by the CTO. As any leader who has effectively incorporated cybersecurity into their business strategy would tell you, it will give you a clear competitive edge, in the following ways.
These past 18 months have fast tracked the digitalisation of our economy and society. In fact, the World Economic Forum estimates that 70% of new value created in the economy over the next ten years will be based on digitally enabled platform business models. So, it’s safe to say, this digital transformation that we are experiencing will continue to offer ample opportunities for development and growth. But to ensure resilience, businesses must be aware that these digital opportunities also broaden cyberattack risks.
When looking at the digital value at stake, Cisco have estimated that cybersecurity will drive $5.3 trillion in value across private sector industries over the next ten years. When broken down, one third of this ($1.7 trillion) actually refers to the protection of intellectual property and avoidance of data breach costs. But the majority ($3.6 trillion) will be dependent on the willingness of businesses to step up their cybersecurity practices to allow for innovation and growth.
Businesses with insufficient cybersecurity practices risk slower adoption of digital capabilities, and so fall short of the digital benefits and value available to them. This is why cyber risk assessments should be conducted on a regular basis.
Partnerships and Confidence in the Value Chain
While it’s undeniable that the COVID-19 disruption has pushed forward the digital transformation, it has also increased the overall risk of cyber threats. Businesses should take this as a reminder to stop and reconsider their cyber threat assessment procedure.
Having a modern and appropriately adapted cybersecurity approach adds significant value in respect to investment attractiveness during potential M&A activity. In fact, a recent ISC2 study found that a company’s approach to cybersecurity can mean the difference between going forward with a deal or partnership, as 77% of 250 respondents claimed to have previously made recommendations on whether to proceed with a deal based on the strength of the target company’s cybersecurity program.
Cybersecurity weakness is not only a threat to the likelihood of closing a deal, but also to the overall valuation of a company. You only need to think about the infamous Yahoo! data breach back in 2017, which resulted in a 350 million USD cut from the original purchase price they had agreed with Verizon Communications.
But the reality is, it’s not only the major tech companies, like Yahoo!, who are concerned by this. Cybersecurity audits have now become a standard practice across all M&A activity. This is especially something that SMEs should consider. In recent years, many SMEs have taken on new technologies to maintain their business, but they often skip the step of also increasing their cybersecurity in relation to these new systems – making them a major target for cybercriminals if they fail to conduct a thorough cyber vulnerability assessment.
And with 88% of business leaders claiming that they are ‘concerned about the cybersecurity of SMEs in their ecosystem’, without a solid, reliable cybersecurity approach, SMEs risk losing their edge when it comes to striking big partnerships.
Increasing Market Access through Compliance
Aside from the competitive edge that cybersecurity brings to an organisation, EU legislation is now making certain cybersecurity requirements a condition to access the EU market. At the beginning of 2022, the European Commission adopted a Delegated Act under the Radio Equipment Directive, which introduced stricter cybersecurity and privacy rules for connected devices (including IoT). This leaves IoT providers with 2.5 years to adapt their products to comply with these strict cybersecurity, privacy, and fraud prevention requirements to keep their access to the EU market.
This comes as the latest of a series of reviews of sectorial legislation, including the upcoming Cyber Resilience Act, that policy makers and industry expect to revolutionise the EU cybersecurity framework and introduce security requirements for products, services and processes in the EU.
Cybersecurity - Your Next Steps
We asked cybersecurity expert Iva Tasheva, co-founder of Brussels-based cybersecurity consulting firm CyEn, for her advice on how businesses can improve their cybersecurity practices to secure M&A deals, obtain and maintain promising partnerships and gain access to the EU market:
First and foremost, to be able to easily plan improvement and demonstrate security maturity, I recommend that you base your approach on recognised international standards. From my experience as a cybersecurity consultant, there are two commonly adopted and well recognised frameworks: the NIST Framework and the ISO 27001 Framework.
The NIST framework, originally published for critical infrastructure in the US, quickly gained adopters across the globe due to its logical structure and step-by-step approach. It’s important to remember that this is a sequence, not only a list, and therefore it is important to start with identification (of processes, assets and risks) to be able to then focus on what exactly there is to protect.
In my experience, most organisations tend to start and finish at the second step, “protect”. I suspect that this is simply an attempt to show management that effort has been made or that it’s a quick fix to patch critical issues. However, this approach does not allow organisations to target their efforts where it matters most.
From these first two steps, it is important to then continue to develop and implement appropriate detection capabilities, to identify the occurrence of a cybersecurity incident in a timely manner.
But what is your approach going to be if a cyber-attack does occur? Knowing what actions to take if the worst were to happen – such as managing communications with stakeholders, law enforcement and external stakeholders – supports the ability to contain the impact of a potential cybersecurity incident.
Even if you don’t invest millions in each step, you should always envisage documenting and testing recovery procedures to restore key capabilities or services that could be impaired due to a cybersecurity incident. This allows for timely recovery to normal operations to reduce the impact from a cybersecurity incident.
To support each of these steps in the NIST Framework, many organisations adopt ISO 27001 Information Security Management Standards. This framework spells out the need to know your business and its requirements, and breaks down the activities in a continuous improvement cycle – the famous plan-do-check-act.
ISO 27001 includes a risk assessment process, organisational structure, information classification, access control mechanisms, physical and technical safeguards, information security policies, procedures, and monitoring and reporting guidelines.
Specific information security policies (called controls) are defined in Annex A to help organisations consider key aspects and define their own info sec policies adapted to their context and current capabilities.
But how much should you spend on cybersecurity? Who should oversee the implementation and monitor it? What is the right security program for my company?
The answers to these questions will be different depending on the size of your business and the degree of cyber maturity of your organisation. But a great first step is to assess your cybersecurity performance with an audit.
Vaultinum’s Cybersecurity Audit
It’s no secret that cybercrime is pervasive and that putting in place certain security measures is not only necessary but also very valuable for a business. The best way to gain a solid understanding of your cyber readiness is to use a cyber threat assessment tool such as the Vaultinum online assessment solution.
Like the name implies, this is an online self-auditing system, made up of a series of questionnaires which evaluate the core areas of a company – including cybersecurity. It works by gauging a company’s organisation and management from a risk, compliance and good practices standpoint.
It does this by reference to international standards and industry best practices and can identify a company’s strengths and weaknesses and provide real recommendations for improvements and guidance for addressing specific risks or weaknesses.
The Cybersecurity Online Assessment is divided into sections which look at an organisation’s cybersecurity practices in terms of:
- Data Management
The specific questions and recommendations were developed with several leading authorities in cybercrime with the aim of helping prevent cyber incidents from occurring and generally creating a framework for resilience. Moreover, it is designed to address the NIST functions that we have discussed earlier in this article.
Regardless of the cybersecurity self-assessment solution you choose, it should include the following features:
- Analysis of processes as well as infrastructure
- Be based upon one of the international cybersecurity frameworks
- A score with industry benchmarks to help you contextualise the results
- A summary report including short- and long-term fixes
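To make the NIST sequence from the expert advice above and the scoring-with-benchmarks feature in this list concrete, here is an added illustration (not Vaultinum’s tool, nor any code from the original article): a small self-assessment scorer that rates maturity per NIST function, compares it with a benchmark, and flags the “protect only” pattern the text warns about. The questionnaire, weights and benchmark figures are constructed for the example.

```python
# Added illustration (not Vaultinum's tool): scoring a self-assessment questionnaire
# by NIST CSF function and contextualising the result against a benchmark.
from collections import defaultdict

# The five NIST CSF functions, in the order the text says they should be tackled.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed questionnaire: question id -> (NIST function, weight).
# Answers are maturity levels 0 (absent) .. 3 (documented, tested and measured).
QUESTIONS = {
    "asset_inventory":     ("Identify", 2),
    "risk_assessment":     ("Identify", 3),
    "access_control":      ("Protect", 3),
    "patching":            ("Protect", 2),
    "awareness_training":  ("Protect", 1),
    "log_monitoring":      ("Detect", 3),
    "incident_plan":       ("Respond", 3),
    "stakeholder_comms":   ("Respond", 2),
    "backup_restore_test": ("Recover", 3),
}
MAX_LEVEL = 3

# Constructed industry benchmark (percent per function); a real tool supplies its own.
BENCHMARK = {"Identify": 60, "Protect": 70, "Detect": 50, "Respond": 45, "Recover": 55}


def score_by_function(answers):
    """Weighted maturity per function as a 0-100 percentage; unanswered counts as 0."""
    got, possible = defaultdict(int), defaultdict(int)
    for qid, (func, weight) in QUESTIONS.items():
        level = answers.get(qid, 0)
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{qid}: level {level} outside 0..{MAX_LEVEL}")
        got[func] += weight * level
        possible[func] += weight * MAX_LEVEL
    return {f: round(100 * got[f] / possible[f]) for f in FUNCTIONS}


def findings(scores, benchmark=BENCHMARK):
    """Gaps against the benchmark, the 'Protect only' imbalance, and where to start."""
    below = [f for f in FUNCTIONS if scores[f] < benchmark[f]]
    others = [scores[f] for f in FUNCTIONS if f != "Protect"]
    protect_only = scores["Protect"] >= 50 and max(others) < 25
    # Small gaps (<= 20 points) are short-term fixes; larger ones need a programme.
    short_term = [f for f in below if benchmark[f] - scores[f] <= 20]
    long_term = [f for f in below if benchmark[f] - scores[f] > 20]
    # The NIST order matters: the first lagging function in sequence is the next step.
    next_step = below[0] if below else None
    return {"below_benchmark": below, "protect_only": protect_only,
            "short_term": short_term, "long_term": long_term, "next_step": next_step}
```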
It is from these recommendations that you can then start building a solid cybersecurity foundation that will both protect your organisation and drive value for your business at the same time.