August 9, 2016

How Cost-Effective is Robust Cyber Security?

Posted by Dr. Ashutosh Saxena at 8:10 AM

I remember years ago sitting around a boardroom table when a senior executive was asked what measures he had taken to safeguard his email account and personal information on his computer. "None," he responded. "If someone wants to peer into my very boring and uneventful life, then all the more power to them."

Everyone around the table chuckled. This event took place before the widespread use of online banking, record-keeping, e-commerce, and social media, so what constituted online privacy even five years ago was a lot different than what it is today. Lately I've been thinking about that executive's remark against the backdrop of today's online technology. We live in an age in which a teenager in an eastern European country can hack into a global bank, or in which the owner of WikiLeaks decides to release emails, as in the case of the Panama Papers, where 11.5 million leaked documents detailing financial and client information for more than 214,488 entities went public.

I constantly wonder why large organizations are not doing more to build robust cybersecurity programs. The answer, I think, comes down to very basic economics. That is, it's cheaper to have an enormous data breach every now and then, especially if your company is insured against such breaches, than to spend resources on making it more difficult for hackers to infiltrate your company's system. If this is indeed the case, then I suspect such decisions are being made solely by CFOs and not by CMOs or CIOs. Both marketing and information technology chiefs know that data breaches go beyond just monetary costs. Breaches can be about losing the trust of your consumers.

In 2014, a combination of identity theft and online credit card hacking cost American businesses $1.7 billion. A worldwide figure is unavailable because of the complexity in trying to calculate such an amount, but we can assume the cost is staggering. In November of 2013, one of the most prominent of these cyber-thefts occurred: the retail giant Target was the victim of hackers who stole 40 million credit card numbers from the company's data banks. Equally high-profile was the Home Depot breach, in which hackers stole 56 million credit and debit card numbers and 53 million email addresses.

But here's what many people do not know: At the end of the day, the massive data breach at Home Depot cost the company $28 million. That might sound like a lot to you and me, but to a massive corporation like Home Depot, the amount is equivalent to less than 0.01 percent of the Big Box retailer's sales in 2014. It helped that Home Depot's insurance policy against a data breach paid out $15 million.

Internet governance and cybersecurity expert Benjamin Dean, writing in the online publication The Conversation, has studied these high-profile data breaches in depth and concludes that the actual expenses from breaches at Sony, Target, and Home Depot amount to less than one percent of each company's annual revenues. If you add reimbursement from insurance and figure in various tax deductions, the losses are even less. "This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed," writes Dean.

To that end, the American president, Obama, unveiled a new government entity called the Cyber Threat Intelligence Integration Center. Its mandate is to encourage private and public entities to share information about would-be hackers, although, according to Benjamin Dean's column, his fellow information security experts for the most part conclude that the formation of a new government agency will not reduce corporate data breaches in any significant way.

The onus falls on the private sector to be as innovative in fighting hackers as it is in developing products and solutions for its customers. To do so is not financially justifiable in the short run. But many a company that thought it could save money by battening down the hatches and riding out a storm (cyber or otherwise) has ended up going out of business. In other words, IT and marketing executives need to make the case to other company leaders that spending money on cybersecurity is a long-term investment that will pay off down the line.

Some companies are already making long overdue changes. American banks are finally issuing credit and debit cards with embedded chips, a security feature of cards that banks outside America have been investing in for years. The problem, of course, is that retailers in America are moving very slowly to invest in credit card machinery that can read the new cards - they still rely on technology that requires a swipe of the card's magnetic strip. The reason? The research firm Javelin Strategy and Research estimates the new cards and card readers to cost a combined $6.8 billion.

Still, your customers are digitally savvy and are watching your willingness to invest in such anti-hacking technology. Those enterprises that refuse to make the necessary investments risk losing money not only to hackers but to customers who decide to shop elsewhere.


Very well said. Nice informative article on cyber security.

This is Dr. Priti Puri from ETA Security track. I am also in the security field and I can relate very well to this article. It will be great if I can join cyber security awareness initiatives for our employees or if I can contribute to any research project on security, as I completed my doctorate in Cyber Security.
