Investment in Cybersecurity During a Recovering Economy

This blog was originally published by TokenEx.

Written by Alex Pezold, Co-Founder and CEO at TokenEx.

Over a year of economic uncertainty driven by the pandemic has led organizations to re-evaluate their budgets. If one thing is apparent, it is that investing in cybersecurity must be a top priority.

This global pandemic has personally impacted all of us in some way, and it has absolutely impacted business. Every organization—and every person, for that matter—has had to adjust to this reality. In fact, you’re probably reading this from the comfort of your own home and checking for vaccination timelines in between reading information like this.

TokenEx has seen and grown much these past 11 months. During that time, we’ve seen the number of ransomware, fraud, and data breaches skyrocket while we all jockey for positioning around how to secure our new normal. While there is an end in sight for the pandemic, the breach pandemic rages on.

A concerted focus on preventing the risks associated with ransomware, fraud, and data breaches—and corporate appropriations to support this focus—must be an ever-present conversation in the board room. Not only for the longevity of your company, but for the customers your company serves. Do not lose sight of the strategic imperative that is cyber investment.

Investment in Cybersecurity

I’ve been in business since 2009 and worked in the cybersecurity industry since 2002, and I’ve seen companies continue to cut investment in cybersecurity initiatives the moment economic instability surfaces. The reason is because it’s hard to justify the cost of investing in initiatives that do not aid in revenue generation or are not a core competency. It’s also challenging to gauge ROI for cybersecurity investment, so it can be difficult to see the positive side of this spend when cash is tight.

That’s understandable. Holding onto cash and only spending on initiatives that increase or stabilize revenues, improve competitive advantage, or sustain core competencies seem like sound strategies. But what they don’t account for is the cybersecurity risk they introduce.

The RLC Triad: The Ever-Present Force

The above being understood, realize this: During an economic downturn, your company’s risk, liability, and compliance obligations do not change. Given data’s value as a digital resource, companies are not getting rid of it. So if sensitive data remains, so too does the risk of it being stolen or otherwise exposed.

Moreover, the liability associated with stored data does not change either. If your company is attacked, the cost of a data breach is still the same. This can devastate companies already struggling to survive, and in some instances, it can shutter them.

Lastly, regulatory bodies do not care that the economy is down, and they make it very clear that companies storing sensitive data must always maintain compliance. The cost of compliance will remain constant, and if there is no continual investment in compliance-related functions, falling out of compliance is a realistic possibility.

Making the Mistake of Skimping on Cybersecurity

As we’ve established, during periods of economic distress, companies generally restrict spending and attempt to reduce costs. This cost reduction generally occurs in three ways: reductions in workforce, reductions in functions, and reductions in technology. However, these people, processes, and technologies represent fundamental elements required to execute a successful cybersecurity strategy. Not properly assessing the risk of cutting resources in these areas will leave an organization in a deficit that will be very challenging to overcome in the cybersecurity arena.

The truth of the matter is that to prevent a breach of your environment, every single security control must function properly 100 percent of the time. Any lapse in your systems or underperforming control leaves an opening for cybercriminals to exploit, which can lead to a breach or otherwise expose sensitive data. This is not to suggest that every last dollar should be invested in cybersecurity, but those responsible for financial decisions should understand that skimping on cybersecurity investment could very well result in a data breach that will be far more costly than maintaining an appropriate cybersecurity program and ensuring the technologies therein function effectively.

Cybersecurity as a Board-Level Priority

When communicating with your board, emphasize the risk of cost avoidance in cybersecurity. Use the information above as talking points and leverage recent data breach reports in your industry. If we are not learning from others, we’re missing an opportunity. It can also help to suggest risk-reducing alternatives for cybersecurity investment.

For example, rather than chasing the newest “next-generation firewall,” advocate for technologies such as tokenization that will minimize the risk of data theft. If the data is not in your environment, it’s going to be challenging for hackers to access it in the event of a breach. More pointedly, prioritize data protection over everything else and treat your data as your most valuable resource. Hackers certainly do.

History tells us that the economy is going to fluctuate. This is inevitable. History also tells us that when we don't value cybersecurity, breaches occur—as evidenced by the continual increase in data breaches every year. Invest in cybersecurity solutions that prioritize in protecting what hackers want: your data.

No data, no theft.