Investing in Cybersecurity

October 2019

While boards may be fatigued by years of cybersecurity and data privacy alarm, the reality is that risks are only growing in complexity while scrutiny from regulators continues to heat up. The costs of cybersecurity failures, too, remain significant. According to Juniper Research, cybercrimes have already accounted for $2 trillion in losses in 2019.
 
Not only must companies protect their most valuable assets—like their customer data, intellectual property and trade secrets—but they must also consider how bad actors could disrupt their operations or supply chains and cause financial and reputational harm.
 
Over the past several years, security has rightfully become a bigger line item for expenditure. A vast majority of directors (83%) say their company has increased cybersecurity investment in the past year. Micro/nano cap companies are the most likely (30%) to report no investment in cybersecurity in the past year, compared to 15% of small cap and just 6% of large/mid cap companies. On average, companies are raising cybersecurity spending by 9% annually, according to Juniper.

Chart of companies investing more in cybersecurity

But investment is only part of the solution. It’s critical that management and the board be well-versed in their company’s digital risk profile, mitigation and response efforts. Only 24% of board directors say that they are highly familiar with their company’s data breach response plan, and 39% say they are only somewhat or not at all familiar with it.

Chart of organizations' familiarity with their data breach response plan

Awareness of the cyber response plan must be considered table stakes, as almost a quarter of board directors (23%) surveyed said that their own company experienced a cybersecurity breach in the past two years. In 2018 alone, there were 1,244 reported data breaches in the U.S., according to cybersecurity firm Varonis. The clock is ticking for companies that claim they have not had, or are not yet aware of, a cyber breach affecting them. Companies that think they are not at risk are likely wrong.
 
Developing a threat-based cybersecurity strategy—including risk assessment, viable response planning and active, ongoing monitoring—must be a multi-departmental effort, with strong input and oversight from the board.

Chart of organizations experiencing cybersecurity breaches during the past two years