Bosses are reluctant to spend money on cybersecurity. Then they get hacked

Preventing a cyberattack is more cost effective than reacting to one - but many boardrooms still aren't willing to free up budget.
Written by Danny Palmer, Senior Writer

Many businesses still aren't willing to spend money on cybersecurity because they view it as an additional cost – and then find they have to spend much more cash recovering from a cyber incident after they get hacked.

Cyberattacks such as ransomware, business email compromise (BEC) scams and data breaches are among the key issues businesses face today. Yet despite the number of high-profile incidents and their expensive fallout, many boardrooms are still reluctant to free up the budget needed for the cybersecurity measures that would stop them becoming the next victim.

The cost of falling victim to a major cyber incident like a ransomware attack can be many times more than the cost of investing in the people and procedures that can stop incidents in the first place – something many organisations only fully realise after it's too late.


"Organisations don't like spending money on preventative stuff. They don't want to overspend, so a lot of organisations will sort of be penny-wise and pound-foolish kind of places where they wait for the event to happen, and then they have the big expense of cleaning it up," Chris Wysopal, co-founder and CTO of cybersecurity company Veracode, told ZDNet Security Update.

It's then that they realise that they could have spent less if they had prevented the attack, he said: "A lot of organisations are going through that right now".

For example, an organisation might end up paying millions of dollars to ransomware criminals for the decryption key for an encrypted network – then there's the additional costs associated with investigating, remediating and restoring the IT infrastructure of the whole business after the incident.

"Just the ransoms that organisations are paying, if they don't have cyber insurance, could certainly pay for a lot of cybersecurity professionals. And cyber-insurance rates are going up, so it's getting more expensive across the board for organisations because of the threat," said Wysopal.

Even for organisations that do have a fully fledged cybersecurity strategy, training, hiring and retaining staff can still pose a challenge because of the high demand for employees with the required skills.

The supply-and-demand problem isn't going to be solved overnight. While Wysopal believes long-term investment in cybersecurity is vital, he says there are additional measures that can help get more people with cybersecurity skills into the workforce and so protect organisations from attacks.

"One thing I would like to see is cybersecurity become part of every IT or computer science student's training, so that they had some understanding of cybersecurity as a professional, whether it's building and managing systems in an IT environment or building software," he explained.


If IT or development staff have at least some understanding of cybersecurity, that can help organisations, particularly smaller ones that might not have a big budget.

"I'm really pushing for that to be part of the curriculum and I've been working with a few colleges to make that part of the computer science curriculum," Wysopal said.
