Is Cybersecurity Training a Good Investment?
Simply said… Yes. Yes, it is.
Our modern world is highly dependent on internet-connected technology. From medicine to energy infrastructure, both public and private organizations rely on computers doing as they are told without hindrance or delay. The scale at which technology is woven into the fabric of daily modern life is staggering. And the threat landscape is growing and evolving alongside it.
In 2017, Warren Buffett stated that cyber risk was one of the biggest threats to humanity.[i] He was right. Cyberattacks are launched hourly against targets of every size around the world. Modern cybercriminals are sophisticated, well trained, well-funded, and often state sponsored. No one is immune, and the cost of being hit with a cyberattack can be monumental. If organizations want to survive and thrive, investing in cybersecurity training isn’t just a good idea. It’s mission critical.
The enemy never sleeps
In the field of cybersecurity, conditions on the ground can change on a day-to-day basis. Threat actors’ tactics, techniques, and procedures (TTP’s) are constantly evolving. And in order to effectively combat cyberattacks, professional cyber operators must engage in continuous training to maintain their skills.
Cybersecurity training is like fluency in a foreign language. Without constant practice, the skills will fade with disuse. And while seminars and one-time training sessions are an important part of cybersecurity education, they aren’t enough. In order to be effective during a cyberattack, cybersecurity professionals have to train just as hard as their adversaries.
“Learn once” is a legacy message. Cybercriminals practice all the time, and security professionals must do the same!
Risks of neglecting cybersecurity training
A budget-minded individual might make the case that cybersecurity training can be a major investment, and the risk of damage due to cyberattacks is minimal. After all, major companies get hacked all the time, and they’re still in business, right? However, the full consequences of a data breach can be devastating. Here’s a brief overview of some of the risks involved.
Cybersecurity training costs money. But the cost of neglecting that training can be even more severe. According to the Ponemon Institute’s Cost of a Data Breach Report 2019, the global average total cost of a data breach is $3.92 million dollars.[ii] For companies in the United States, that number is even worse: the average American data breach costs $8.19 million. That’s the equivalent of losing over $22,000 every day for one year.
And the pain doesn’t stop there. A cybersecurity incident can continue to cost money for years after the initial attack. Of the companies studied by the Ponemon Institute, 67% of breach costs on average were accrued in the first year, 22% in the second year, and 11% of costs occurred more than two years after a breach.[iii]
Cybersecurity breaches don’t just hurt the company coffers. They can lead to legal repercussions as well. In the case that a lawsuit or insurance claim arises as the result of a cyberattack, an organization’s cybersecurity training – or lack thereof – will likely be questioned. If the company is found negligent, the penalties can be severe at both a federal and state level. As of 2019, 31 states had enacted cybersecurity-related legislation, covering a broad swath of industries and sectors.[iv]
Intellectual property theft
Cybercrime is big business, and intellectual property is an attractive target for criminals. A company’s intellectual property is its crown jewels. And while intellectual property breaches aren’t always as widely reported as other types of cyberattacks, they are every bit as harmful. Ramifications of intellectual property theft can include loss of property, loss of competitive advantage, loss of market share, and even risks to national security.
For some companies, recovering from an intellectual property breach has been shown to be impossible. Once their intellectual property has been stolen, it is impossible to control who accesses, trades, and benefits from it. In a rapid development market, clones of products can be made faster than ever. Not only is the money invested in R&D gone, clones at lower costs are a real theat to market share and long-term company profit. When a company is robbed by cybercriminals, their intellectual property is typically sold and cybercriminals profit.
Loss of public trust
One of the longest-lasting and most pervasive forms of damage caused by a cyberattack is the loss of public trust. Reputational damage is difficult to quantify, but impossible to ignore. And providing a year’s worth of identity theft protection coupled with a statement assuring that “we take cybersecurity seriously” doesn’t go very far with angry consumers.
Trust is difficult to build and incredibly easy to lose. In the corporate realm, that loss can lead to loss of customer relationships, increased insurance premiums, and public scrutiny and shame. In the military sphere, mission readiness and international cooperation may be irretrievably damaged. And in the political arena, a loss of public trust can lead to national instability.
Investing in cybersecurity training
No industry is bulletproof against cyberattacks, and preparedness is key to mustering an effective response. The return on investment of cybersecurity training comes in the form of stability, security, sanity and reduction of hidden costs (retention, morale, knowledge transfer). When professionals are equipped with the skills and expertise that they need to be effective in a crisis, they can succeed.
Organizations considering the value of cybersecurity training should consider the costs – both financial and intangible – of neglecting it. Warren Buffett was right: cybersecurity is serious business, and cyber threats cannot be ignored.
The good news is that it’s never too late to remedy the risk and invest in cybersecurity. The future of your organization just might depend on it.