Security Is Expensive: The Concern of Small-Scale IT Providers
Small-scale IT providers are a bit hesitant to implement cybersecurity thoroughly because of the cost. This blog post gives a brief insight into what might happen as a consequence.
“Always make sure that your system is secure!” That ‘dreadful’ message plays on repeat for software developers and network infrastructure designers. I get it; it is a bore and a chore to get it done. Moreover, it is relatively expensive to get it done, especially when hiring a security consultant. But I can tell you what is even more costly: trying to repair the damage inflicted by successful attacks. Let’s look at some figures. IBM reports that, as of 2020, the average cost of a breach for companies is $3.86 million. For ransomware attacks, the average cost to businesses is at least $100,000, with a corresponding average downtime of 19 days. As for phishing attacks, at least $10,000 is lost every minute, with ransomware attacks occurring every 11 seconds against businesses daily. Before anyone says that such statistics are relevant only to big companies, I should also point out that, as of 2019, online attacks on small businesses constitute 43% of all online attacks, and 86% of those businesses cannot defend themselves.
As a developer, one might say, “I bought an SSL certificate to secure communications with my system, so that is enough to protect me from any form of attack.” Unfortunately, that is not the case: there are many ways to attack a system, and an unsecured session is only one of them. Attackers can fuzz your system (be it a mobile/web application or a network) for vulnerabilities before they launch an attack. So, there is no such thing as enough security; one must be thorough. Security should be addressed in the software development lifecycle for applications and in the network design for network infrastructure.
In terms of time and money, security is costly to implement; however, it is more expensive to regain lost reputation and trust, and many companies have failed to survive after being compromised. You may be a small-scale developer or a network engineer with only small-scale clients, but you are more than likely to use similar designs for most of them. Thus, if one system is compromised, the compromise could extend to all of them. The initial cost of security may be high, but it might be relatively cheaper when added on as the system expands.
Which one would you rather be part of, 86% or 14%?
Kwasi is a Research Assistant at the Canadian Institute for Cybersecurity (CIC). He has worked on projects with CIC's industrial partners such as Siemens and IBM. Prior to joining CIC, he worked for 10 years within the telecommunications industry. Cybersecurity topics that he is interested in are Trust in Smart Grid, Smart Grid Security, and Security in IoT and Fog Computing.