For years, cybersecurity at Prime Equipment Group was confined to strong firewalls and an off-the-shelf anti-virus/anti-malware package. After all, the privately held Columbus, Ohio-based manufacturer of poultry processing equipment, with annual revenues of $40 million and 150 employees, was relatively small. They were confident that their size and niche business would not interest cyber criminals. All that changed when they relocated into a much larger facility in June 2018 to address a growing backlog.
“We got some press on our fast growth, which raised our visibility,” says company president Joe Gasbarro. “Articles noted not just our new manufacturing facility, but also some of the disruptive technologies we were beginning to use.… Suddenly, we were on the radar screen for hackers.”
A barrage of both mass phishing and personalized spear phishing attacks ensued. “Just last week, I got an e-mail from one of the owners of the company asking for a ‘favor,’” Gasbarro says. “He wanted me to wire 30,000 euros from the remaining balance on a particular project to an account in Spain, to pay a vendor. It wasn’t unusual to forward money ahead of schedule, but it wasn’t common either. I mentioned the request to our CFO, who investigated and discovered the e-mail was a targeted spear phishing attempt.”
Days after talking with Chief Executive, Gasbarro forwarded another e-mail he had just received that appeared to be from a company officer. It asked that he click on a link to update the person’s contact information. His suspicions aroused, he called the officer, who confirmed the e-mail was fraudulent.
“Something I didn’t have to think all that much about in the past is now very much on my mind,” Gasbarro confides. “I’m worried mostly about our cash, but also about the theft of our design and engineering blueprints. I’m also worried about a disruption in business. We’re so busy we can’t afford one day down, much less two or three.”
Digital technology tools have been a boon for business, making operations leaner, more efficient and customer-focused. But the big downside is the growing cost of protecting the organization from their inherent security flaws. All corporate information security budgets are finite, making it imperative for CEOs to ensure that capital is properly allocated to mitigate the most important cyber risks.
This is far easier said than done. The list of defenses is formidable. Software measures alone include state-of-the-art firewalls, network security, anti-malware, anti-virus, identity management, access control, penetration testing, cloud security, intrusion detection, network monitoring, application security and endpoint security. Many companies also shell out to hire in-house information security personnel or outside expertise and to train their workforces to beware phishing and spear phishing attacks.
Slicing up this big pie into the right-sized pieces is delicate surgery. “Companies have trouble figuring out their optimal cybersecurity spend,” says Syed Ali, who leads Bain & Company’s cybersecurity practice. “Not just midsize companies, but even many large enterprises don’t look at cybersecurity in a top-down strategic manner to know where the money should go.”
Every Company is at Risk
Certainly, the need for more thoughtful budgeting has never been greater. A 2018 survey of 3,600 chief information security officers (CISOs) conducted by Cisco reported that nearly half of all cyberattacks cost victim organizations more than $500,000 on average. Those are the lucky ones: Eight percent of the survey respondents endured more than $5 million in direct and indirect costs and 11 percent suffered losses between $2.5 million and $4.9 million.
Small wonder that nearly six in ten companies in EY’s 2018 global information security survey increased their cybersecurity budgets last year. What is alarming is that the survey’s 1,200 respondents (a mix of CISOs, CIOs and other technology executives) say the budget increases are not nearly enough to fight a winning battle. An astonishing 87 percent say their budgets need to increase by at least 50 percent, yet only 12 percent anticipated an increase of more than 25 percent in the coming year.
While large enterprises arguably have more capital to spend on cybersecurity, midsize and smaller businesses at risk of attacks must also fund measures to fend them off and mitigate damage.
Take regional insurer Penn National Insurance. The company has sustained thousands of the fraudulent emails on a daily basis for several years, reports CEO Christine Sears. “Like all insurers, we have an enormous volume of customer data, making us a target,” she says.
These customers include both businesses and consumers, since Penn National provides a broad array of commercial and personal lines of insurance policies, including workers compensation, automobile insurance and various liability insurance products, among others. Data is the lifeblood of an insurance company, guiding underwriting and pricing decisions, as well as those involving claims administration and resolution. “We simply must have a very disciplined approach to cybersecurity, as our risk resilience is part and parcel of the trust that policyholders place in us,” Sears says.
Both Prime Equipment and Penn National recognize the dire threat represented by a successful and especially punishing cyberattack. Whereas Penn National has budgeted targeted capital resources to defend the organization for some time, Prime Equipment is just beginning to figure out the optimal defensive posture. “We don’t have a CISO, so we’re still studying where we can get the biggest bang for the buck,” Gasbarro says.
Slicing Up The Pie
This puzzlement is the norm in many companies, since there is no such thing as a cookie-cutter cybersecurity budget, where, say, 50 percent is allocated to software tools, 30 percent to hiring additional cybersecurity staff and 20 percent to workforce training. “The cybersecurity budget must be based on each company’s unique business strategy, which indicates which data needs to be protected the most,” says Carolann Shields, CISO at audit firm KPMG. “We evaluate how these risks apply to our known environment—which systems or data are more important that others, where those systems or data are located, and how they are accessed.”
Ali at Bain & Company agrees with this approach. “The most important question CEOs must ask their IT leaders is, ‘What is our highest priority in terms of the data we must protect?’” he says. “A pharmaceutical company might designate clinical trials data as its primary cybersecurity concern, whereas a manufacturer or an oil and gas company might decide to allocate the bulk of its security budget into strengthening the supply chain, and a healthcare company that’s highly regulated for patient data privacy might select this as the risk to focus on.”