[Not if, but] Why invest in cybersecurity?
When decisions are made about investing in cyber defence, who plays the major role: decision makers or tech experts? Actually, both, and each will have an indisputable argument that fits their needs.
Cyber threat awareness is much better than it used to be. Whoever is interested in the subject can find and hear tons of evidence of financial damage caused by cyber-attacks. That's what is stressed first: consequences. Either the money was stolen directly from the company, or the company suffered damage due to, e.g., a production outage or reputation loss. More and more often we even hear that somebody we know or do business with was a victim of a cyber-attack. Many other cases we will never find out about, as this is a subject that nobody wants to brag about. It is understandable! However, the more we share experiences, the better protection we can achieve.
The exact amount of financial damage caused by attacks is impossible to know, because right now someone, somewhere is under cyber-attack. However, there are estimates that companies worldwide lost around $6 trillion in 2021 and that the amount will hit $10.5 trillion by 2025. And look at the number of breaches (https://www.itgovernance.co.uk/blog/data-breaches-and-cyber-attacks-in-2021-5-1-billion-breached-records#:~:text=to%20data%20breaches.-,Overview,same%20period%20(20.1%20billion)). In Croatia alone, according to the PricewaterhouseCoopers (PwC) survey from 2018, one out of 3 companies had already suffered some kind of attack. Today, we can assume there has been a significant increase since then. Of course, not all of these attacks had catastrophic outcomes; they have been anywhere on the scale from "annoying" to "significant financial loss".
At the same time, IT and security experts warn you about different cyber threats and vulnerabilities every day. Some of them we don't even know how to pronounce (Log4j, really?). So naturally, you may ask yourself how real these threats are for your company. What should you dedicate your budget to? What will be your responsibility in case your company suffers a cyber-attack? Even if you have a CISO (Chief Information Security Officer), cybersecurity somehow still ends up as your responsibility, as if you didn't have enough other important things to care about.
Despite all these warnings and real-life examples, many still live in hope that cyber-attacks happen to somebody else (hope you are not a part of the statistics). They think they are too small to be interesting to attackers or that they don't have any valuable data. And after all, we come from a small country that does not play any significant political role, so why would anybody try to attack us, right?! So how much should you, as an executive and decision maker, care about cybersecurity?
Cyber threat is a risk, ok? But how big a risk? A really big one, a huge, an enormous one! Another PwC survey, the 25th Annual Global CEO Survey released in January this year (https://www.pwc.com/gx/en/ceo-agenda/ceosurvey/2022.html), states that more than 4,400 CEOs surveyed worldwide see cyber risk as the biggest threat to growth, followed by health risk and macroeconomic volatility. I know, this is a survey. It is not scientific proof that your company will be attacked. However, if we can learn anything from historic data, then we can be sure cyber risk is getting bigger and bigger. So, what can you as a decision maker do about it?
First, you must accept there is no 100% protection from cyber threats. It is a never-ending game between the bad and the good guys. However, with the proper combination of tools, expertise and processes you can bring this risk to the minimum. What the "proper combination" is depends on your current security posture. Finding this ideal combination will always be a work in progress. Your company is operating in an ever-changing online world where new threats appear every day. This puts even more stress on you, as you have to spend your budget wisely, on the most important things. Don't forget that tech experts and management have to sit down together. Only with such cooperation and mutual decisions will you go further, step by step, to reduce risk to a minimum.
How to identify the most important things for making your IT and OT environment secure from cyber threats and vulnerabilities will be covered in the following articles.