Cybersecurity, Policies and Training

The Trickle Up and Trickle Down of Business Cybersecurity

Cybersecurity breaches are technical by definition. But they can also be measured in dollars and cents. And in the end, most business cybersecurity attacks are traceable to unwitting people within your organization. Many breaches are caused by sloppy habits and a pervasive lack of employee cybersecurity education.

Ironically, consumer awareness of cyber risks is on the rise. Many of your employees have internalized the most important rules of protecting themselves against identity theft. Some of them have gone so far as to purchase identity theft protection. The number of companies offering identity protection services has increased steadily over the past decade. Sometimes identity theft protection is offered as a free benefit when consumers use other products and services, such as banking and credit cards.

According to Fortune Business Insights, the value of the identity theft market is projected to grow from $11.39 billion in 2022 to $27.90 billion by 2029, no doubt because such personal protection has become increasingly affordable: ID theft insurance can be purchased for below $50 per year.

Corporations Aren’t People

As a business owner or cybersecurity specialist, the task of protecting your business from cyber threats is much more challenging than it is for individuals. As a business, you don’t have one identity: potentially, you have millions. They’re called customers. And it’s not just much more complicated for you to operate responsibly. It’s far more expensive, too.

A Look at Cybersecurity Spending

According to Deloitte, one of the foremost global risk analysis and advisory firms, the average business spends about 10.9% of its total IT budget on cybersecurity. Network infrastructure, software licenses, consulting services, and computers for employees make up the lion’s share of IT spending. That amounts to about 0.48% of a business’s annual revenue. Most cybersecurity experts believe businesses should spend far more, given the level and types of risks out there and the financial costs of every individual breach.  

What Are the Costs of Cyber Breaches?

Businesses have to weather both direct and indirect when they are victims of a cyber breach.  Let’s look at the costs from a direct cost perspective. In 2020, a Ponemon Institute study revealed that a single data breach cost companies an average of $3.86 million. In 2022, that figure rose to $4.2 million. Experts do not expect an end to this upward trend. The larger your business, the more you stand to lose per breach. And for small to midsize enterprises (SMEs), the direct costs of a breach can be devastating or even deadly. Direct costs may include the expense of hardening your company’s cybersecurity system, paying fines, and resolving lawsuits filed by customers.

The indirect costs of a cyber breach are more difficult to measure. Customers lose trust in companies that expose their data. Brand trust and “goodwill” are major business drivers and critical to customer retention. It’s never entirely clear after a data breach how much business a company loses in the form of customers abandoning their brands. Nor is it easy to measure the negative effects of word of mouth, particularly in an age when customers rely heavily on published reviews before choosing a product or company.

Many companies spend millions of dollars on marketing communications, lowering product pricing, and offering promotional discounts aimed at earning back customer trust. They decide the expense of doing so is worth it when compared to the cost of losing wounded customers entirely.

Where Should You Be Spending Your Cybersecurity Dollars?

Cyberthieves target your company from within. Most cyber breaches can be traced back to the actions of one careless or poorly educated employee. So at the most basic level, your company’s security depends on education and cybersecurity rules enforcement. Each time you onboard a new employee, he or she should be taught the fundamental rules of cybersecurity. Harsh as it may sound, employees who fail to follow these rules repeatedly should be dismissed:

  • Choose strong passwords
  • Never share your passwords with anyone
  • Don’t write your passwords down anywhere
  • Change your passwords frequently

Education is one of the least expensive investments in cybersecurity you can make. You can also limit your risk without investing a lot of money by considering these best cybersecurity practices:

  • Only collect the amount of information you require to deliver an excellent customer experience. Just the must-haves, not the nice-to-knows. 
  • Provide data access on a need-to-know basis. If your employees don’t need a piece of data to meet their job expectations, they shouldn’t be able to get their hands on it. As employees move through your organization and their job duties change, their access to different types of data should change, too.
  • Ideally, you should rescind data access before you actually dismiss an employee. Disgruntled employees who continue to have data access can spell big trouble for your business.
  • Use the best password management tool you can find—the one that forces employees to practice excellent password hygiene.
  • Any time you add a new application to your data stack, make sure it includes the highest security standards. Avoid creating a “weakest link” in your data chain. Keep all applications and databases on par with one another when it comes to cybersecurity. And set the highest standards you can while you’re at it.

End-to-End Cybersecurity Is Critical

Customers expect you to protect their personal data from step one in the customer journey. Do a good job of that and they’re likely to trust you and step deeper into your business. Achieving maximum customer engagement with your brand is a slow process that builds with each safe interaction with your company.

When designing your cybersecurity platform, make sure it integrates all of your business functions. Robust cybersecurity systems, at a minimum, feature gold-standard encryption, identity verification that meets all legal requirements for your industry, and multi-factor identity authentication.

Depending on the type of business you do, you may need to incorporate electronic signature capabilities into your system. Malware and virus protection are also a must. Protection should be activated on every employee’s personal computer. Smaller companies that don’t have the internal resources to design and implement robust systems typically outsource these functions.

Button Up: It’s the Law

Poor cybersecurity can cost you—big time. Some costs are easy-to-measure ways while others are less tangible, as we’ve discussed. But it’s also important to recognize that there are laws that govern how businesses must protect customer data.

Violating these laws—which actually consist of hundreds of disparate regulations passed by the legislative branch of government and administered by multiple federal and state agencies—can result in additional costs, including serious fines. Your cybersecurity strategy should take all of these regulations into consideration. Your cybersecurity budget should be ample enough to account for all of your legal responsibilities.

Staying on the right side of these regulations is no small feat. Everyone in your organization has a role to play in implementing your cybersecurity strategy. And every employee has a financial stake in your strategy, too.

By some estimates, 60% of small businesses close within six months of suffering a cyberattack. Seen from that perspective, cybersecurity equals job security for your employees. It’s incumbent on business leaders to make sure all of their employees understand this vital connection between cybersecurity and a business’s resilience and success.

Susan Doktor, a journalist and brand strategist with more than 30 years of experience working for businesses of all sizes, wrote this article on behalf of She writes about a wide range of topics, including personal and B2B finance.

Leave a Reply

Your email address will not be published. Required fields are marked *