Last summer, J.P. Morgan Chase suffered a significant cyber breach of its corporate servers that affected approximately 76 million households. Very bad news and no longer an unprecedented event for a major financial institution. Then, two things happened the following fall that are very interesting when considered together:
- J.P. Morgan Chairman and CEO James Dimon told a panel discussion audience at the Institute of International Finance that his bank would double its cybersecurity spending over the following five years.
- PwC released its latest Global State of Information Security survey that noted that spending on information security fell four percent during a period in which cyber attacks against companies increased 48 percent.
The Challenges are ClearAs someone who wears two hats at Guidance Software—interim CEO and CFO—I understand the concern with cost management in a challenging business climate. IT costs in general are often uncomfortably large, and they seem to go up at the whim of vendors and industry analysts to very little measurable return on investment.
But I have found myself wondering more than once in the past five years whether the last 20 years of curbing IT security spending has left us as executives—and our companies—exposed. The Target breach has cost the company $162 million so far. That’s higher than the 2014 average reported on in the latest Ponemon Institute report, which says breaches cost companies around $3.5 million, up 15 percent from the 2013 average.
As CFO, I know that we have to make smart spending choices to stay competitive—no question about it. But as CEO, I understand that the potential consequences of a data breach are dramatically higher than they were five years ago. The legal defense costs and potential awards of class-action lawsuits, the capital costs of remediation, potential regulatory fines, and the damage to corporate reputation add up in a way that should give every board of directors and C-suite dweller pause.
Smart Spending Means Adding a Line ItemSpending on information security should be one of the highest budget priorities on any executive’s list. But smart spending is key. As hacks like those in the past year have taught us, no matter how many bricks you add to your firewall, only one of us inside the firewall (the human perimeter) has to click on a phishing email link or leave a login and password sitting around and all of that perimeter security money was for nothing. Companies have to be watching their network endpoints (laptops, mail servers, point-of-sale devices) for strange activity – the behavior that is outside of normal for that endpoint—in order to see problems as they develop—and before the critical data leaves the premises.
In other words, if you’re not investing equally in endpoint security as on perimeter security, you’re not fully covered. Meet with your IT and information security teams. Ask them whether they can see when something unauthorized is happening in the locations where your sensitive data is stored. Then revisit the budget and add a line item for endpoint security.