We’ve all seen the news, if not experienced it directly: Layoffs. Budget cuts. Fiscal conservatism. In the “new normal” (albeit a temporary one) of high interest rates and stubborn inflation, preparing for the worst is the responsible thing to do. 

But put those facts in the context of the current threat landscape, as evidenced by all the recent high-profile hacks and incidents, and the action items are not what they seem. If there is any single investment area that should be exempt from that policy, it’s cybersecurity–because in that case, preparing for the worst by cutting budgets can be a self-fulfilling prophecy. In fact, there is plenty of evidence that companies already spend too little on cybersecurity, and that cutting or even maintaining cybersecurity budgets in 2023 is going against the grain of industry peers. Even the U.S. Federal government is spending more money on cybersecurity this year, including $2.9 billion for the Cybersecurity and Infrastructure Security Agency (CISA)–a 12% increase–and $1.6 billion for the National Institute of Standards and Technology (NIST), a 33% increase.

Short-Term Pain, Long-Term Damage

There’s an old proverb in cybersecurity: “It takes 20 years to build a reputation, and a few minutes of a cyber incident to ruin it.”

We can probably all agree that we’re living through the worst Cybersecurity Crisis in history with respect to the threat environment: Gartner predicts that by 2025, nearly half of all software supply chains will suffer an attack, a 3x increase from 2021. Even worse, the talent needed to address it is as scarce as ever.

The short-term cost of a breach is well understood: The average cost of one was $4.35 million last year, and the global cost of cybercrime is estimated to hit $10.5 trillion annually by 2025. But the costs only start there. Outside the immediate tactical fixes and uplift and remediation costs associated with patching the root cause of a breach, also consider the ones with a longer tail:

  • Long-term brand damage. Don’t discount the long-term and accelerating impact of a breach on brand and reputation as measured by stock price. A 2021 study of 34 public companies that had suffered a breach found that one year later, their share prices had underperformed NASDAQ by -8.6%. After two years, they underperformed by -11.9%. And after three years, the figure was -15.6%.
  • Regulatory fines. Fines can be extremely expensive. As a result of its 2019 breach, Equifax agreed to pay at least $575 million in fines as part of a settlement. T-Mobile collectively paid $350 million as part of a settlement following a 2021 breach. The list goes on.
  • Legal fees. The cost of defending or settling lawsuits is hard to quantify because that information is always private, but anyone who has ever hired an attorney can do the math there.
  • Insurance impact. The average cost of cybersecurity insurance in the U.S. rose 79% in Q2 2022, after more than doubling during each of the previous two quarters. A breach can lead to an even more expensive premium at best, and outright cancellation at worst. 

Reject Unacceptable Risk

In summary, the cost of cutting investments in cybersecurity is not only risky in the short term, but in the long term, as well. And given the current threat and fiscal environments, that hardly seems like a risk worth taking.