According to the Cyber Security Breaches Survey 2024, approximately 50% of the 3500 organisations surveyed were targeted by various forms of cyberattack (phishing, hacking attempts, denial of service). Of this 50%, “over one in ten” experienced a loss of money or data as a direct result of cybersecurity breaches. This blog touches on the potential negative impacts of poor cybersecurity, and offers insight as to how good cybersecurity can positively impact a business’ bottom line, providing a return on investment.
Bridging the gap: Cybersecurity for non-technical decision-makers
If you were to talk to a hundred different cybersecurity professionals about what it is they do, and how they do it, you’d likely get quite a few different answers. Favourite tools differ from person to person, some people work on the defensive side of cyber, some people work on the offensive side, whereas others work in management. However, there is one thing that all of them will unanimously agree upon, especially those in more technical roles.
“Conveying the importance of security to those who don’t handle it daily can be difficult”
For a technical professional, security is everything. Uncovering vulnerabilities and ensuring that a company’s systems are as secure as possible are top priorities, since they are aware of how common it is for the risks associated with poor security to materialise.
To see just how easily a business can be compromised if it is directly targeted, check out this blog by Michael.
Michael’s blog is based on a penetration test that was conducted last year, where it was possible to brute force the login for a corporate VPN. When the penetration test report was delivered, the executives in the team understood exactly how important cybersecurity was. However, when that test was used as an example during consultancy for another business that hadn’t experienced a breach, the reaction from their head of marketing was understandably dismissive – a classic case of ‘if it ain’t broke, don’t fix it’.
Since they had never experienced a breach, proactively addressing cyber threats likely seemed like an unnecessary expense. However, there are some hard truths that non-technical executives ought to consider.
The non-financial consequences of a poor security posture
Take, for example, the NHS hack that occurred last June, where threat actors were able to deploy ransomware that caused massive delays, resulting in people not getting important bloodwork done. According to Bloomberg, this cyberattack resulted in ‘harm to dozens of patients, leading to long term or permanent damage to their health’.
Or take a look at Equifax: not only did they face fines large enough to bankrupt small countries, but their reputation has still not fully recovered, with some of the top results on Google after searching ‘Equifax’ being about the data breach.
However, not all breaches are as high-profile as those mentioned above. An SME that faces a similar breach is unlikely to be plastered all over BBC News like Equifax, and/or the data they handle may not be as sensitive as health data, so these examples may not be relevant to decision makers in those businesses.
More relevant to small to medium enterprises is the positive business impact of good cybersecurity practices, such as regular penetration testing and vulnerability management.
How Cybersecurity can add to the bottom line: An Example
Let’s imagine for a moment that you are running a successful agency. You have built up a positive reputation over time, and you care deeply about each and every one of your clients. Your agency has grown to a point where it is no longer feasible to track billing in an Excel spreadsheet you keep on your desktop, so you are looking for some kind of CRM/payment management software.
Two vendors approach you after you fill in some contact forms. They both cost the same, have similar UIs and do what they are supposed to, but Vendor A emphasises the importance of keeping your data safe. They employ regular penetration tests and vulnerability management, and are taking a proactive approach to security. Vendor B does not mention any of this, and when asked, simply states “We have never had a data breach, so we don’t need to focus on security”.
Which of these two vendors would you feel safer handing over sensitive client data to?
In this example, Vendor A is more competitive than Vendor B due to their proactive approach to cybersecurity.
How else can cybersecurity positively impact business?
While the above example may not be real, it does draw some parallels with real situations Resolute has seen with clients in the past! Below are some of the ways Resolute has enabled our partners to grow through the implementation of various cybersecurity controls.
Marketing benefits
When building a product/service to sell to clients, such as the CRM mentioned in the example in this section, a proactive approach to cybersecurity can lead to increased revenue through better marketability. This applies to any business where customer confidence and brand reputation are top priorities – accountancies, IT companies and financial institutions, just to name a few.
An example of a cybersecurity control that has a direct impact on the marketability of a firm is Cyber Essentials certification, which demonstrates a commitment to implementing basic cybersecurity controls designed to keep customer data safe.
Winning work/Investment
Sometimes, businesses require their suppliers to have had a penetration test, actively manage their vulnerabilities or meet regulatory standards such as ISO27001, or NIST if working with US firms. In this case, you can increase revenue by enabling your company to work with businesses that require a proactive approach to security. This may also make your business more attractive to investors.
Additionally, board engagement with cybersecurity is becoming increasingly prevalent, with 98% of large businesses reporting that “cybersecurity is a high priority for [their] senior management.” Therefore, a strong security posture may make your business more attractive to decision-makers at larger firms who need to manage their own risk.
Measuring twice and cutting once
Taking a proactive approach to security can also benefit a business down the line. As a business grows, it becomes a more attractive target to attackers, meaning that the risk of a breach increases. In order to reduce this risk, it may be necessary to implement advanced security tools. This can have large overhead/setup costs, which would have been mitigated if scalable solutions had been implemented earlier on.
Examples of two such services are Resolute’s 24/7 SOC and managed antivirus, which scale with your business to ensure that customer data and business continuity are protected around the clock, even as cyber threats evolve.
Conclusion
While many executives see cybersecurity as a cost-centre protecting against risks that may never materialise, taking a proactive approach can deliver strong cybersecurity ROI. It not only enhances a company’s marketability but also creates new avenues for business growth. Furthermore, implementing scalable cybersecurity solutions early on can reduce overhead/setup costs as a business grows.
If you’re interested in improving your business’ cybersecurity posture, consider a penetration test or security assessment. Not sure where to start? Contact Resolute for a consultation.