With cyberattacks remaining a very real and persistent threat for companies of all sizes, it seems incomprehensible to security experts that companies wouldn’t implement stringent cybersecurity controls. Unfortunately, the reverse is true. In late 2020, a Gartner report found that the average cybersecurity budget among firms surveyed was less than 6% of their overall IT budget. Disconcertingly, that figure was lower than in 2019.
Furthermore, security and risk management spending in all categories, from cloud security to data security and beyond, is anticipated to grow by just 12% in 2021. Add to that the fact that a 2020 report found 51% of U.S. small and midsized businesses do not have an ongoing cybersecurity best practices training program.
Frankly, we at Novatech are flabbergasted, given that the same report found 25% of firms share best practices only via email, and a scant 18% conducted annual training. (On the plus side, 20% are performing vulnerability testing, but that figure is still surprisingly low.)
Cybersecurity Is a Bargain, Compared to a Data Breach or Hack
We find this situation lamentable, given the cost of a data breach or other security incident. Bank of America Corp. certainly discovered that earlier this year, when a judge ordered the organization to change its practices — and compensate employees for their suffering.
In the case of Yick v. Bank of America, 21-cv-00376, U.S. District Court, Northern District of California (San Francisco), a group of disgruntled Bank of America customers filed a class action lawsuit against the financial behemoth citing 10 causes of action. These unemployed customers, who were receiving public benefits, contended they were left unable to buy food when their prepaid debit cards were hacked. According to the suit, the bank made matters worse by treating them like criminals — and in some cases, hitting them with overdraft fees.
U.S. District Judge Vince Chhabria found that account holders suffered “irreparable harm,” writing in his decision: “Just as companies can establish irreparable harm by showing that losing money will likely cause them to shut down, human beings can establish irreparable harm by showing that losing wages or benefits will likely cause them to be evicted, go hungry or be denied necessary medical care.”
Although the final price tag for Bank of America is unknown at this time, the loss of public trust will likely be incalculable.
Regulatory Agencies Take Cybersecurity Seriously, Too
In June 2021, the Securities and Exchange Commission (SEC) issued its first-ever penalty to First American Financial Corporation for following deficient cybersecurity practices. Without admitting or denying the SEC’s findings, the real estate settlement services firm agreed to a cease-and-desist order and to pay a $487,616 penalty.
According to the SEC’s order, on the morning of May 24, 2019, a cybersecurity journalist notified First American of an application vulnerability that had exposed more than 800 million images, including images containing sensitive personal data such as social security numbers and financial information.
First American issued a press statement that evening and furnished a Form 8-K to the SEC on May 28, 2019. However, senior executives responsible for these public statements were not fully apprised of the vulnerability, timing or magnitude of the resulting risk. As a result, the SEC and company investors also were not adequately informed. The New York Department of Financial Services (NYDFS) followed up with its first-ever cybersecurity enforcement action.
These are just two examples among many in which organizations’ monetary penalties and other negative consequences far exceed the cost of cybersecurity protection. Additionally, these figures don’t even include the cost of lost reputation. If this article has given you pause, we urge you to schedule a complimentary consultation with the security experts at Novatech. To get started, call 800-264-0637 or visit https://novatech.net/contact-us/ and click on Live Chat to initiate a discussion.