Many hospitality companies are struggling with the question of how much to spend on cybersecurity, especially in the context of revenue losses related to the pandemic. The challenge is that the risk of cyberattacks is rapidly escalating. There are several drivers of this alarming trend. First, ransomware is growing in severity, both in the scope and scale of attacks and in the size of the ransom demand. Next is the increase in remote work during the global pandemic and the rush to enable working from home. Finally, small companies are increasingly targeted because they are seen as "easy" victims and are typically more vulnerable.
As you might expect, the cost of cybercrime increased more than 50% from 2019 through 2020. According to a report by McAfee¹, the global cost is estimated at more than $1 trillion, with monetary losses estimated at $945 billion. Hidden or intangible costs that are difficult to measure include system downtime, reduced efficiency, brand damage and loss of trust. Direct costs that are easier to measure include consultant services, legal fees and cyber risk insurance premiums. Below is a chart published in the McAfee report that illustrates this trend.
According to the Verizon 2021 Data Breach Report², most cyberattacks continue to be financially motivated, and organized crime is the No. 1 threat actor. The prevalent types of attacks include:
- Ransomware - a denial of service/operations attack that often also includes a data breach
- Business Email Compromise (BEC) - often involves funds transfer fraud
- Computer data breach - theft of personal data such as cardholder data, social security numbers, driver's license numbers, passport numbers and details, etc.
What is the best way to go about budgeting for cybersecurity risk? As a starting point, be sure that you have a qualified information security professional managing your program of work. Regardless of the amount you spend, a knowledgeable and experienced cybersecurity professional can make well-informed judgments about spending priorities.
There are three well-established strategies that can be used together in combination. Each strategy has advantages and drawbacks, and relying on a single approach is not recommended. Each is described below.
STRATEGY A: Key Ratios of Spend
The first strategy is to look at key ratios of cybersecurity spend: as a percentage of total IT spend and as a percentage of total annual revenue. This is a widely used benchmark and will definitely flag underspending. If your spend is less than 5%, it is critical that you follow the additional strategies described below to ensure you are not at a high risk level. The pitfall of this strategy is that the spend may be misdirected toward the wrong measures, leaving gaps in essential tools while overspending in other areas.
The average spend on cybersecurity across industries is 6% - 14% of the annual IT budget and 3.2% of annual revenue. Experts are now recommending a 10% increase in cybersecurity spend for 2022, based on the shift to employees working remotely and other IT infrastructure changes driven by the global pandemic.
In calculating cybersecurity spend, be careful not to lump in normal IT operating expenses. However, be sure to include not only the payroll cost of staff dedicated to cybersecurity but also professional services such as pen testing, managed security services, etc. If cybersecurity is not already a separate budget, consider separating it into its own category so that it can be tracked easily.
STRATEGY B: Gap assessment
Another strategy is to assess the current cybersecurity program and identify any gaps. This is an effective approach, but it is more time consuming and requires selecting an established security standard as the yardstick. The ISO/IEC 27001 standard and the US NIST SP 800-171 framework are well suited for this purpose. You may want to consider third-party professional services to perform this assessment, but staff members who hold a security management certification such as CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor) or GISP (SANS Institute GIAC Certified Information Security Professional) are qualified to do this type of work.
This type of assessment should review and address these questions:
- Are there adequate resources with the necessary skills?
- What are the current tools and technologies in use and are they properly implemented and maintained?
- What is the governance process and level of engagement at the executive level and across business functions?
- Is there a balance in provisioning preventive, detective and responsive risk controls? Similarly, what is the relative strength of administrative, physical and technical controls?
- Is there cyber risk insurance coverage and does it have exclusions or specific requirements for coverage payout?
STRATEGY C: Focus on Compliance
A third and final strategy is to focus on information security compliance. An advantage of this approach is that it produces audit reports with specific, actionable recommendations to address deficiencies. When findings are remediated in a timely way, this documentation can demonstrate that appropriate measures are in place, which in turn limits legal liability. The downside of this strategy is that compliance requirements lag about 3-4 years behind evolving cyberattacks, leaving a company vulnerable and with some exposure.
It is important to note that in the area of compliance for hospitality, PCI-DSS compliance is not the only relevant requirement. Examples of other compliance requirements are CMMC, the Cybersecurity Maturity Model Certification (for companies that have contracts with US government agencies); ISO/IEC (International Standards Organization) 27001 (for companies that do business internationally); and SOC 2, a voluntary compliance standard for service organizations developed by the American Institute of CPAs (AICPA). In addition, compliance with data privacy regulations usually includes a major cybersecurity component. The US HIPAA (Health Insurance Portability and Accountability Act) regulation includes a comprehensive Security Rule. Likewise, the GDPR (General Data Protection Regulation) includes security requirements that protect personal information against unauthorized disclosure and alteration and preserve its confidentiality. GDPR is an EU privacy law that applies to everyone doing business with EU citizens, whether as customers, employees, suppliers or partners, because certain types of personal data are normally collected in these relationships.
What about Transfer of Risk with Insurance?
It is important to note that buying cyber risk insurance is not sufficient on its own as an overall strategy, although it is an important part of a cybersecurity program for reducing the impact of highly probable risks. Cyber risk insurance contracts are evolving and complex. Unfortunately, many companies have experienced disappointing and frustrating claim rejections because of policy details that had not been closely reviewed and understood. According to the GB&A³ insurance brokerage, the common reasons for denial of claims include:
- Failure to maintain minimum and adequate security standards.
- Exclusion of any PCI fines and assessments.
- Limits on ransomware and requirements for adequacy of risk controls.
- Exclusion of social engineering schemes.
As your budget plans are set, step back and check them against these recommended best practices for allocating a cybersecurity budget. Priorities should address compliance, ongoing risk assessments including pen testing, ongoing security awareness training for end users of technology, and security reviews of new business initiatives. More details on allocating the cybersecurity spend can be found in an article published by TechTarget⁴.
1 "The Hidden Cost of Cybercrime" by Zhanna Malekos Smith and Eugenia Lostri, James A. Lewis (Project Director), McAfee, December 2020
2 "2021 Data Breach Report", Verizon, June 2021
3 "Avoiding the Most Common Cyber Insurance Claim Denials", GB&A Insights online
4 "Cybersecurity budget breakdown and best practices" by Ashwin Krishnan, TechTarget, December 2020