Many CEOs in small and medium businesses (SMBs) are increasingly having grave doubts about the money they are spending on information security. Almost every day, they wake to new headlines that scream of large companies that spend vastly more on security and are routinely being hacked to the tune of millions of records. Even the emails of prominent government officials are now making headlines every day. Even at last night’s final presidential debate, we were not spared. Did Russia hack the DNC? Where did WikiLeaks get their materials from?
The daily barrage is taking a toll. In this environment, the question these SMB CEOs are asking is: “Is our investment in security buying us anything? Are we going to be hacked anyway? How much money for information security is enough?”
Many are coming to the conclusion that, regulations notwithstanding (HIPAA, PCI, SOX etc.), doing the minimal amount to show due diligence is perhaps all that is needed, and frankly all that is affordable. They are not looking to increase information security budgets – rather, they are inclined to cut these budgets.
The conundrum here is that no matter how much is spent, those responsible for information security cannot guarantee that hacking will not occur. In fact, as John Chambers of Cisco and others have pointed out, there are only two types of companies: those that know they have been hacked and those that don’t know that they have been hacked. The takeaway: we are hacked anyway!
So in this paradigm, some CEOs are resigned to the prospect of the inevitable hacker lurking amidst their data. Their hope is that this is a benevolent hacker.
A benevolent hacker steals, but not enough to put the company in the headlines. This narrative seems to have another benefit for these companies, because if breaches are discovered, they would need to disclose them to clients, the press and even the authorities. In a bizarre way, not looking hard enough may be buying them deniability. You don’t have to disclose what you don’t know – even if everyone seems to acknowledge that it is probably happening.
The assumption that safety may be proportional to the dollars spent is becoming an increasingly difficult sell. Some companies are building breach losses into their planning, maybe even buying some cyber insurance, but not ramping up security spending. In the end, they hope this will be cheaper than spending large amounts of money on information security that is likely to be compromised anyway.
At the SMB level, the information security towel may already have been thrown into the ring. The hope is that “No Más” will engender benevolence. Time will tell.