I came across the photo above when browsing Reddit, and while it's meant to be funny, it accurately shows how most companies approach information security.
In 2016, over 15 million Americans had their credit cards, passwords, and social security numbers stolen in hacks that targeted Yahoo, Sony, JPMorgan Chase, Target, and others. The total losses account for more than 16 billion dollars. With that kind of money on the line, why don’t companies invest more in their cybersecurity?
The simple answer is that companies have little to no financial incentive to do so.
In the Target data breach of 2013, hackers stole 40 million credit card numbers and Target spent $250 million investigating the breach, repairing its network, and settling lawsuits with affected customers. After they took advantage of the tax reductions for companies victimized by cybercriminals and their insurance settlements, the total cost of the data breach for Target was $105 million. That is less than 0.1% of their total annual revenue for 2014.
Sony’s 2014 breach, which was supposedly perpetrated by North Korea, resulted in a cost of just $25 million for investigation and fixing their network. That is 0.4% of their total sales for 2014. They ended up making far more than that, since the hack became free publicity for The Interview.
In short, companies would much rather just pay out damages after a breach instead of investing heavily to prevent the breach in the first place.
EDIT: It was brought to my attention that I didn’t fully explain what a cybersecurity solution entails that makes it so expensive. Usually it includes an Intrusion Prevention or Detection System, paired with security monitoring to detect exploits of vulnerabilities. It often also includes training employees to be mindful of information security and changing their workflows to include these new policies. This can often increase the time it takes to accomplish tasks and reduce productivity, costing the company time and money and leading to the increase in costs.