Cyber debt can be incredibly detrimental to a young or growing company and it’s all too easy to accrue. Businesses often fail to set up the proper security measures early on because they are deemed too expensive or time consuming. As people, technology, and devices are added to a business’s ecosystem, they are protected on a one-off basis — or not at all — leaving gaps bad actors can exploit. And because these businesses lack a security strategy, they’re also unable to quickly adapt to the changing threat landscape.
While it’s easy to understand why a fledgling company might think a robust security program is unnecessary, a duct tape and bubble gum approach leaves too many holes that then become more difficult and costly to repair as time passes. This commonly occurring phenomenon is a form of technical debt called cyber debt, and it creates a number of risks for companies large and small.
Types of risk associated with cyber debt
It’s essential for companies to build security into everything they do from day one; the risks of not doing so are simply too high. These are some of the most damaging.
1. Data breaches
This is perhaps the biggest risk associated with cyber debt. If security isn’t part of your overall strategy, the likelihood of compromise rises. Breaches stemming from cyber debt commonly trace back to:
- Your cloud environment not being properly secured.
- Third-party applications added to your environment without incorporating the appropriate security measures.
- Misconfigured databases.
…and the list goes on. These breaches are expensive. According to the IBM/Ponemon Institute Cost of a Data Breach report, the average breach in 2021 cost companies $4.24 million. In one of the largest breaches on record, a misconfigured web application firewall cost Capital One $80 million in regulatory fines and a further $190 million in a class-action settlement. And a single VPN account that lacked multi-factor authentication let attackers into Colonial Pipeline, which paid roughly $4.4 million in ransom and faced lawsuits on top of that, which brings us to the next risk.
2. Legal liability
If a breach occurs and the company is found to have been negligent, costly lawsuits are almost certain. Beyond the financial and reputational hit of litigation itself, founders and early investors can be named personally in negligence claims, which can be devastating for an SME that is still finding its footing.
Target, for example, paid $10 million to consumers and $39 million to banks over its 2013 breach, and in January 2022 Morgan Stanley agreed to a $60 million class-action settlement over data security failures. These figures come on top of any ransom paid, legal fees, and the cost of lost customers.
3. Reputational risk
When your company suffers a data leak, you lose your customers’ trust, and prospects are unlikely to sign knowing you do not properly secure customer data. According to an Aon Global Risk Management survey, data breaches not only hurt a company’s ability to attract and retain customers but can also drag down its share price. Capital One’s shares fell about 6% in the aftermath of the breach described above, and that is one of the milder outcomes: Aon reports that some companies lose 25% of their market value in the year following an attack.
Now imagine a smaller company that’s preparing to raise a Series A or B. If cyber debt damages its reputation, it will be scrambling to find investors.
4. Financial risk
Beyond the direct cost of a breach, cleaning up cyber debt is itself expensive. Replacing a cobbled-together set of point solutions with a coherent security program takes time and resources, and you may have to exit contracts early when tools bought on a one-off basis turn out to be incompatible with the enterprise-wide tooling you adopt to pay the debt down.
A Stripe survey found that developers spend as much as 33% of their time dealing with technical debt, and a CodeScene report estimates that development teams could improve feature delivery efficiency by at least 25% by managing their technical debt better. Multiply that by developer salaries and the numbers add up quickly, especially as the team grows. So although security practices and tools may feel costly early on, it is far cheaper to put them in place before the debt compounds.
5. Compliance risk
Depending on your industry, cyber debt also creates compliance risk. Healthcare providers, health plans, and their business associates must meet the security requirements set out in HIPAA, and any company that does business in the European Union (EU) or serves customers in the EU must comply with GDPR.
As more security and privacy regulations come into force, companies are forced to take a more deliberate approach to security. A lax attitude toward security and compliance, and the cyber debt that accumulates as a result, exposes your business to fines, whether they follow a breach or an annual audit.
6. Acquisition risk
For all of the reasons above, buyers now look closely at cyber due diligence when considering an acquisition. They do not want to inherit risk, cyber risk included; they do not want to pay to bring a new acquisition up to a reasonable security baseline; and they certainly do not want to face a lawsuit because they could not implement proper controls fast enough after the deal closed.
An acquirer in good standing with its customers will not risk its own reputation on a breach caused by your mistakes. So if you are preparing your business for sale, cyber debt can take you out of the running entirely.
7. Investor risk
Investors, like acquirers, now look closely at cyber due diligence, especially in growth-stage companies. Startups are more exposed here because they lack the reputation and credibility of an established organization seeking to be acquired, so a misstep can be fatal and the reason a deal falls through.
Investors may pass on a company carrying cyber debt because they know a breach can deliver a fatal blow to a young company. Dedicated security resources and established best practices demonstrate operational maturity and reduce the exposure investors would face in a data breach lawsuit.
How to avoid or eliminate cyber debt
Because the risks of cyber debt are so costly, the best strategy is to avoid it altogether by building a cyber defense and risk mitigation strategy from day one. Most SMEs will not have an in-house security team to lead that effort (nor would building one make sense at that stage), which is why many small companies partner with a managed security service provider (MSSP) to outsource the work.
Whether you’re a new company or one trying to pay off cyber debt, modern MSSPs can help you implement the tools, technology and strategies that will get your organization up to speed. SolCyber offers companies a carefully curated security tech stack and 24/7 coverage to ensure you’re fully protected from internal and external threats — and you can be up and running in weeks, not months. Our approachable team acts as your extended security arm and can help you avoid or pay down cyber debt fast. Drop us a line to learn how.