Persuading board-level decision makers to invest in cyber security was a key issue that was raised at Lifeline IT’s recent ‘IT Risk’ roundtable.

Attendees said the challenge was making a case for their organisation to allocate or increase expenditure on preventable measures, which have no immediate positive impact on a company’s revenue.

Explained Daniel: “This is something we frequently come up against and at the roundtable it was an issue senior leaders grappled with. Businesses often have other priorities they want to spend on, and preventative measures are something that, on the face of it, don’t appear to be adding any immediate value.

“But once a company realises how much it could potentially cost them if they don’t do these things, they realise the benefit. Seeing how a cyber attack could cause potentially catastrophic financial and reputational damage really does focus the minds of decision makers.”

Making the business case for investment to protect against cyber and IT risk can be quantified in financial terms on a sliding scale, for example:

• A cyber attack/data breach that prevents the company operating/trading for 1 day will cost the business £xxxxx (add in average daily revenue figure). For 3 days this increases to £xxxxx.
• If this cost of lost business/revenue is considerably more than the proposed IT/security costs, then it validates the need for investment.
• In addition, there is the damage to the brand/business’ image/reputation if the organisation is unable to trade.
• There is also the ‘when’ factor – an attack is a question of when, not if. especially with the acceleration and adoption of new technologies, such as AI.

Presenting a tangible cost to justify the financial case for cyber security investment is vital in getting businesses to understand why it is essential. In summary, it should be seen as an investment in the organisation, not just protecting against risk.