Is It Possible to Calculate the ROI of Cybersecurity Investments?
Apr 18, 2023
In 2022, there were 103 billion attempted attacks on Brazilian companies, according to data from Fortinet, an increase of nearly 20% over the previous year. The sustained growth of attacks in recent years means the question is no longer "if" a company will face an attempted attack, but "when".
In this context, when it comes time to implement initiatives to mitigate the risk of these cybercrimes, many managers struggle to justify the investment in cybersecurity. Traditionally, investment decisions are guided by Return on Investment (ROI), which weighs the financial benefits and gains against the cost of the investment. In information security, however, the perspective of Return on No Investment (RONI) is also important: the cost of not investing. Exposure of sensitive data can have severe consequences, including loss of confidentiality, integrity, and availability of information, direct breach-handling costs, regulatory fines, litigation, loss of customers, and reputational damage, all of which can carry a significant financial impact.
4 Reasons to Consider RONI Instead of ROI
Prevention Is More Cost-Effective Than Remediation
According to the "Cost of a Data Breach" report published by IBM, the average global cost of a data breach was $4.35 million in 2022. This amount includes not only direct remediation costs, such as forensic investigation, notification of affected customers, credit monitoring, and identity protection services, but also indirect costs, such as lost business, reputational damage, litigation, and fines.
Investing in the prevention of information security incidents is generally cheaper than remediating the damage caused by a breach. Appropriate security measures, such as automated monitoring for security vulnerabilities, intrusion detection systems, encryption, security policies, and security awareness training, reduce the likelihood of an incident occurring at all, and avoiding an incident costs far less than absorbing its financial consequences.
The Value of Your Company Is Tied to the Data It Holds
Data is a valuable asset for organizations, including customer information, intellectual property, business strategies, and financial information. The loss or compromise of these assets can have significant financial and competitive consequences.
Therefore, when considering investments in information security, it is crucial to ask: What is the financial impact of losing my company’s data?
The Reputational Cost of an Attack Could Be the End of a Company
The reputation of a company is a valuable intangible asset, built over time through relationships with customers, business partners, and the general public. A cyberattack can undermine stakeholders' trust in the company's ability to protect their data and information, resulting in financial losses due to:
Loss of Customer Trust: A cyberattack may expose sensitive customer data, such as personal, financial, or medical information. Customers whose data has been exposed may feel unsafe and be unwilling to trust your company again.
Damage to Brand Reputation: Negative exposure on social media, in the press, and within the markets in which your company operates can harm your brand.
Increased Communication and Public Relations Costs: An incident may require a swift and effective communication response from the company to mitigate reputational damage and manage public perception.
Impact on Partnerships and Business Contracts: A cyberattack may affect the company's relationships with business partners, suppliers, and customers, resulting in the loss of contracts or partnerships.
LGPD Fines Can Reach R$ 50 Million
The resolution regulating the administrative sanctions of the General Data Protection Law (LGPD) was published by the National Data Protection Authority (ANPD) on February 27, 2023. Resolution No. 4 establishes categories of minor, medium, and serious infractions and sets out the method for calculating fines for violations of the law, which can reach R$ 50 million per infraction (the LGPD itself caps a simple fine at 2% of the company's revenue in Brazil in its last fiscal year, up to that R$ 50 million limit). In practice, this was the final step needed before offenders could be held accountable.
Investing in information security, especially in initiatives such as preventive monitoring of security vulnerabilities, helps remediate flaws that, if left unresolved, could lead to data leaks and, consequently, to LGPD fines.