The R&D Tax Credit Aspects of Cyber Security

By , , and

        Recent cyber-attacks on sovereign nations and corporations alike have demonstrated how porous network security can be. For businesses, the fallout from a cyber security breach can have disastrous consequences including shattered reputations, criticism from shareholders, lawsuits, regulation penalties, and negative publicity.

        These cyber attacks are becoming more prevalent, forcing organizations to realign their security priorities and take a comprehensive approach to cyber security.  R&D tax credits are available for companies developing and integrating cyber security technology.

The Research & Development Tax Credit

        Enacted in 1981, the Federal Research and Development (R&D) Tax Credit allows a credit of up to 13 percent of eligible spending for new and improved products and processes. Qualified research must meet the following four criteria:

  • New or improved products, processes, or software
  • Technological in nature
  • Elimination of uncertainty
  • Process of experimentation

        Eligible costs include employee wages, cost of supplies, cost of testing, contract research expenses, and costs associated with developing a patent. On December 19, 2014, President Obama signed the bill extending the R&D Tax Credit for the 2014 tax year. As of this writing, proposed tax extender legislation would extend the tax credit through December 31, 2016.

Network Security

        Network security  is comprised of multiple layers of security and involves any activities that protect the usability, integrity, and safety of a network and its data. Multiple layers are necessary to defend from an array of threats and to ensure that if one layer fails, others will hold. BBC reports that on average, companies use 75 separate defense systems to maintain their networks.  

Common network work security components include:  

  • Anti-virus and anti-spyware
  • Firewalls to block unauthorized access to networks
  • Intrusion prevention systems (IPS) to identify fast-spreading threats
  • Virtual Private Networks (VPNs) to provide secure remote access

        Network security is comprised of hardware, software, and an IT security policy. An organization’s IT security policy is essentially the company’s rules on how to ensure security and integrity of data. Without administrative support, the IT security policy will lack the clout necessary to be effective. The policy could be perfect but destined to fail if no one in the organization follows it.

        This leaves room for cyber criminals, hacktivists, and cyber organized criminals, to embarrass, steal customer information, disrupt operations, destroy property, destroy business, and cause widespread disruption and destruction.

        The most common threats to a network include viruses, worms, trojan horses, spyware, adware, zero-day attacks/zero-hour attacks, hacker attacks, denial of service attacks, data interception, and identity theft.

Short Comings of Network Security

        Business, not-for-profits, and government organizations are all vulnerable to potential hacking. Over the past two years, Premera Blue Cross, Anthem, Chick-fil-A, Sony, USPS, Staples, JP Morgan, and many others have been compromised. The recent decrease in computing costs has made it more economical for cyber criminals to execute an increasing number of automated cyber attacks. The increase in attacks coupled with organizational use of antiquated network security systems sets the stage for future breaches of colossal proportions.

        A large number of companies have neglected to keep their security systems current, which has made them highly vulnerable.  The network security systems of many organizations rely on outdated technologies that depend on multiple layers of protection, comprised of products from various manufacturers. Predominantly, these products are designed to defend against one specific threat.  Since these products are produced by a multitude of manufacturers in isolation, they end up not communicating well with one another; similar to how PC software and hardware is not compatible with one another.

        This lack of communication prevents the automation of security systems and forces network security to be manual in nature, therefore, susceptible to automated attacks. Humans simply cannot keep up with the speed and efficiency of an automated attack.

        A superior approach would be to have all elements of a security system work in unison. Due to Moore’s Law the cost of computing is expected to maintain its downward decent for the foreseeable future. Subsequently, the number of automated hacks is expected to maintain its upward trajectory. The only viable option to maintain network security is to increase the computing power needed to conduct a cyber attack, therefore making cyber attacks a costly endeavor. To accomplish this, organizations will have to invest heavily in automating their network security in coming years.

The Cost of Network Breaches

        Cyber attacks are becoming so prevalent that some companies are experiencing multiple attacks in rapid succession. Talk Talk Group, a telecommunications company has been hacked three times in the past year. Private information of up to four million customers may have been compromised during Talk Talk’s last cyber attack. This is particularly alarming since Talk Talk has not definitively verified that all of their customers’ data was encrypted. Encryption enhances network security by making information indecipherable without the necessary inscription key. Encryption is quintessential to network security and should never be overlooked. The cyber attack could cost Talk Talk over $37 million.

European Penalties & RegulationCyber Security

        The recent uptick in data breaches has spurred governments to introduce regulation requiring corporations to take cyber security threats more seriously. Europe looks to implement the toughest regulations, requiring companies that experience a data breach to potentially face fines of up to 5 percent of global turnover or €100 million, whichever is greater. Companies will have to drastically increase their network security efforts or potentially face crippling fines. 

        Cyber security threats must be managed however, many professionals believe preventing 100% of cyber attacks is not possible. If this is the case, many companies operating in Europe could be paying these substantial fines in the near future. Regulation should focus more on punishing companies that are negligent in protecting customer data. Arguably, a company that invests heavily in network security and is still breached should not face the same consequences as a company that makes no effort to ensure network security. The bottom line: U.S. companies spend millions in annual cyber attack costs and increasing network security is in their best interest.

Social Engineering & Network Security

        An organization’s network security is only as strong as its weakest component. However, humans are usually the weakest link, and unlike other elements of a network security system, humans cannot be easily switched out and replaced.

        In 2011, the U.S Department of Homeland Security ran a test to see how hard it was to compromise workers in order to gain access to an organization's computer systems. In the test, computer discs and USB thumb drives were dropped inUSB Flash Drive parking lots of government buildings and private contractors. Of the workers that picked them up, 60% plugged the devices into computers.  When official logos were printed on the devices, 90% of workers installed the drives and CDs. If these devices had malware on them, the likelihood is high that it would have infiltrated the network. 

        Education is essential in preventing data theft due to social engineering attacks. If the workers in the Homeland Security test were informed of the potential dangers of installing an unknown device on a company computer beforehand, the percentage of the devices installed would have been much less. The workers probably did not consider the device as a potential threat; they were most likely just curious as to whom the CD or USB drive belonged to.

Increased Social Media

        Businesses should also be aware what information they are releasing through verbal communication and social media. Social media allows social engineers to gain a treasure trove of information that can be used to obtain more valuable information. Hackers often research employee’s profiles for personal information which allows phishing attacks to be more successful. For example, if a hacker sees that an employee is a golf enthusiast, that hacker might send that employee an email containing malware disguised as promotion offering free tickets to a golfing event. The worker is more likely to forget or neglect security protocols when distracted by potential free tickets to one of their favorite activities.

        Companies should also write up an IT security policy that outlines the assets criminals are most likely to target and come up with protocols that will protect those assets. It is paramount to ensure that these policies are enforced otherwise they will be irrelevant.

        Employees should also be aware that a compromised work computer could also include personal information. This will give them a stake in security. IT policies should also cover what types of information are safe to share. Employees need to ask themselves when giving out information “Does this person deserve to know this information?”

Organizational Structure

        The cost associated with potential fines and data breaches is compelling banks to work together. Trade bodies like the Financial Service Information Sharing and Analysis Center with 5,500 members are being created with the sole purpose of sharing information about security threats. Companies are also hiring professionals from government agencies as well as contracting out network security entirely to private firms.

        The responsibility of network security cannot be completely exported to private firms. Companies should keep in mind that although private firms possess the efficacy to improve network security, their ability to ameliorate security is contingent on company employees following IT security policies.

        Effective cyber security involves executive leadership to create corporate strategy and policy, business management to develop actionable procedures and guidelines and system managers for implementation. Equally as important is the communication between departments the development of a feedback loop to assist in constant improvements. This loop will also allow executive leadership to determine if they should stay the course or to reevaluate their strategy. This cohesion of management allows network security to improve steadily and keep up with dynamic threats.

External Weaknesses to Network Security

        While seeking the easiest way to access a network, hackers will look for weak links in the supply chain. There are many ways that an organization’s supply chain can be compromised; the two most common ways are Adversarial Supply Chain Operations To (ASCO To) and Adversarial Supply Chain Operations Through (ASCO Through).

I.    ASCO To directly targets the organization whereas ASCO Through uses an organization’s supply chain as means to target one of its customers. These threats make it necessary for organizations to work together with all the vendors in their supply chain to preserve network integrity.

II.    Third party outsourcing is another vector where retail chains’ network security can be compromised. The 2013 Target Corp data breach where the personal information of 70 million customers was compromised is a perfect example of how an organization can be brought down by the actions of a third party service provider. The breach started with a phishing attack on a HVAC company that had access to Target’s external billing and project management portals. The attackers successfully installed key logging malware and made their way into Target’s system where they were able to infiltrate customer databases and POS systems.

        The breach was likely caused by a failure in the  free anti-malware software that the HVAC company was using.  This unfortunate event illuminates the necessity to vet network security systems of potential third party contractors. This event also demonstrates the usefulness of implementing a compartmentalized approach to data sharing. Did the HVAC company really need access to all the data in Target’s external billing and project management portals?

        To further avoid data breaches as a result of third party negligence, terms that allow the organization to audit the third party’s security systems should be set in place. This will help motivate third party contractors to keep security as a priority.

Retail Stores Are at Risk

        The large volume of transactions that retail stores experience makes them a prime target for cyber attacks. The bank account and credit card data that is created during these transactions can be used to defraud a large pool of people.
        One interesting factor regarding retail is that the success of retail companies is one of the major reasons why they are so susceptible to data breaches. Globalization has allowed for the
creation of impressive, multinational retail companies that rely heavily on information sharing to be successful. This has lead to networks designed with an emphasis on efficiently disseminating information instead of network security.

        It is essential for retailers to know exactly where customer data is being stored. Many times customer data is stored in multiple locations. It is crucial to determine how sensitive data is being accessed, handled, and secured. This can be challenging especially for retail companies that have the capability to look up customer information from any retail outlet.

        Retailers must also recognize that data at rest on laptops, and other mobile devices are vulnerable too. Encrypting all data that is at rest will mitigate the damage caused from losing a laptop.

        In addition, implementing traffic monitoring software will help to ensure that data encryption policies are being maintained.

Technology Initiatives

        Universities are at the forefront of cyber security developments which will protect organizations from cyber threats.    

        The migration to cloud storage and the access of that data from mobile platforms make sophisticated passwords a necessity. Carnegie Mellon University recognizes this, and has teamed up with Northrop Grumman Corporation to develop the next generation of passwords for mobile technology. Developments include password technologies that use sensors and rely on behavioral patterns. Sensors  on a device will be able to monitor user behavior, for example how a user picks up and handles a device. This kind of behavior is unique, making behavioral characteristics passwords highly secure and irreproducible.

        Carnegie Mellon is also developing biometrics  for secure authentication systems. Biometrics is being leveraged to measure and analyze the unique physical traits of individuals in order to determine clearance level for data access. The focus now is to improve image acquisition and image quality in iris and facial recognition authentication systems. 

        Many people will be wary of adopting new authentication systems if they demand more time than entering a conventional password. The development of robust segmentation algorithms will be necessary to reduce the amount of time needed for biometric readers to segment an iris image and determine if a user is entitled to security access.     
        Big data analytics  is becoming an essential tool in managing evolving cyber security threats. Organizations are now using big data analytics to gather and analyze massive amounts of data to gain insights, which can help predict and stop cyber attacks. Big data allows organizations to monitor abnormalities and suspicious behavior.  For example, an alert can be raised when a user attempts to access data that they normally would not access or if they attempt to access data at unusual times or locations.

        Artificial Intelligence  and machine learning are being used in tandem with big data analytics to increase network security. It is expected that these technologies will help to discover a least 25% of breaches by 2018. Machine learning is be using by some companies to detect behavior changes in employees. These changes in behavior can even be used to determine if an employee is getting ready to leave a company with sensitive data.


        Cyber criminals are more capable than ever of permeating network defenses. The days where companies invested minimally in network security is a vestige of the past. The development of administrative controls, as well as the collaboration between businesses and governments alike, will play a major role in the abatement of cyber crimes.  Federal and state R&D tax credits are available to help stimulate and support companies developing and implementing new cyber security technologies.

Article Citation List



Charles R Goulding Attorney/CPA, is the President of R&D Tax Savers.

Peter Saenz is a Tax Analyst with R&D Tax Savers.

Andrea Albanese is a Manager with R&D Tax Savers.

Similar Articles
The R&D Tax Credit Aspects of Blockchain for Supply Chains
The R&D Tax Credit Aspects of Physical Security Technology
The R&D Tax Credit Aspects of Driverless Cars
The R&D Tax Credit Aspects of SaaS Start-Ups
The R&D Tax Credit Aspects of Emotion-Recognition Technology
The R&D Tax Credit Aspects of AI in the Insurance Industry
The R&D Tax Credit Aspects of Emerging AV Trends
Enhanced R&D Tax Credits for Specialized Co-Shared Spaces
Ethereum's Impact on Digital Contracting Creates R&D Tax Credit Opportunities
The R&D Tax Credit Aspects of Geofencing
The R&D Tax Credit Aspects of Distribution Center Automation
The R&D Tax Credit Aspects of Law Firm Artificial Intelligence
The R&D Tax Credit Aspects of Avionics
The R&D Tax Credit Aspects of Telemedicine
Federal Government Provides Faster Approvals and Tax Credits for Consumer FinTech Products
The R&D Tax Credit Aspects of Voice-Activated Software
The R&D Tax Credit Aspects of Artificially Intelligent Hedge Funds
The R&D Tax Credit Aspects of LiDAR
The R&D Tax Credit Aspects of Educational Technology (EdTech)
The R&D Tax Credit Aspects of Cyber Security Start-Ups
The R&D Tax Credit Aspects of Construction Industry IoT
R&D Tax Credits Provide New Opportunities for Artificial Intelligence Start-ups
The R&D Tax Credit Aspects of NYC Start-Ups
The R&D Tax Credit Aspects of Virtual Reality Technology
The R&D Tax Credit Aspects of Water Analytics
The R&D Tax Aspects of Artificial Intelligence Robo-Advisors
The R&D Tax Credit Aspects of Natural Language Processing (NLP) Innovation
The R&D Tax Credit Aspects of Video Compression Technology
The R&D Tax Credit Aspects of Automated Coding
The R&D Tax Credit Aspects of Payment Technology
The R&D Tax Credit Aspects of Restaurant Technology
R&D Tax Credits and the Second Wave of Cloud Adoption
The R&D Tax Aspects of Data Storage Startups
The R&D Tax Credit Aspects of Mobile Applications
R&D Tax Credits for the Modern Insurance Industry
The R&D Tax Credit Aspects of the Internet of DNA
The R&D Tax Credit Aspects of Modern Dental Labs
The R&D Tax Credit Aspects of IoT Communication
The R&D Tax Credit Aspects of Bitcoin and Blockchain Technology
The R&D Tax Aspects of Near Field Communication
The R&D Tax Aspects of the New FDA Mobile Apps Requirements
Tapping the Power of Big Data and R&D Tax Credits for Utility Companies
The R&D Tax Credit Aspects of the Medical Software Industry
The R&D Tax Aspects of Computer Enabled Human Identification
The R&D Tax Credit Aspects of New York City's Engineering Education and Googlization
The R&D Tax Credit Aspects of Software Modeling Analytics
The R&D Tax Aspects of Cameras of the 21st Century
The R&D Tax Credit Aspects of Network Security
R&D Tax Aspects of DNA Identification
R&D Tax Credit Aspects of Cyber Security and Homeland Protection
Financial Product Trading Platform Artificial Intelligence R&D Tax Credits
The Internet of Things Creates R&D Tax Credit Opportunity
The R&D Tax Credit Aspects of Mobile Banking Applications
The R&D Tax Credit Aspects of In-Image Advertising
R&D Tax Credits for Hybrid Call Centers - Airline, Hotel, and Car Rental Industries
The R&D Tax Aspects of Advertising Science
The R&D Tax Aspects of Data Science
R&D Tax Aspects of Radio Frequency Identification
The R&D Tax Aspects of Advanced Driver Assist Systems
The R&D Tax Aspects of the Internet of Residential Things
The R&D Tax Aspects of Web Television
R&D Tax Credit Aspects of Medical Robotics
R&D Tax Credit Aspects of Industrial Robotics
R&D Tax Credit Aspects of Service Robotics
Yes Alice, Patents and R&D Tax Credits Remain Available for the Internet of Things!
How Salesmen Can Use R&D Tax Credits to Sell Today's Software Products Engagements
The R&D Tax Aspects of Cloud Computing
The R&D Tax Credit Aspects of Hybrid Call Centers for Health Insurers
The R&D Tax Aspects of Robot Software
The R&D Tax Aspects of Machine-to-Machine (M2M) Innovation
The R&D Tax Aspects of Financial Technology Services
Beacons Create R&D Tax Credit Opportunity
The R&D Tax Credit Aspects of Retail Technology
The R&D Tax Credit Aspects of Improving Virtual Reality Technology
Now Every Business is a Software Business
Gig City Startups and R&D Tax Credits
The R&D Tax Credit Opportunities for Mobile Devices
The R&D Tax Credit Aspects of Wearable Technology
The R&D Tax Aspects of Big Data
R&D Tax Credit Fundamentals
Los Angeles Tech Boom Creates Large R&D Tax Incentive Opportunities
The R&D Tax Aspects of Software Development