In an ideal world, we would all have unlimited funds to spend on defending our businesses against cyber threats but sadly, although improved, the mentality surrounding cybersecurity is still that it is a low priority, particularly among small-medium sized enterprises. This is largely due to the misguided assumption that their size makes them insignificant to hackers and an attack is so unlikely that there is no need to waste valuable funds on robust security solutions. But small businesses still hold sensitive data that hackers will seek out and often they are used to access a wider supply chain, as we’ve seen with major supply chain attacks like that of Target, in 2013.
This is why establishing a cybersecurity budget is essential for any business and a crucial job for IT leaders is to work out how to spend that budget in a way that best serves the business and offers it sufficient protection. Getting this task right can be challenging, especially with threats evolving daily, but the best approach is first establishing where your unique risks lie as an organisation and focusing your budget here.
So how do you assess this risk and quantify it?
To understand your risk areas, you’ll want a comprehensive overview of your current situation – what data is there, where is it located and who has access to it? Classifying data into groups and identifying how sensitive it is will ensure your budget goes towards protecting the biggest sources of vulnerability. For more quantitative data, you can work out the probability of an attack and what the business losses would be as a result of it. Financial losses can occur due to operational downtime, loss in sales, repairing reputational damage or even legal and regulatory fines. Once you’ve established what the business impact would be for each bit of data if compromised, you’ll have a clearer idea of how to apply your budget. This quantitative data can also be very helpful when looking to secure your cybersecurity budget from the C-Suite and other stakeholders in the first place, as you can demonstrate what level of investment would be optimal for the company.
Your organisation’s risk exposure will largely guide the way with your budget spend, but it’s important to also have an understanding of the general threat landscape as there are usually common trends and threats on the rise at any given time. For example, 2021 saw a massive 105% surge in ransomware attacks, so a focus on malware protection would have been logical when distributing your security spend. CISOs and IT leaders can also look to industry frameworks like NIST, Cyber Essentials or ISO, which provide clear models for good cybersecurity and allow businesses to identify their gaps and weaknesses. This can be an effective place to start for businesses needing firmer security foundations and a bit more direction as they shape their priorities.
There are arguably key aspects of security that there will always be a need for as evidence continually points to these being critical areas of vulnerability for companies, and as such they should be included in every budget. Unpatched devices are regularly exploited by hackers, so investing in a good patch management solution is likely a wise spending decision. Similarly, with human error still the number one cause for cyber attacks, security awareness training is another sensible investment for businesses. If employees can identify key threats and understand security best practices, the risk that they will unwittingly facilitate a cyber incident can be largely reduced.
Of course, not everything has to cost money. Building this culture of cybersecurity awareness in the workplace can be as simple as encouraging your workforce to report suspicious activity, be wary of phishing links and, wherever possible, confirm any big payments to avoid fraud – all this can reduce a lot of risk and potential damage for your business. With credential leaks often a big part to play in cyber breaches, good password health is also crucial and doesn’t need to cost a lot. Creating a password policy to guide employees, enabling multi factor authentication on devices and applications and using a password manager (there are many free options available) are all things that can benefit your security strategy.
There is no perfect solution for spending your budget effectively but being smart with your approach and considering all angles with key business goals in mind will set you on the right course. A thorough risk assessment and identification of all your company assets can give you the bird’s eye view you need to help determine your priorities, but keeping an eye on current trends and threats should also inform your spending decisions. As your business and the threat landscape changes, regular monitoring and reevaluation will be necessary so you are always spending in line with business requirements, and of course if you are the unfortunate victim of an attack, it can be treated as a learning opportunity. Reflecting on causes and investing in solutions to address them so an attack doesn’t happen again is at least one positive outcome of any incident.