Last year, I wrote about the three most important things businesses need to do to protect themselves against cyber threats. In this blog post I’m going to discuss how to develop a cyber security budget in an economy that is leaving many departments’ budgets somewhat barren: a budget that doesn’t break the bank and gives enough flexibility to provide your business with sustainable protection from cyber threats.
Two of the most common questions I’m asked are “How much should I spend on cyber security?” and “What percentage of my IT budget should I spend on cyber security?” My answer: it varies. There is no one-size-fits-all answer I can give you. Many variables influence how much organisations should spend on cyber security, e.g. how many and what types of devices your employees use to share information, your corporate structure, and how well informed your employees are about cyber security threats and how to prevent them.
Clouds rain data
Advances in technology have fundamentally changed how we live and work, and as a result a huge proportion of employees across most industries now have company data stored and exchanged via personal devices, predominantly smartphones. While continuing advances in technology, such as cloud computing, are increasing productivity in the workplace, they are also increasing vulnerability to attack.
Inefficient cloud security makes for an easy entry point into your business data. Furthermore, cloud-based technology is fundamentally different to, for example, viral entry points. This means that cloud-based services require specific security systems capable of integrating with other systems, and these should have their own budget. How much? Again, there is no one answer: it depends on how much of your business data is cloud-based.
Some companies are management heavy and some are coal face heavy, and this will affect how much you need to spend on cyber security. Typically, management layers will have more access to company data than coal face employees. Therefore, the more top-heavy an organisation, the more you will need to spend on cyber security, especially if you capture, store, and share personal data which is subject to compliance with the General Data Protection Regulation (GDPR). Again, the exact amount will vary depending on the devices and methods by which data is stored and shared, and also on the number of employees who have access to such data.
Every single employee in your organisation forms part of your first line of defence against cyber threats. I cannot stress enough how important it is to educate all employees about cyber security threats, how to identify them, and what to do if there is a suspected attack. If your employees’ baseline knowledge is low, you will need to spend more on education. Even if the level of knowledge is high, investment is still required to make sure that new employees meet the standard of knowledge expected within your organisation and that all employees’ knowledge is up to date, because cyber threats never stop evolving as criminals find new ways to feed their treasure troves.
How to evaluate and plan your cyber security budget
Luckily, it’s never the wrong time to evaluate and refine your cyber security budget. Even if you have just rolled out a set of new systems, you can put in place procedures and processes that monitor the effectiveness of those systems and, should you identify any weaknesses, start planning how to resolve the issue in the short and long term. This could mean going back to the supplier, finding an in-house solution, or gaining external, independent support. If you’re mid-evaluation of your systems, it’s a good idea to plan to spend a bit on external advice, as it’s easy to miss things when you live and breathe the functionality. Finally, if your systems have been in place for years and alarm bells are ringing as you read this blog post, contact us to find out more about how Advanced Cyber Intelligence can help your business maximise its defences against cybercrime.