How to Spend Your Cybersecurity Dollar

How much is enough when it comes to spending on Cybersecurity? And if you need greater protection, where should you invest next – in new tools, better training, or in a myriad of other options? Naturally, the answer will be different for every organisation, and the goalposts will forever be moving. It can be an overwhelming task, but here are some simple guidelines to help you get the balance right.

New Cybersecurity Choices

Even though organisations are spending more on cybersecurity than ever, the growth continues to accelerate. According to IDC, worldwide cybersecurity spending is expected to grow by 9.4% in 2019. Which means security is carving more and more out of IT budgets.

One reason behind this growth is the evolution of high-cost enterprise services into more affordable and manageable offerings for mid-sized organisations. An example is the adoption of Multi-Faction Authentication (MFA) through common applications such as Office 365. The easy availability of advanced security functionality now extends to Security Operations Centres, Endpoint Encryption, Data Leakage Protection, Continuous Vulnerability Scanning, Dark Web Monitoring, Identity Theft Protection and more.

The only question is do you really need them?

The 3 key factors in determining your Cybersecurity needs

When you are assessing your cybersecurity spending, it is important to consider these three factors:

These key factors should shape your cybersecurity spending decisions.

IT environment

Before you invest in all the latest software and tools, it’s essential that you already have a healthy IT environment. That doesn’t mean using the newest AV and firewall. It means ensuring all of your IT basics are in place. If your Remote Desktop ports are open to the world, no amount of security software will stop the bots finding wide-open holes in your network. Simple measures such as ensuring your software is current and patched, and any on-site servers are physically protected, can often be overlooked.

A healthy environment also means one that can recover quickly. Recently we spoke with a crypto-locked business that was losing a six-figure sum daily from lost website orders. It highlighted the importance of ensuring there is a fully tested disaster recovery plan in place. Don’t be one of the 40% of organisations, according to a survey by CIO Insight, without a documented plan to get back up and running fast.

Your People

The most common threat today is not from a virus. Instead, it’s much more likely that human error will play a key role in creating a security incident. Whether it’s clicking on a link or mismanaging password details, your staff are in the front line. To assist your staff, ‘must-haves’ today should include MFA, mail and website filtering and cybersecurity awareness training.

MFA is so valuable because it prevents many of the most common causes of breaches through the loss of credentials. Enabling you to greatly reduce threats posed by most phishing campaigns, fake websites, and sale of personal details on the dark by a simple text message to a private phone containing a code to access to your systems. MFA is not a fail-safe, but it’s a great place to start.

Many would argue that staff cybersecurity training should not be an IT cost at all. Rather it should be part of the normal HR on-boarding and on-going staff education. Just as new employees need education on company policies e.g. equipment fair use, so do they require training on company cybersecurity policies and procedures. While paying for regular staff training from specialists is ideal, a vast amount of free or low-cost education is also available from security vendors and training organisations.

Type of Business

Perhaps the biggest influence in Cybersecurity priorities is your industry and the customers you deal with. Especially if they involve Government contracts or include industries such as finance and healthcare. Some businesses need to have Cybersecurity baked into their processes because they are required to follow ISO 27001. While others must comply with the ASD Essential 8 to work with their customers.

The type of data you collect should greatly affect your security choices. A law firm with highly sensitive client data might require more advanced security measures, such as data leakage protection. Whereas a construction firm that works on residential properties with less client confidential information may not.

The amount of remote work can also determine the recommended security measures. An accounting firm may have a lot of sensitive data, but their staff may mostly work internally, so data encryption may not be such a high priority. However, an organisation with many sales reps with laptops, who often use public transport, may have a higher need for data encryption and to remotely wipe a lost device.

Next Steps

So now you have considered these three key factors influencing your cybersecurity and identified areas for improvement, where do you go from here? While it is important to consider what new security investments your organisation may need, don’t overlook the tools you already have. We mentioned earlier that Office 365 now includes MFA, but have you enabled it? Review the settings on your existing security tools or have an expert do it for you.

If your organisation does have compliance requirements or sensitive information potentially at risk, the next step may be to arrange an independent security assessment. Have them review your staff and security environment, and provide you with a prioritised set of recommendations.

Ensuring you have the right level of cybersecurity doesn’t have to cost a lot. It’s certainly less expensive than remediation.