Finally, you’ve been awarded that cyber security budget you’ve lobbied hard for, but where do you spend it? Like any budget, it’s important to choose the areas that will deliver the most ‘bang for your buck’. A careful analysis of what’s happening in the cyber security landscape will help in making the correct security spending decision.
Here is MetaCompliance’s guide to where to spend your cyber security budget.
Where to Spend your Cyber Security Budget
Budgets have been tight, according to a report from McKinsey, but in 2021, 70% of CISOs intend to ask for significant increases in their cyber security budget. Cyber-attacks across all size companies and in all sectors are driving a need to batten down the hatches and harden our IT systems against hackers. MetaCompliance has looked at five key areas that are worthy of a hard-won cyber security budget:
1. Security Awareness Training and Phishing Training
Prevention is less expensive than a cure when it comes to the damage that cyber-attacks can cause. Take ransomware as a case in point. The Sophos report “State of Ransomware 2021” found the cost of remediation from a ransomware attack has doubled in the last 12-months to, on average, $1.85 million.
Ransomware is often delivered via phishing emails. A 2021 report from Egress concurs in highlighting that 95% of IT leaders believe that data is at risk from the email channel. The report also notes that 83% of organisations suffered a data breach via email in the last 12-months, with 24% of breaches caused by an employee sharing data in error. The human in the machine is a risk point that must be urgently addressed.
Training employees across the organisation on cyber security matters, including privacy considerations, is a fundamental step in reducing cyber security risk. Security Awareness Training can be tailored to fit your company profile. Employees falling for phishing bait can also be tackled using specialist anti-phishing training programs that teach employees how to think before they click on a malicious attachment or link.
2. Governance, Risk, and Compliance
Data protection regulations are stringent and compliance with those regulations requires heavy time and resource costs. The regulations often need specialist help to ensure that the requirements are met correctly. The impact of non-compliance is costly, not just in terms of onerous fines but in lost customer trust and reputation damage.
Help from specialist firms with the skills to assess your compliance needs can make this process easier. Compliance consultants can make sure that your organisation meets regulations and standards and help your organisation to address any gaps in the compliance requirements.
3. Security Tools and Measures
Having the right security tools in place is an essential budget spend area. But should you outsource security management or deploy and maintain those measures in-house? The answer depends on your level of skill in using modern security measures, some of which are smart and can require specialist knowledge to configure and interpret.
Another consideration is what type of security measure to spend the budget on. This decision is dependent on your industry sector and other considerations such as remote work needs and interactions with third-parties and consumer data. But as a rule of thumb, cyber security budget spend in the following areas should be considered:
- Identity and Access Management (IAM): Credential theft and credential stuffing (where fraudsters attempt to break into accounts using stolen credentials) are a major cyber security problem. Stolen credentials allow fraudsters to steal large amounts of data. Credential compromise is behind 61% of breaches according to the Verizon Data breach Investigations Report.
- Zero Trust Security: The principle of “never trust, always verify” is behind the use of Zero Trust approach to security.
- Endpoint security: Remote working has seen the number of endpoints, such as mobile devices, soar. Each endpoint is a potential gateway into a network.
- Application security: 72% of organisations have suffered a breach because of an application security vulnerability.
- Cloud security: A Gartner Inc., report, found that by 2025, 99% of cloud security failures will be the customer’s fault. Garter recommends using governance policies and monitoring to de-risk this area.
4. Cyber Insurance
If the worst happens and your organisation is infected with ransomware, or your employee is spear-phished and your customer database is hacked, and so on, cyber insurance can help alleviate some of the pain. Cyber insurance typically covers losses from IT system damage and loss of information from IT systems and networks. Costs of cyber insurance vary, but some insurers offer reduced premiums if your organisation can show you have certain security measures in place, such as:
- Cyber Security Awareness Training
- Compliance with industry data security and privacy standards, such as ISO 27001
- Regular penetration testing of your IT systems and networks
5. Measurements and KPIs (Key Performance Indicators)
Being able to measure the effectiveness of your security measures is a great way to justify your spending choices, or to modify future cyber security budgets. Security metrics provide insights into how effective your security posture is, including if your compliance measures are working. These metrics offer a quantitative way to show management and board members how a data security program is working. These metrics can also play a part in documenting the company’s approach to data protection in line with regulatory requirements. Analysis of KPIs and key risk indicators (KRIs) provides a view of your team and security position so that you can optimise measures and approaches.
There are several key KPIs that can be measured, some examples that measure threat metrics include:
- Security incidents
- Mean Time to Detect (MTTD)
- Mean Time to Resolve (MTTR)
Spend, Spend, Spend on Cyber Security
With security spending expected to top $1 trillion globally by 2025, optimising your cyber security budget is vital to prevent waste. You may already have experience of where your organisation is at most risk but keep researching the security landscape as it changes. By having a good knowledge of what’s happening across the sector and what type of help is available to mitigate cyber risk, you can make sure that your agreed budget gives you value for money.