How to Budget Cybersecurity Spending At Your Firm
Businesses understand today that poor cybersecurity protocols and a limted IT budget for proper systems are not just a security risk, but a financial and reputational risk which can cost firms greatly whether through a data breach or ransomware. As a result, global cybersecurity spending is set to reach new highs in 2017, with global spending on informational security to reach $90 billion in 2017 and $113 billion by 2020.
But while cybersecurity is important, not every business or nonprofit can afford to just throw gobs of money at cybersecurity given their other priorities. While accountants and financial professionals should emphasize the importance of cybersecurity spending, it is better to spend smart rather than spend a lot. An organization can take cost-effective, smart approaches, ensure reasonable security, and prevent their books from being crippled by spending on IT.
Here are certain things to consider and ways that businesses can effectively spend on cybersecurity.
People may view cybersecurity as some complicated morass of technology, but all security measures begin and end with people. If a business’s employees are helping out Nigerian princes and making their password “password,” cybercriminals will break in no matter what management decides.
Training for cybersecurity should thus become a major priority, especially because educational classes are much cheaper compared to upgrading IT infrastructure. Training should consist of informing employees of potential cybersecurity threats such as phishing, making clear what employees are expected to do in the case of an attack, and conducting drills to help prepare them.
Remember that as cybersecurity threats are constantly evolving, training needs to be updated to reflect those threats. Develop your own message which emphasizes the importance of being prepared, and your firm will make huge progress towards being secure at a low cost.
Constant Risk Awareness
While every business knows that training is important, they also know that too many employees sit in a training class and pay little attention to the instructor’s words. That happens because businesses do not make an effort to let employees use the knowledge gained by the training outside of the classroom, letting it decay. This is especially true with cybersecurity.
Businesses should show their commitment towards creating an atmosphere where everyone understands the importance of cybersecurity by implementing simple, cheap, yet effective steps. Mandate the use of strong passwords and two-factor authentication. Provide workers only with the minimum level of informational privilege they need. Make everyone, even executives, subject to new security rules so that you are all on the same boat. In fact, executives should be subject to stricter rules as they are juicier targets.
Some workers will chafe at these new rules and continue to use unsecure methods because it is easier. But through a system of constant vigilance, businesses can promote an atmosphere where everyone understands the importance of security. That atmosphere is just as necessary to create a safe company as any technological upgrade.
What needs to be protected?
Businesses and accountancies should not be asking themselves how much they are spending on cybersecurity. They should be asking themselves what they need to protect and how protected it is. Cybersecurity is fundamentally about risk management, which means identifying what sections of a business would cause the most damage if compromised.
Once those parts are identified, a business can draft a new security policy which emphasizes protecting certain sections using VPN providers and establishes what employees are not allowed to do. This policy can save money by identifying junk legacy programs which should be scrapped and ensuring that your company only purchases the cybersecurity upgrades it needs going forward. Without a risk assessment policy, companies will often pursue whatever cybersecurity upgrade is trendy without thinking about exactly how it will protect their assets.
Test your Systems
With a security policy, you can know which areas of your business have the highest protection priority. But that is not the same thing as knowing which areas of your business are actually the most vulnerable, and hackers can sometimes use those more vulnerable areas as backdoor into the rest of your company. In order to assess your organization’s weak points, security testing is necessary.
Ideally, your organization has someone with the tech expertise to carry out a proper penetration test without accidentally causing an actual crash or other improper results. But most businesses do not and thus turn to third-party automated penetration testing software like Metasploit which can cost thousands of dollars per year. Such costs can turn off companies from the idea of security testing, leaving themselves vulnerable.
The good news is that there are free open source security testing tools out there such as Zed Attack Proxy or Vega. By conducting a preliminary test for free, businesses can discover initial exploits which can be fixed without spending thousands on penetration testing. Nevertheless, businesses should still consider purchasing the more expensive software eventually.
Cost accountant with major focus in SAP/General Fund Enterprise Business System (GFEBS). Also, main functional inspector for accounting/finance audits for internal reviews as well as the Statement of Budgetary Resources audit initiative.