As we approach the end of 2018, it’s time to start thinking about the year ahead and with that comes budgeting. While budgeting for everyday line items such as marketing, salaries, and office supplies can come easy, budgeting for cybersecurity can be quite intimidating. What products do we need? Should we outsource or keep it in-house? What’s going to be the biggest cyber-threat in 2019? Although we can’t answer these questions for every business out there, we can provide a general guide on items that should help you budget for cybersecurity in 2019.
Cybersecurity Statistics to Consider
If you haven’t had a budget for cybersecurity in the past, 2019 is certainly a good time to start. These statistics from Prey Nation can help us consider the threats our businesses face on a daily basis and help you realize the importance of budgeting for cybersecurity.
- If you think your business is too small to attract hackers, think again. Forty-three percent of cyber attacks are aimed at small businesses.
- 230,000 – the number of new malware samples that are produced every day. This number is only expected to grow in the future.
- It’s estimated that there will be a ransomware attack on businesses every 14 seconds by the end of 2019, up from every 40 seconds in 2016.
- Email – 91 percent of cyber attacks begin with a phishing email, which is commonly used to infect organizations with ransomware.
- Seventy-six percent of businesses reported being a victim of a phishing attack over the last year.
- The average cost of a successful cyber attack is $5 million.
Now that we have your attention, let’s tackle the bear that is budgeting for cybersecurity. Before we dive in, however, we must note that simply throwing more money at your IT team and expecting better results is the biggest mistake you can make, aside from not giving them a budget at all. Instead, ask yourself about your level of readiness. Readiness is not about how much you spend on controls, but how good your controls are at defending your organization. Do you have the level of readiness you want? If not, do you need to spend more to get there?
Once you understand the correlation between your readiness and what you’re spending on cybersecurity, you can begin discussing the performance you’re getting for the price you’re paying. Can you spend less on other tools or outsourcing and maintain the same level of security? During this discussion, you can also assess products you are no longer using. Security products are rarely retired. Instead, they are usually added to and built upon, causing an unnecessary build up of products.
“Look for products that you aren’t getting current value from, and were implanted under murky circumstances or justifications,” commented Daniel Kennedy, a research director at 451 Research. “An auditor who is no longer around insisted on it, a champion of that project or vendor has moved on, etcetera – or where a different product you have in place is creating the same value.”
Once you have determined what products add value to your business’s cybersecurity platform, determine specific line items you want to increase within your overall cybersecurity budget. This is where special consideration and careful planning is going to be especially important. Line items such as threat monitoring, vulnerability assessment, security tools, security upgrades, and continuous improvement should exist. Depending on your current income statement and whether or not you already have an employee training line item, consider adding a specific line item within your cybersecurity budget for cybersecurity training. As we have mentioned several times, employees are going to be the weakest link in your cybersecurity chain.
You have now considered what products you no longer need, whether you need to add additional protection, and the training you’re going to provide for your employees. What about emerging threats? Constant improvements in cybersecurity technology are often matched or exceeded by rapidly advancing cyber threats. While remaining educated on the latest cyber threats is the first step in improving your readiness, additional products may need to be implemented to keep your company safe. Consider budgeting for unexpected threats that may arise through an “Other” line item. Consider this an “insurance fund” for your cybersecurity team and carefully monitor the spending throughout the year. That way, you can determine whether this fund needs to be increased or decreased in the coming years.
By properly budgeting for cybersecurity and providing your IT team with the necessary resources, you can ensure your business is ready to battle whatever cybersecurity risks the new year brings.
Photo courtesy of CSOonline.com