
Four ways to maximize a cybersecurity budget


The steady rise in cyberthreats should have businesses worldwide on edge. 

Global cyberattacks surged 42% in the first half of 2022 compared to 2021, per Check Point research. Attacks grew by 28% in the third quarter alone when weighed against the same period last year. All of this translates to one thing: financial damage — and lots of it.

In 2021, the global average cost of a data breach was $4.24 million. A year later, that number grew to $4.35 million, per IBM’s latest cost of a data breach report. It’s even worse in the United States, where the cost more than doubled at $9.44 million.

Given the current rate — and increasing complexity — of cyberattacks, these numbers will likely continue to grow. The total cost of global cybercrime could hit $10.5 trillion by 2025. And that’s why businesses will collectively spend an estimated $188.3 billion on cybersecurity in 2023 — with global spend topping $260 billion by 2026, according to Gartner.

Yet, while organizations are willing to put greater resources into enhancing their overall security posture, they must make sure they’re spending those dollars wisely. All the money in the world won’t reduce risk if it’s invested in the wrong areas. Here’s what companies can do to maximize their cybersecurity budget and ensure they’re getting the best bang for their buck:

  • Take the time to identify what to protect.

Before a security team can begin planning its budget, it must first know what it needs to protect. This can include everything from systems, data, assets, and capabilities to people.

Many organizations don’t know what they don’t know, so consider working with a consulting firm to help identify current gaps. Such a firm can assist with business impact analysis (BIA) and risk management strategies, as well as asset discovery, vulnerability assessments, and penetration testing exercises.

This will help the company identify critical areas that must be protected, as well as areas more tolerant to risk that the business may be willing to accept, allowing the team to focus its security budget on the areas that need it most. Using this information, the team can then plan its strategy to harden the company’s security posture, including an analysis of which components the internal team has the time and expertise to handle in-house versus where it makes sense to leverage the expertise of a managed service provider (MSP).

Of course, even with the most robust protection in place, it’s only a matter of time before someone breaches the network. From zero-day exploits and software/hardware vulnerabilities like SolarWinds and Log4j to human error around phishing and social engineering attempts, companies must be able to quickly detect and respond to security breaches.

  • Implement methods to detect and respond.

Here’s where a managed detection and response (MDR) service comes into play. An MDR service serves to quickly detect and respond to an intruder so the organization can mitigate the impact of a security breach.

If the business has a small security staff that lacks the process or technology to continuously monitor events on a 24x7 basis, a great way to maximize security budget is by leveraging an MSP for MDR services. It’s generally much more cost-effective than staffing an in-house 24x7 security operations center (SOC) and extending the requisite capital expenditure for supporting tools and technology.

When choosing an MDR provider, look for a platform that includes people, process, and technology. It should have sophisticated systems incorporating machine learning, artificial intelligence (AI), and user-behavior analytics, as well as security analysts who can put human intelligence behind it. Look for a platform that can support the company’s entire IT estate, from on-premises data centers to hyperscale public cloud platforms, along with remote user endpoints.

Unfortunately, even with the most robust mechanisms to protect, detect and respond in place, bad actors can still get in and lock out company users with ransomware. So make sure there’s a plan to recover your data.

  • Have a tested cyber-recovery plan in place.

Cybersecurity and disaster recovery go hand in hand. Any money spent on disaster recovery (DR) is money spent on security, and protecting company data should be a top priority. If a hacker can delete or encrypt backups, expect a hefty ransom demand, up to hundreds of thousands of dollars or more — and don’t expect that the company will get all its data back either. According to the Sophos 2022 State of Ransomware report, only 4% of respondents who paid the ransom demand got all of their data back.

To protect against the cost of ransomware payouts and the resulting increases in cyber insurance premiums, any organization that wants to continue doing business long-term must allocate budget for a regularly tested disaster recovery (DR) plan. To maximize the DR budget, consider a third-party DR provider that can tier recovery based on RPO/RTO and spin up compute resources on the fly only during a test or a disaster.

  • Regularly educate and train employees.

Keep in mind that workers are among the biggest threats to an organization’s security. According to Verizon’s 2022 Data Breach Investigations Report, 82% of breaches stemmed from the “human element,” such as “social attacks, error, and misuse.”

Imagine spending tens of thousands — even hundreds of thousands — of dollars on security tools, technologies, and automations, only to have it all undermined by a single employee. Unfortunately, it happens.

Make sure to invest time and money into training employees. Educate them on the types of tactics hackers are using, the ways they’re commonly deploying social engineering attacks — whether that’s phishing emails, spear phishing, or even cold calls — and how to identify them.

Put these lessons into practice as well. Implement regular compliance and security training for all employees, and make it mandatory. Send out simulated real-world phishing emails and see if someone bites. All these strategies will reinforce the learning and, hopefully, help prevent employees from falling victim to an attack and putting the whole company at risk.

Sophos’ 2023 Threat Report reveals that “the cybersecurity landscape has reached a new level of commercialization and convenience for would-be attackers, with nearly all barriers-to-entry for committing cybercrime removed through the expansion of cybercrime-as-a-service.” Additionally, ransomware continues on as a major threat to enterprises, and the demand for stolen credentials only gets stronger.

If organizations want to avoid falling victim to these criminals, they must invest their resources strategically towards identifying what to protect, as well as managed detection and response, cyber recovery, and employee training. Anything else, and they risk throwing money down the drain and leaving the organization susceptible to potential financial ruin and reputational damage.

Matthew Parsons, director, network and security product management, 11:11 Systems
