The world’s CIOs, CSOs and CISOs are focused on preventing the next big cyber-attack. The international cyber security community is more interested in the lack of action some companies are taking to reach that goal.
After the Ticketmaster, Marriott and Equifax breaches, senior executives have come to understand the financial and reputational implications of a poor cyber security strategy. But you don’t hear about all the hacking attempts that were stopped, which gives leadership pause when it comes to investing in new tools, policies and frameworks.
“If the organisation hasn’t been breached, why do we need to invest any more capital in cyber security?” It’s an all too common question that’s serving as an easy out to keep IT budgets relatively slim or reduce spending. At the turn of the new decade though, it’s an excuse that won’t hold any weight.
How can a budget be a cyber-threat?
A cyber-threat is almost never an active attack, unlike what the movies would lead some to believe. It’s a passive campaign that involves exploiting a vulnerability and completing some sort of action that damages the company down the line, either intentionally or not. This makes it difficult for non-technical stakeholders to envision how cyber-attacks work and are stopped.
IT budgets function as a similar type of cyber-threat. While they aren’t actively hurting or holding back an enterprise cyber security strategy, failing to raise the budget or modernise the tools can undermine a security team’s efforts. Over time this can have a far-reaching impact on the security and reputation of the company.
For the most part, businesses get it. Four in every five companies plan on raising the amount they spend on security in 2019, 451 Research found. But that still leaves one out of every five that isn’t increasing the amount of money it spends on securing its data.
Keeping the budget the same would be fine if the threat landscape were static, but we all know it’s very much a dynamic playing field. Its ever-evolving nature leads to a frightening number of companies that don’t have the ability to stave off a cyber-attack. In Ireland, for example, nearly two in every three businesses don’t feel confident that they’re prepared for the emerging threat landscape, according to research from DataSolutions.
With hackers’ tactics, techniques and procedures changing nearly daily, companies that sit on their hands when it comes to IT budgets will only find themselves playing catch up as cybercriminals innovate their approaches. We’re now beginning to see the impact of a general inability to combat these trends – whether through a lack of budget or understanding – as the number of data breaches continues to rise every year.
Increasing the budget is only the first step towards better cyber security
Getting over the hump of convincing C-level executives to fund a better cyber security strategy is only half of the challenge. The other half is figuring out how to spend it.
When it comes to the size of the budget itself, many will turn to peers or competitors to get some sort of understanding of what a small or large budget looks like. Unfortunately, they often fail to take into account one of the core principles of enterprise cyber security: each company’s strategy is unique.
Copying other organisations can create a cycle where a business understands its security measures are over-matched, it spends as much as is necessary to catch up, then a security incident takes place as those solutions are outpaced by the threat landscape and the company is left back at square one.
Cyber security isn’t where an enterprise should shop for bargains. The average data breach in 2018 cost a company $3.86 million to remediate, according to The Ponemon Institute’s 2018 Cost of a Data Breach Study. Instead of shopping for the newest solutions or purchasing what the industry leaders have, build a strategy from the ground up to understand where the gaps truly are.
Cyber risk and assurance engagements are ideal for figuring out where an IT budget is best used when it comes to cyber security. By conducting a gap analysis, assessing the organisation’s cyber security maturity and identifying potential threats, companies can be confident that they’re spending the budget in areas that will produce the maximum impact for data security.
At the end of the day, expanding or downsizing budgets while figuring out where they’re most effectively spent is a balancing act – one that’s unique to each individual company. That’s part of what makes a budget the most challenging cyber-threat to manage.
A business can overspend and still have gaps, or it could spend well below the industry average and have solid protection from the latest cyber-attack trends. However, it’s universally agreed that the worst thing a company could do is ignore its digital infrastructure altogether.