Budgeting for Cybersecurity

From startups to large enterprises, every business benefits from cybersecurity defenses. A data breach or cyber attack can harm a company's credibility, directly affect their customers or employees, and potentially shut them down.

To make matters worse, cybersecurity threats are only increasing. Sixty-eight percent of small businesses faced a cyberattack in the last 12 months. At the same time, only 5% of a company's files are properly safeguarded, and 95% of breaches are caused by human error.

The fact is that most, if not all businesses, have potential vulnerabilities.

Cybersecurity is the system of processes and technology that protect critical business operations and sensitive data from an array of vulnerabilities. The goal of any cybersecurity framework is to reduce the likelihood of both technical attacks and human error.

How to budget for cybersecurity measures 

Cybersecurity is largely a spending battle.

A study from Deloitte determined that financial services reserve just 10% of their IT budget on cybersecurity. While this is a good number to start with, what companies should really spend depends on the type of sensitive data they come into contact with.

For example, a startup that outsources its payment data collection and storage to a third party and in no way touches the data may need to spend less on network security or cybersecurity infrastructure.

To determine how much you should invest in your cybersecurity framework, it can be helpful to ask the following questions:

• What type of sensitive data does your firm deal with, if any?
• What are the risks of storing that data?
• How connected is your business network to external networks?
• What type of phishing or malware attacks should employees be aware of?
• How are roles and permissions on computers and files implemented?
• Are former employees properly offboarded after leaving the organization?
• What is the estimated cost of a cyber breach?
• Are there any compliance requirements or regulations your organization needs to adhere to?

It can also help to visualize the cost of cybersecurity risk and potential types of attacks. For example, the average cost of a data breach is $3.92 million. Cybercriminals don't just steal money. Other costs associated with a cyber attack include:

• System repair
• Compliance fines
• Legal fees
• Public relations spending
• Notification of affected parties
• Identity theft repair
• Insurance increases
• Business downtime
• Loss of long-term trust
• Loss of customers

Furthermore, a data breach isn't always intentional. Sensitive information can be shared by accident through technical error, such as an employee having incorrect permissions.

For these reasons, a cybersecurity program often includes both technology and training as well as compliance costs.

How to build an efficient cybersecurity program

There are three basic options when it comes to cybersecurity.

First, a company can choose to do everything in-house. This means that a company has complete control over its network security, critical infrastructure, and sensitive information. However, this option comes with a high price tag. Hiring full-time cybersecurity professionals and developers, designing unique infrastructure, and regularly reviewing compliance requirements is time-consuming and expensive. Furthermore, a company focused on another industry, such as retail, shouldn't be investing critical assets in another field.

Second, an organization can decide to outsource all of its needs to a third-party vendor. This can reduce the costs for maintaining a cybersecurity program considerably, as the company doesn't need to hire new staff, develop original software, or apply compliance measures themselves. However, companies may still be on the hook for any data breach involving their customer's data.

Finally, some firms choose a hybrid model and mix the two, with some vulnerabilities being addressed by a third-party and others in-house.

Regardless of which method a company pursues, it should have a clear vision of what it requires to reduce its cybersecurity risk. After mapping an organization's systems, the management team should ask potential vendors or partners the following questions:

• How frequently do they perform security tests, such as penetration testing?
• Are they certified in a cybersecurity framework or aligned with one? One example of a framework is the National Institute of Standards and Technology (NIST).
• Do they have a threat management program in place?
• Are they open to external audits?
• What is their threat response plan?
• Have they suffered a breach in the past? If so, what steps have been taken since then?
• Do they understand your specific business or industry?
• Do they provide training on their security protocols and processes?

Getting started with cybersecurity

Cybersecurity challenges abound in business; there's just no way around it. Developing and maintaining clear and up-to-date security protocols should be a priority when it comes to business budgets. Even if skipping some steps in cybersecurity seems cost-effective, a data breach can cause long-term damage to an organization and costs hundreds of thousands of dollars.

As the cyber risk for businesses continues to rise, the best thing any company with an internet connection can do is invest in their security measures.

The first step is to map out an organization's system and needs. It may be beneficial to bring in an external auditor. Whether the management team decides to go at it alone or bring on professional help, getting the lay of the land makes it far easier to find solutions and plan an accurate budget for an effective cybersecurity program.