Global cybercrime is rising, both in the number of reported incidents and in its sophistication. For this reason, businesses are focusing on Cybersecurity by investing their effort, time, and finances into withstanding an evolving cyber threat landscape.
While it is not yet a significant part of most companies’ overall business expenditure budgets, cybersecurity spending is increasing with many businesses hoping to protect their digital assets.
However, merely spending large amounts of money does not assure protection. What businesses need to do is spend appropriately in the right areas to realize a Return on Investment (ROI). The priority is to identify the current infrastructure’s strengths and weaknesses. This type of planning allows a business to establish what needs improvement and the most cost-effective way to achieve it.
Vitally, companies should recognize that safeguarding digital assets relies on more than just technological interventions. The workforce also has a growing role in maintaining Cybersecurity.
Businesses Constantly Overlook Continuous Cybersecurity Assessments in Their Tech Budgets
“When planning the cybersecurity budget, in my opinion, one of the most critical items that are often missed is the ability to do continuous testing,” says Ilan Sredni, CEO & President of Palindrome Consulting, Inc. “IT infrastructure [contains] a lot of moving parts and continuously changes; therefore, running tests is extremely critical to keeping a good security profile.”
Continuous penetration testing involves challenging, measuring, and configuring a business’ cybersecurity controls to identify areas where gaps appear and proactively fix potential security issues. According to a recent poll by the SANS Institute, 28 percent of IT security professionals use breach and attack simulation (BAS) tools to test security protocols.
A company can reduce its attack surface through repeated and frequent testing and continually update its security posture. Through automated alerts and regular reporting, an organization’s security teams get immediate and actionable insights they require to perform corrective measures.
Despite the apparent advantages, Ilan says that few companies budget for the recurring cost of constant testing of cyber defenses.
“Most people miss the proper planning on the testing side because they believe that security is something similar to a home alarm; that it is set and then you forget.”
The Risks of Not Carrying Out Continuous Testing
Failure to include continuous testing of cyber defenses in their annual budgets exposes businesses to risk due to two key factors:
- There are new and emerging threats that companies will need to contend with every day. The latest strains of viruses, ransomware, crypto-stealers, and crypto-miners require that a business continually update its preventive controls with the newest indicators of compromise (IoCs).
- IoC-based preventive controls are worthless against fileless and signature-less attacks. Therefore, they require that a business use behavior-based detection through tools like Entity and User Behavior Analytics (EUBA), Endpoint Detection and Response (EDR), or honeypots. Continuous testing of defenses allows a business to continually fine-tune these tools’ settings and configuration for faster detection.
Having continuous security assessments as part of a business’s yearly budget is vital, even for companies with a Managed Service Provider (MSP). According to Mike Shelah of Advantage Industries, failure to plan for the additional cost of constant testing under the assumption that the MSP’s rate covers it could leave a business vulnerable.
He says, “Cybersecurity has four parts: assessment, remediation, certification, and ongoing updates. Most companies feel if they have an outside IT vendor that they are checking all the boxes. Most MSPs do not automatically offer assessments. Instead, they charge a separate fee.”
Corporate Investment in End-User Training Is Vital For Cybersecurity
Cybersecurity for business goes well beyond merely putting technical measures in place. Companies also need to look at how well-prepared their IT teams are to counter the latest threats, and whether the rest of their employees know how to avoid exposing the enterprise to a cybersecurity incident. Maintaining and building up a workforce’s skill set by investing in training brings about a great ROI.
Failure to provide user training to employees can expose a business to cybercriminals. In most situations, hackers seek to exploit the weakest link in the cybersecurity chain – the user. These exploits usually use strategies and tricks that are impossible for hardware or software to detect. Social engineering methods such as phishing, spear-phishing, and pretexting can only be stopped by a user’s awareness, not through technical countermeasures.
Training in Cybersecurity also means that employees know what to do in case of a breach. Phillip Baumann, CEO of managed IT services provider BoomTech Inc., says, “The biggest security problem in any organization is you and your employees. While you’re focused on budgeting for everything from employee training to penetration testing, many fail to include a detailed plan for the worst-case scenario – a breach.”
Investing In Continuous Testing and Constant Staff Training Is the Best Defense
So, what strategy should a business take when determining its cybersecurity spending? The ultimate decision depends on factors like its size, mission, scope of work, and budget, but having Cybersecurity in a company’s spending plan is always a smart move.
Devoting more resources and increasing a cybersecurity budget is essential, but the real challenge is knowing what to spend the money on. Business leaders should pay more attention to the security technologies they spend their money on, and the people who operate them, than to the total amount of funds allocated.
Businesses should consider a change in their cybersecurity strategies due to the recent wave of business email compromises, state-sponsored Advanced Persistent Threat (APT) campaigns, and ransomware attacks. The best way to identify and proactively combat these new threats is by always challenging security protocols to unearth weaknesses and tweaking the measures to shrink attack surfaces.
Besides the obvious technological interventions, effective Cybersecurity also depends on people. Business leaders need to put money into increasing their employees’ readiness to identify and deal with potential cyber threats.