Cybersecurity on a budget: maximize your ROI
With almost a third of companies falling victim to cyber attacks, organizations know they need to invest in adequate protection. But they don’t always have a big budget to do this. The good news is that there are several options for businesses that need to be efficient and make the most of what they already have. Here we look at how businesses can protect themselves against the risk of cybersecurity threats without breaking the bank.
Maximizing cybersecurity ROI
Creating a robust cyber strategy for your business’s unique needs is essential to ensure you focus on what matters most. You need to start by identifying the purpose and objectives of your organization.
For example, if you are a food manufacturer, your purpose may be to supply supermarkets with prepackaged sandwiches, and your objective may be to produce 200,000 packages per day. If that processing facility were to go offline for a day due to an attack, what would the impact be of those sandwiches not being produced? This could include a loss of turnover of £100,000 per day, reputational damage, legal costs and retailers being able to apply breach of contract clauses.
By imagining your worst day, you can get a clearer picture of which systems are critical to business operations and what downtime you can afford. This will help you identify where investment and resources are most needed.
Senior Technical Consultant at technology company Probrand.
Protection of your most important assets
The next step is to understand whether the defenses you currently have in place can adequately protect critical systems, networks and data. To really put this to the test, consider bringing in an internal or external security team to attack those systems and then record what happens. You want to know:
- How did you identify the attacks?
- What did the attacks contain or destroy?
- What was the reaction/aftermath?
This exercise can reveal your strengths and weaknesses when it comes to the technologies, people and processes you have in place to protect the business.
Technologies – These types of exercises almost always reveal that there are ways to optimize existing tools and technologies and work more efficiently. For example, you may discover that you have duplicate tools and that there is an opportunity to cancel contracts and reinvest. Additionally, there may be underutilized native security settings that you could benefit from more, such as a built-in email filter to protect against spam and phishing emails.
Software updates and patches may not be up to date. Fixing this is an easy win for preventing vulnerabilities, because many updates can be automated, for example with patch management software. You may also find that configuration improvements can help close any gaps or weaknesses you have identified.
People – Implementing measures that encourage staff to adopt a zero trust mentality will help reduce the likelihood of a successful attack. There are several low-cost activities that companies can undertake to create this strong safety culture.
Just as you would assess the tools and technologies in your organization, it is well worth spending time assessing the skills that exist within the security and IT teams, as well as within the wider business. Are there opportunities to spread knowledge and train staff? Know-how can be shared in many ways. This could be through lunch and learn events or more formal training and simulations. This doesn’t have to be expensive. There are also a number of free resources available, including Dracoeye, that can be used by teams to search for and identify any security threats.
In addition to training, organizations should focus on creating a culture where employees are encouraged to report suspicious activity without fear of “getting it wrong.” To support this, consider using a dedicated portal where staff can share any issues and anything immediately dangerous can be escalated. The worst case scenario is that staff are too scared to say anything. You want people to feel like they are in an environment where they can express their opinions without fear of repercussions.
Processes – Finally, it is important to look at the processes and solutions you have in place should the worst happen. This has everything to do with planning. It’s about knowing how each part of the business will continue to function until a cleanup operation can be conducted. Do you understand your legal obligations in terms of informing customers? Depending on the nature of the breach, you may also need to notify authorities, such as the Information Commissioner’s Office (ICO) if your organization is based in Great Britain. Employees will always feel better knowing that there is a script and plan for every scenario.
By following these steps, companies can get more out of what they have and identify opportunities to reallocate budgets and realize immediate savings. The biggest victory, however, is having an effective cyber strategy that companies have confidence in. This will greatly reduce the risk of financial and reputational damage and enable the company to continue achieving its objectives.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc.