Cybersecurity incidents can have dire financial consequences. In our 2020 State of Data Security Report, we found that businesses have had to pay up to $100,000 in ransomware payments.
But the issue for small and midsize businesses (SMBs) is that while they realize the importance of cybersecurity, they often don’t have the budget or IT expertise to beef up cybersecurity as large organizations do. Studies such as this one show that many SMBs have meager IT security budgets (less than $5,000), while most of them (52%) don't have in-house IT security professionals.
To overcome this hurdle, SMBs need to get creative with their limited resources and optimize their cybersecurity investment.
If you’re such a business, then read on to understand what you can do to optimize your cybersecurity spending without compromising your cybersecurity posture.
To understand the costs of cybersecurity, SMBs need to first identify what cybersecurity measures or actions they need to take. To do this, SMBs can start by identifying common cybersecurity threats and finding solutions to tackle such threats.
Social engineering: Attacks that manipulate an individual, often using their personal information, into handing over sensitive data.
Spear phishing attack: A fraudulent email, aimed at a specific recipient, that appears to come from a legitimate person or organization.
Business email compromise: Similar to spear phishing, but attackers fabricate emails that target top-level employees.
Insider threats: These threats are posed by malicious, disgruntled, or negligent employees.
Video conference infiltration: Leakage of confidential business information when cyber criminals tap into a video conference session.
Cybersecurity training: Regular security training is an effective security measure for SMBs to protect against threats.
Cybersecurity software: Essential cybersecurity software for SMBs includes vulnerability management tools, patch management solutions, and endpoint protection software, which together protect against many kinds of security breach.
Cybersecurity services: Third-party security services, such as those of a managed security service provider (MSSP), help SMBs manage information security without having to maintain an in-house security team.
While cybersecurity spending on training, software, and services can help you combat cyber crime, these measures don’t always come cheap. Cybersecurity software, for instance, can quickly become a burden if you skip a proper vulnerability assessment and purchase the wrong product. Additionally, you need to follow some best practices when creating training programs or outsourcing security management in order to optimize your security spending.
To create a robust security awareness training program, you might need to spend on activities such as gathering course materials, hiring experts, and disseminating the training program to your employees. These costs can be substantial and more of a burden considering the low training budget of most SMBs.
To reduce the financial burden, you can take a step-by-step approach to create the training program. Instead of trying to build the perfect, one-size-fits-all training program, start by creating short courses using PowerPoint slides for semi-technical subjects such as password management or email best practices.
You can take this a step further by using the knowledge of your in-house IT staff to create a community forum that answers your employees’ common security questions.
Finally, you can create digital courses (using a learning management system) that can be reused and recycled easily. This also lowers the administrative burden when it comes to updating security training programs as digital courses can be easily edited.
Cybersecurity solutions are numerous, and SMBs can quickly get overwhelmed deciding which one to buy to improve their security posture. Businesses just starting out can also be confused by the variation in pricing of similar solutions.
The way out of this situation for SMBs is to test the waters by trying open source or free cybersecurity software. This reduces the risk of SMBs wasting their valuable resources on the wrong solution and allows them to test a particular product before committing to it.
You can outsource different kinds of security services. For instance, an MSSP vendor can manage threat monitoring, detection, and incident response services for you. Some MSSPs may also handle compliance and risk management, penetration testing, and security program development.
However, an issue that can crop up with outsourcing is the tendency to gloss over contracts. For instance, a key clause that is easily overlooked is a service-level agreement requiring the vendor to return or destroy your data, at no or minimal charge, at the end of the contract.
Spending time creating effective contracts that clearly benchmark the terms of the agreement with the vendor, and that accommodate changes in the scope of the service the vendor provides, is a key step in optimizing outsourcing costs.
The threat of cyber attacks cannot be overstated. They are rising in number. In our 2020 State of Data Security Report, we saw an increase in phishing scams and account takeover attacks.
Modern-day cyber attacks are also becoming more devious with the use of newer technology (artificial intelligence, for instance). Moreover, threats can come from anywhere, including your own employees (insider threats), making them more difficult to track and manage.
However, it’s inadvisable for SMBs to panic and start taking drastic steps to strengthen their cybersecurity posture. Instead, they should do the opposite and take measured steps such as conducting a security risk assessment to clearly understand the biggest threats faced by their organization.
Based on the security assessment, businesses can understand which threats can have the most business impact. Thereafter, they can prioritize their security investments by drawing up a suitable IT security budget that can get the job done without breaking the bank.
This article uses Gartner’s definition of SMBs, where small businesses are organizations with fewer than 100 employees and midsize enterprises are those organizations with 100 to 999 employees.