2017 has been a tough year in cyber security. We’ve seen businesses, big and small, get hit by data breaches and cybercrime, resulting in a steady stream of headlines: WannaCry, Bashware, Shadow Brokers, Petya, Cloudbleed, the list goes on…
As we start to turn our attention to 2018, it’s time to think about how to do cyber security differently to protect your business’ finances and reputation in an ever-evolving threat landscape. Instead of just ‘copying and pasting’ your security budget and contracts from this year to next, we think a more strategic approach to protection and detection is needed.
Should you invest more in cyber security?
Probably. Many businesses are still not taking the threats seriously and begrudge the investment, treating it a bit like insurance cover. Unlike insurance, where your business may pay its policy year on year and never need to claim, cyber security solutions offer more than ‘just in case’ protection – they are proactively protecting your business.
You only need to look at a threat monitoring report to see that numerous attempts are made on all types of company IT systems, day in day out. Threats come from inside and out, from shadowy cyber criminals and hackers, as well as your own employees. Whether malicious or not, seemingly innocuous incidents – such as clicking on an unidentified link in an email or disclosing a password to someone purporting to be a senior member of staff – could result in a breach or system downtime.
As the threat landscape changes and we have to deal with new unknown unknowns, duplicating our cyber policies and procedures from one year to the next is not enough. Budgets do need to be reviewed to ensure that the cyber security tools being used are fit for purpose and protecting both data and business critical operations.
Managing Cyber Security Budgets More Effectively
Fortunately, advances in technology are driving costs down, and innovative products are available that provide end-to-end solutions without needing large amounts of in-house resource. When choosing a cyber security vendor, we recommend you look for the following factors to get more from your budget:
1. End-to-end solutions. It is possible to piece together what you need from multiple cyber security vendors but you will most likely pay more overall, need to invest more time in managing a fragmented security estate, and could also find that there are vulnerability gaps that no vendor takes responsibility for. Look for vendors that offer end-to-end solutions that can scale with your business and provide you with the right tools depending on your business’ threat risk.
2. Expert advice and best practices. There are many ways to prevent hacks and cyber incidents that don’t involve costly technology solutions. Awareness and training is a key prevention technique that can get overlooked when companies rely solely on their cyber security tools. While tools such as behavioural analytics can detect insider threats and potential threats caused by human error, security awareness and training can stop a threat being initiated to start with. Expect cyber security vendors to offer advice and support for your team to help put into place cyber security best practices.
3. Understand how security impacts on your business. Cyber security experts tend to talk a lot about the impact of a data breach or cyber incident on your business. However, security solutions can also have an impact on your business. Too many security steps, too long spent waiting for access to data and other complexities can have an effect on productivity and your employees’ ability to get on with work. This may even result in people taking shortcuts and ignoring security policies and procedures if they can.
There needs to be a balancing act between the practical implications of protecting the business from cyber threats, and the cost to the business of any potential loss in productivity. Security vendors should want to understand how their tools might impact on operations and balance the risks with the benefits. Solutions might involve deploying less rigorous security measures in certain areas of the business, where the threat and potential damage are deemed lower risk.
These factors can help your business get better value for money from your cyber security solutions, without putting your business operations or data at risk. If you would like to discuss this subject in more detail with reference to your own operations, please get in touch with our team. Call +44 (0)203 195 4479 or email firstname.lastname@example.org
By Ian McGregor, CRO, Invinsec