Determining Where To Spend Your Cyber Security Budget


Even as cyber crime rises, most businesses skimp on security until a data breach costs them millions. IBM estimates the cost of a data breach at about $140 for each record lost. Multiply that figure by the number of records in your database and it is clear that a single attack can cripple your business.

Cybersecurity is similar to an insurance policy: you don’t want to spend the money, but it can save you financially should your business become a hacker’s target. That doesn’t mean an endless budget for security equipment; it means prioritizing the budget and deciding which areas deserve most of your effort. Here are some tips.

Where Do You Store Data?

Recall any major data breach and you will find that the attackers went after user information. These attackers aren’t teenagers playing games. They do this for a living, and the records they steal sell for roughly $5 to $30 each on the black market. Attackers who make money are persistent. They look for wherever data is stored, sometimes going after your file servers, but mainly your databases.

As your organization grows, it’s easy to lose track of where data lives. Employees add storage to the network, and your IT staff may use cloud storage or SaaS products for extra capacity. Cloud providers secure their own infrastructure, but the data you put there, who can reach it, and how it is configured remain your responsibility, so you still need controls of your own.

The first step is to audit your network and find everywhere you store data, including USB thumb drives and portable devices. Stolen laptops are a common source of breaches, so don’t discount a device just because it doesn’t seem vulnerable. Any device that stores user data should run endpoint protection against malware, laptops and removable media should be encrypted so that a lost device is not a breach, and your internal network should have the right systems in place: firewalls, IDSes (intrusion detection systems), and IPSes (intrusion prevention systems).
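The audit step above is easier to act on with a data-discovery sweep that tells you which files actually hold personal data. The script below is an added example, not code from the original post: it walks a directory tree, flags files that match a few personal-data patterns, and confirms candidate card numbers with a Luhn check so tracking and order numbers do not show up as payment cards. The patterns, the size cap, and the sample files it creates are all constructed assumptions; tune the patterns to the data your business holds.

```python
"""Added example (not from the original post): find where personal data is
stored before deciding what to spend protecting it. Patterns, size cap and
the sample tree are constructed assumptions."""
import os
import re
import tempfile

# Detection patterns (assumptions; extend for the data your business holds).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # confirmed by Luhn below
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Return {pattern_name: count} for every pattern that matches the text."""
    hits = {}
    for name, rx in PATTERNS.items():
        matches = rx.findall(text)
        if name == "card":  # drop digit runs that are not valid card numbers
            matches = [m for m in matches if luhn_ok(re.sub(r"[ -]", "", m))]
        if matches:
            hits[name] = len(matches)
    return hits


def scan_tree(root: str, max_bytes: int = 1_000_000) -> list:
    """Return [(relative_path, hits)] for every file under root with a match.

    Only the first max_bytes of each file are inspected (assumed cap)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)
            except OSError:
                continue  # unreadable here; list such files separately in a real audit
            hits = classify_text(raw.decode("utf-8", errors="ignore"))
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, hits))
    return sorted(findings, key=lambda f: f[0])


def build_sample_tree() -> str:
    """Constructed sample data for the demo; returns a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="datascan_")
    samples = {
        "hr/payroll.csv": "name,ssn\nAda Lovelace,219-09-9999\nAlan Turing,078-05-1120\n",
        "sales/orders.txt": "order 1234567890123 shipped\ncard 4111 1111 1111 1111\n",
        "shipping/labels.txt": "Ship to: 1 Main St, Springfield\nTracking 9400110200830123456789\n",
        "it/contacts.txt": "help@example.com\nsecurity@example.com\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()):
        print(f"{rel}: {hits}")
```

Run against the sample tree, the payroll file, the order file and the contact list are flagged while the shipping-label file is not, which is exactly the split the budgeting argument needs: the flagged locations get the controls, the label printer's data does not. Point the same `scan_tree` at a mounted file share or an unmounted laptop image to inventory real storage.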

Does the Risk Outweigh the Cost to Secure the System?

If you hire security consultants or analysts, the first thing they will do is weigh risk against cost. People new to security often think they need to protect everything, but sometimes securing a device costs more than dealing with the loss should it be damaged or successfully hacked.

A printer, for example, seems safe enough. But attackers who reach it can read the spooled jobs in its memory and see what you printed, leaving your data exposed, and they can launch denial-of-service attacks that block it from use. In February 2017, a hacker made roughly 150,000 unsecured printers print ASCII art, which wasted a lot of paper for many people.

If you use your printer only for standard shipping labels that contain no sensitive information, securing it might cost more than the consequences of a successful attack, which amount to an attacker printing random pages or reading label data out of its memory. In that case you wouldn’t spend any of your security budget on the printer. One caveat: count in the risk what the printer gives an attacker as a foothold on the rest of your network; if it sits on the same segment as your database, putting it on its own segment is cheap and worth doing.

A risk-versus-cost analysis is the main formula for deciding where to focus your security budget. Apply the same analysis to the printer as to the large database that stores your users’ information.
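The risk-versus-cost rule above, carried through in numbers, is the annualized loss expectancy (ALE) method: single loss expectancy (asset value times the fraction lost in one incident) multiplied by expected incidents per year, compared before and after a control against the control's annual cost. The code below is an added example, not the post's own method or figures. It uses the ~$140-per-record breach cost the post cites; the record count, incident rates, exposure fractions and control costs for the two assets are constructed assumptions, and it generalizes the comparison to any list of assets.

```python
"""Added example (not from the original post): annualized loss expectancy
applied to the post's two assets. All figures except the ~$140 per-record
cost the post cites are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float               # cost of a total loss (e.g. records x cost per record)
    exposure: float            # fraction of value lost in a typical incident (0..1)
    rate: float                # expected incidents per year without the control
    rate_with_control: float   # expected incidents per year with the control
    control_cost: float        # annual cost of the control (licences, staff time)


def ale(asset: Asset, with_control: bool = False) -> float:
    """ALE = single loss expectancy (value x exposure) x annual rate of occurrence."""
    rate = asset.rate_with_control if with_control else asset.rate
    return asset.value * asset.exposure * rate


def rosi(asset: Asset) -> float:
    """Return on security investment: risk removed per year minus the control
    cost, relative to that cost. Negative means the control costs more than it saves."""
    saved = ale(asset) - ale(asset, with_control=True)
    return (saved - asset.control_cost) / asset.control_cost


def prioritize(assets):
    """Assets whose control pays for itself, best return first; the rest get no budget."""
    funded = [a for a in assets if rosi(a) > 0]
    return sorted(funded, key=rosi, reverse=True)


COST_PER_RECORD = 140.0  # per-record breach cost cited in the post

# Constructed sample assets: a 50,000-record customer database and the
# shipping-label printer. Rates and costs are assumptions, not measurements.
SAMPLE_ASSETS = [
    Asset("customer database", value=50_000 * COST_PER_RECORD, exposure=1.0,
          rate=0.10, rate_with_control=0.02, control_cost=60_000),
    Asset("label printer", value=2_000, exposure=0.5,
          rate=1.0, rate_with_control=0.1, control_cost=3_000),
]


if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name}: ALE ${ale(a):,.0f} -> ${ale(a, True):,.0f} "
              f"with control, ROSI {rosi(a):+.2f}")
    print("fund:", [a.name for a in prioritize(SAMPLE_ASSETS)])
```

With these assumptions the database carries an expected loss of $700,000 a year, the control cuts it to $140,000 and the $60,000 control returns more than eight times its cost, while the printer's control costs three times what it could ever save, so only the database is funded. The output is only as good as the inputs: the rates are the hard part, and the printer's exposure should include the foothold it offers into the rest of the network.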

Invest in Penetration Testing

The only way to know whether your software is safe is to test it for vulnerabilities. You can buy vulnerability-scanning software that automates part of the job, or hire a professional to review your systems; an automated scan finds known weaknesses, while a human tester also chains them together into an actual compromise.

Penetration testing usually involves running tools and scripts against your network. Because attackers use the same tools to find vulnerabilities, the tester emulates a real-world attack. The test should cover all of your equipment: custom software, packaged software, operating systems, routers and switches, mobile devices, and other network-attached devices such as IP cameras. Depending on the size of your network, it can take several days to test all of your systems.

Before you can test your systems, you need to audit them. Some testers will run discovery to find hosts you didn’t know about, but you must authorize them in writing to touch your network, which means agreeing on exactly what is in scope, and what is not, before the test begins.
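The scope agreement above has to be enforced by the tooling, not just written down. The sweep below is an added example, not code from the original post or from any particular testing product: it keeps an authorized scope as CIDR ranges minus explicit exclusions, refuses to probe anything outside it (including names that have not been resolved to an in-scope address), and records what it skipped so the report can show it. The scope, the exclusion, the host list and the default TCP-connect probe are constructed assumptions; the demo listens on a local port so it runs offline.

```python
"""Added example (not from the original post): a discovery sweep that only
touches hosts inside the written scope. Scope, exclusions and hosts are
constructed; the default probe is a plain TCP connect."""
import ipaddress
import socket
from typing import Callable, Iterable


class Scope:
    """Authorized targets (CIDRs) minus explicit exclusions."""

    def __init__(self, allowed: Iterable[str], excluded: Iterable[str] = ()):
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowed]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]

    def permits(self, host: str) -> bool:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return False  # a hostname must be resolved and re-checked, never probed as-is
        return (any(ip in n for n in self.allowed)
                and not any(ip in n for n in self.excluded))


def tcp_connect_probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a full TCP handshake completes, i.e. the port is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(scope: Scope, hosts: Iterable[str], ports: Iterable[int],
          probe: Callable[[str, int], bool] = tcp_connect_probe):
    """Probe only in-scope hosts. Returns ({host: [open ports]}, [skipped hosts])."""
    open_ports, skipped = {}, []
    for host in hosts:
        if not scope.permits(host):
            skipped.append(host)  # out of scope: record it, never send a packet
            continue
        found = [p for p in ports if probe(host, p)]
        if found:
            open_ports[host] = found
    return open_ports, skipped


if __name__ == "__main__":
    # Offline demo: a listener on an ephemeral localhost port stands in for a target.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    scope = Scope(["127.0.0.0/8"], excluded=["127.0.0.2/32"])
    print(sweep(scope, ["127.0.0.1", "127.0.0.2", "10.9.9.9"], [port]))
    srv.close()
```

The `probe` parameter is what makes the scope check testable without a network: swap in any function that answers "is this port open" and the in-scope filtering is exercised on its own. In a real engagement the skipped list belongs in the report, because a host you were not allowed to touch is still a host you found.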

Penetration testing is a crucial part of cybersecurity. Test any new software or hardware before introducing it to the network, which means you need testing tools of your own to check new equipment before you deploy it.

Educate Your Employees

Every employee, from executives and managers to staff, should have at least a basic understanding of cybersecurity. Employee education is the least expensive and most effective step you can take to protect your data. Employees should be able to identify a phishing email, know not to open attached files, and be aware of common social engineering scams. These three attacks are the most common ways hackers get to your data through your employees.

Social engineering happens when an attacker, for example, calls an employee and talks them into handing over their credentials. The attacker then uses those credentials to log into the network and retrieve data.

Trojans and ransomware are two kinds of malicious software that attackers attach to email messages. A trojan lets an attacker connect to the employee’s computer from a remote location, upload more malicious software, or use that computer as a stepping stone to your data. Ransomware encrypts documents on the computer and on any network share it can reach, and the attacker hands over the decryption key only if you pay a ransom, which can be thousands of dollars. Many variants raise the price if you don’t pay within a set time.

When employees can recognize these attacks, they report the email to your security people rather than just deleting it, so the same message can be blocked for everyone else. It’s the best way to stop a hacker in his tracks. A short class in basic cybersecurity for your employees can save your company millions in damages.
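The checks employees are taught above (does the link go where it says, is the attachment really a document, does the reply go back to the sender) can also be run by the security team over every reported message. The script below is an added example, not code from the original post: it parses a raw email with the standard library, flags executable attachment types, a Reply-To that leaves the sender's domain, and links whose visible text names a different site than the href. The two messages, the domains in them and the extension list are constructed assumptions, and the domain comparison is a crude last-two-labels check that is only right for simple .com-style names.

```python
"""Added example (not from the original post): automated triage of a reported
email using the same checks employees are taught. The messages, domains and
the extension list are constructed assumptions."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types that run code when opened (assumed list; extend as needed).
RISKY_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "hta", "docm", "xlsm",
                    "lnk", "iso", "bat", "cmd"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host name (assumption: fine for .com-style names only)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0] if msg["from"] else None
    reply_to = msg["reply-to"].addresses[0] if msg["reply-to"] else None
    if sender and reply_to and registered_domain(sender.domain) != registered_domain(reply_to.domain):
        findings.append(f"reply-to domain {reply_to.domain} differs from sender {sender.domain}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:  # catches double extensions like Payslip.pdf.exe
            findings.append(f"executable attachment: {name}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        extractor = LinkExtractor()
        extractor.feed(html.get_content())
        for href, text in extractor.links:
            href_host = urlparse(href).hostname or ""
            looks_like_host = "." in text and " " not in text
            shown = urlparse(text if "://" in text else "http://" + text).hostname if looks_like_host else ""
            if shown and registered_domain(shown) != registered_domain(href_host):
                findings.append(f"link text {text} points to {href_host or 'no host'}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_EML = b"""From: "Payroll" <hr@example.com>
Reply-To: hr-desk@example-payroll.net
To: staff@example.com
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Sign in at
<a href="http://login.example-payroll.net/verify">https://www.example.com/login</a>
to keep access.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Payslip.pdf.exe"

MZ
--b1--
"""

CLEAN_EML = b"""From: IT <it@example.com>
To: staff@example.com
Subject: Maintenance window
Content-Type: text/html; charset="utf-8"

<p>See <a href="https://intranet.example.com/status">intranet.example.com</a> for details.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, triage(raw))
```

The phishing sample trips all three checks and the maintenance notice trips none. The same function can sit behind a "report phishing" mailbox so that what one employee spots is checked and blocked for everyone before the next person opens it.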

Don’t Skimp on Cyber Security

Instead of reducing security budgets, now is the time to increase what you spend to protect your customers’ data and avoid the lawsuits and fines that follow a breach. You should always have a cybersecurity budget, as a standing part of your IT budget that managers can use to deploy appropriate equipment on the network and educate users about risks.

If you wonder how damaging a successful attack can be, look at Equifax, Target, Ashley Madison, or ORM. All of these organizations suffered monetary losses and staff resignations. It’s far cheaper to spend the money now than to pay for lawsuits and fines later.
