Statistically, your organisation is likely to be targeted by cyber criminals at some point - and, of course, building the type of environment to protect you against that threat requires financial outlay. So how much should you be spending - and where should resources be allocated?
Unfortunately, there isn’t a magic figure or formula to deploy to render you invulnerable to IT security risks. Each business has its own requirements and unique vulnerabilities. It’s only through a thorough risk assessment process that you can appreciate where your vulnerabilities lie, and it’s at that point that specific measures and their associated costs can be considered.
Security costs: a drain on resources or a wise investment?
The emphasis should be on the investment element of IT security rather than outlay. In June this year, the Federation of Small Business released a report showing that two thirds of small businesses have so far been victims of cyber crime. An actual or attempted security breach tends not to be a one-off event: on average a small business can expect to be a victim of four cyber crimes every two years - with the immediate effects of each crime costing its small business victim an average of almost £3,000. For major breaches, government data suggests that the average cost to a small or medium-sized business is between £75,000 and £310,000.
Those costs reflect the wide repercussions of a major security breach. As well as the costs associated with the initial disruption, this includes loss of contract revenue, regulatory penalties, higher insurance premiums and brand damage. Investment is essential for risk reduction - as well as for mitigation of loss if a breach does occur.
Here are three areas where resources should be deployed…
Reducing organisational vulnerability
Time and again, research shows that human error is the biggest trigger for the majority of security breaches, through employees unwittingly installing malware, sticking to a guessable password and other instances of ‘bad housekeeping’.
From a financial point of view, there's actually a plus side to this. It shows that businesses can go a long way in making their IT environment more robust not through a huge spend on tech solutions but by focusing on reducing organisational vulnerability - i.e. people, processes and procedures.
Certainly, it takes time and resources to put together training and operational guidelines to increase an organisation’s resilience. However, it’s essential to build a security-conscious office culture. The consequences of lax or reckless behaviour both to the business and to the employee concerned should be clear and understood. Spending time on this is both effective and extremely cost-effective.
Technological vulnerability: allocating responsibility
A culture of security awareness is important, but even with the most diligent workforce, security cannot be robust unless technological vulnerabilities are addressed too.
So who is responsible for this? Should you employ someone in-house or outsource it? The latter option can pay dividends on a number of fronts. It means avoiding the costs associated with recruiting and training an IT security specialist (including the costs associated with continuing training and development). It avoids you having to take a gamble on an untested new starter in a priority risk area - and it means that your IT staff spend can be devoted solely to your core business.
Technological vulnerability: putting the right solutions in place
Having decided who is going to be responsible for reducing your technological vulnerability, the next step is to counter those vulnerabilities. This isn’t about choosing a bundle of software, installing it and sitting back. It involves:
- having a thorough understanding of your IT infrastructure,
- designing measures that reduce its specific vulnerabilities,
- configuring those measures in the right way,
- monitoring those measures to ensure they remain fit for purpose.
Prohibitively expensive solutions are not necessary to stay secure. Proper attention to your organisational and technological vulnerabilities is where your focus - and your financial spend - should be directed.