How much should you invest in cybersecurity?
This is the million-dollar question facing leaders of growing businesses today. And a big challenge for small and medium firms is that they generally don’t have a million-dollar budget to counter the escalating cybercrime threat.
There is no simple formula to calculate optimum cybersecurity spend based on turnover or headcount. What works for one business won’t necessarily be right for another. However, it is possible to develop a proportionate and scalable response. The following tips can underpin a cyber strategy that is robust enough to cope, and flexible enough to adapt to the changing needs of a growing business.
Don’t assume you’re immune
When large organisations are affected by cybercrime, it makes national news. Yet the threat is just as real for small and medium sized firms. In fact, the risk can be even more pronounced.
Smaller businesses have lower resilience to withstand the financial, operational and reputational damage that can result from an attack. And some experts believe the mid-market is becoming increasingly attractive to cybercriminals – it’s an easier hit since larger businesses are professionalising their defences.
Any business with ambitious growth plans needs a well-optimised cybersecurity strategy. If a major attack happens, it could represent the difference between a minor blip or a more pronounced downward trajectory.
Establish an accurate cyber baseline
Vulnerabilities and assets requiring protection vary greatly between businesses of different sizes and sectors. This underlines the importance of analysing the genuine level of cyber risk for individual companies.
A detailed audit facilitates better understanding of weak spots and potential events that would have a major negative impact. Speaking with representatives from different departments is vital to gauge critical information assets and behaviours or processes that could put operations at risk.
Establishing which data is important, and the potential scale of impact if it’s compromised, drives informed investment decision-making and sophisticated strategy development.
Don’t expect tech to solve all your problems
The IT security industry is stepping up to the cyberthreat with advanced new technologies. Naturally, the most progressive solutions tend to be geared towards larger corporates with sizeable budgets.
But that doesn’t mean small and mid-size firms are helpless. Effective cybersecurity isn’t all about having the latest technologies. The cornerstone of best practice is good security protocols, including regular training of employees and risk analysis rooted in current cybercrime trends. When this is proactively managed by a dedicated internal resource or third-party provider, the strategy can adapt to the evolving threat landscape and changing business needs.
Take practical steps to de-risk
Information security is all about access. There is a fine balance to strike between allowing staff the information they need and keeping data secure. And as the security landscape changes, general maintenance, monitoring and patching are more important than ever. These tasks may be unglamorous, but they are effective.
Check that data is regularly backed up following the 3-2-1 rule: keep three copies of any important files on two different storage devices, one of which is held offsite without any connection to other back-ups. Encrypt the data for an added layer of security.
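The 3-2-1 rule above is easy to state and easy to drift away from as a business adds servers and cloud accounts. The following Python script is an added example, not code from the article or from Commercial IT Services: it takes a constructed inventory of backup copies and reports every way the inventory falls short of the rule (three copies, two devices, one offsite and disconnected copy) plus the encryption recommendation. The copy labels, device names and the decision to count the live primary as one of the three copies are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the important data, as recorded in a backup inventory."""
    label: str
    device: str        # storage device or medium holding this copy
    offsite: bool      # held at a different physical location
    isolated: bool     # no live connection to the other copies (no sync, no mount)
    encrypted: bool


def check_321(copies):
    """Return a list of findings; an empty list means the inventory satisfies
    the 3-2-1 rule as described above and every copy is encrypted.
    Assumption: the live primary counts as one of the three copies."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, the rule requires at least 3")
    devices = {c.device for c in copies}
    if len(devices) < 2:
        findings.append("all copies sit on one storage device, the rule requires 2")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no offsite copy")
    elif not any(c.isolated for c in offsite):
        # An offsite copy that syncs continuously with the others is still
        # reachable from a compromised network and can be encrypted or wiped
        # along with them, which defeats the purpose of holding it offsite.
        findings.append("offsite copy is still connected to the other backups")
    unencrypted = [c.label for c in copies if not c.encrypted]
    if unencrypted:
        findings.append("unencrypted copies: " + ", ".join(unencrypted))
    return findings


# Constructed inventory that meets the rule: primary on the office file server,
# a nightly copy on a separate NAS, and an encrypted offline copy held offsite.
COMPLIANT = [
    BackupCopy("primary", "file-server", offsite=False, isolated=False, encrypted=True),
    BackupCopy("nightly", "office-nas", offsite=False, isolated=False, encrypted=True),
    BackupCopy("offsite-tape", "tape-set-A", offsite=True, isolated=True, encrypted=True),
]

# Constructed inventory that looks like 3-2-1 on paper but is not: the second copy
# is a snapshot on the same server, and the "offsite" copy is an always-on,
# unencrypted cloud sync.
WEAK = [
    BackupCopy("primary", "file-server", offsite=False, isolated=False, encrypted=True),
    BackupCopy("snapshot", "file-server", offsite=False, isolated=False, encrypted=True),
    BackupCopy("cloud-sync", "cloud-bucket", offsite=True, isolated=False, encrypted=False),
]

if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT), ("weak", WEAK)):
        result = check_321(inventory)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run against a real inventory, the useful output is the list of findings rather than a pass/fail: each finding maps directly to a remediation task (add a copy, move one to separate media, take the offsite copy off the network, turn on encryption), which is the kind of proportionate, prioritised action a smaller business can budget for.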
Ensure the strategy grows with the business
Testing defences and discovering user vulnerabilities is essential to combat risk. This is especially true in a growing business with regular new starters and departments which may be grappling with other business growth challenges.
Ensure that people handling a lot of email attachments – for instance in HR and accounts – understand the importance of verifying senders. Consider ‘simulated phishing’ exercises to identify individuals and teams with training needs. This helps ensure everybody in the business is alert to the risk and provides a benchmark to measure ongoing performance.
In a fast-growing business, disaster recovery and business continuity plans should be reviewed and refined every other year. Many companies find that boilerplate plans developed years ago are inadequate when a cyberattack hits.
Cybercrime is one of the biggest business challenges of the digital age. It’s not a case of ‘if’ an attack will happen, but ‘when’. Developing a response that is proportionate but effective is a critical success factor for any growing business.
Richard Keatinge is the chief operating officer at Commercial IT Services.