
Optimising Cyber Security Costs In A Recession

By Andy Swift | May 2, 2023 | Updated: August 22, 2024 | 5 Mins Read

Businesses today are facing two acute challenges – the economy and cybercrime. This is forcing CISOs to make some tough decisions about spending. The UK government’s Cyber Security Breaches Survey 2022 found that in the last 12 months, 39% of UK businesses identified a cyber-attack, while 31% of businesses estimated they were attacked at least once a week. Amidst these rising threat levels, it has never been more important to stay secure while keeping costs within budget.

As cyber risks continue to increase, budgets remain stagnant – in fact, a report into cyber threat defence in 2022 highlights that security budgets in the UK have remained flat since 2021. This creates tension for CIOs who are still being advised to boost IT security while costs are such a monumental concern. The reality is that CIOs need to do more with less. Organisations must streamline outgoings where possible to remain lean and productive – and above all secure. With the right planning and effective processes, leaders can save on costs and put in place the controls that can reduce any unnecessary exposure to risks.

Taking a holistic approach to cyber defence

Effective security practices don’t always need to break the budget. Taking a holistic approach to cyber defence that covers the tech ecosystem can reduce the risks of any gaps in protection that would otherwise leave the organisation open to exploitation. Some ways to build a robust cyber security framework include:

  • Addressing asset management

This means maintaining an accurate and centralised inventory of all IT assets. Tracking the lifespan of each IT asset is essential to ensure that software patches and updates are kept up to date. Security pros can streamline resources by identifying and appropriately decommissioning any old equipment or software that is obsolete or end of life.

Knowing where hardware and software inventory is located and how it is protected makes it possible to identify misconfigurations and address potential security gaps. It also makes it easier to enforce security requirements, identify unmanaged devices, and determine which users with access to critical systems lack protections such as multi-factor authentication.

  • Empowering employees to become the organisation’s first line of defence

Although it seems like yet another investment, training employees can play a major part in keeping the security budget lean. With human error becoming the top cause of ransomware breaches – in fact, according to the World Economic Forum, 95% of all cyber security issues can be traced to human error – cyber security has become as much a people problem as it is a technology problem. An employee who is unaware of attack methods can open an email, or click on a link in it, that potentially downloads malware or redirects to websites designed to steal intellectual property or money, leaving their organisation wide open to risk.

The initial time, cost and resources channelled into a proactive and continuous training programme are nothing when compared to the potentially devastating consequences and costs of a successful cyber security breach. Training on good cyber practices and behaviours and reporting of suspicious or unusual activity can stop a potential attack in its tracks.

The most effective way to conduct training for the wider workforce is through real-world training experiences that actively engage workers based on actual risk-based scenarios. For instance, running simulations and gamified interactive training can create a more relevant and rewarding learning experience.

  • Making smarter security choices

With cybercriminals’ sophisticated methods often keeping them a step ahead of security teams, making cuts in cyber security investments is a growing concern. However, an investment in expensive security tools can be misplaced if organisations fail to put in place strong foundations for security.

By systematically reviewing processes such as continual network monitoring and multi-factor authentication, keeping up to date with patching, and making the most of resources, as well as focusing on training, CIOs will elevate organisational resilience. This will increase their digital defences and overall security posture. Additionally, deploying dedicated cyber security tools will bolster these good practices while staying cost-effective.

In challenging economic times, a reset of cyber security priorities is essential to review all finite resources and where they can best be deployed. All too often organisations conflate good security practices with good security purchases, so their efforts end in buying new, unneeded security tools that duplicate effort and further compound the team’s resource management challenges.

Cyber resilience is a perfect blend of tech and human expertise

With the risks of a cyber breach potentially including the loss of data, fines for non-compliance, a ransom, or lasting reputational damage, prevention is better than cure. Focusing spend on reviewing practices like asset management in a bid to minimise attack vectors, ensuring that security policies are clearly and widely articulated and implemented, and securing all endpoints will be mission-critical.

True cyber security means combining automation, human expertise and 24×7 support to defend against the constantly evolving threat landscape. A training programme that empowers the entire workforce with ways to detect and offset the latest threat vectors will build a culture of cyber security that enables the most advanced, affordable, and long-term resilience.

Andy Swift

Head of Offensive Security

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
