Over the past couple of years, we have seen more small-to-midsize businesses become victims of cyber-attacks than ever before.
According to Verizon’s 2019 Data Breach Investigations Report, 43% of the breaches analyzed involved small business victims. A primary reason is that larger businesses are investing far more money and staff in building robust cybersecurity programs, making it harder for threat actors to reach their sensitive data. To put this into perspective, J.P. Morgan Chase spends roughly $600 million each year on cybersecurity with an IT security staff of around 3,000, and it has forecast increases to both numbers for 2020.
This has pushed cyber criminals toward small-to-midsize businesses, which are prime targets because of limited security awareness and constrained budgets for even basic IT security controls. Determining the specific threats and risks your business faces is the critical first step in sizing an IT security budget.
Prioritize Your IT Security Budget Based on the Threats and Risks of Your Industry
Every business faces particular cybersecurity threats and risks depending on the industry it serves. For example, a financial services business that stores client bank account information is a natural target for DDoS, spoofing and phishing attacks. The consequences can include extensive financial and reputational damage, civil lawsuits, and fines and penalties from regulators and government agencies.
The controls needed to address those risks, such as performing a security risk assessment, deploying firewalls to properly segment the network, or installing a SIEM (Security Information and Event Management) platform, are what drive the cost, and their price should anchor how much you budget to protect sensitive data and mitigate the risk of a data breach.
Questions to Ask When Building an IT Security Budget
- What are the greatest and most common threats to our specific industry? Threat intelligence reports specific to your industry are available online and are a great source of information for making sound budgeting decisions.
- What percentage of our IT budget should we allocate to IT security? According to Gartner, a leading IT research and advisory firm, businesses should be spending 4-7% of their IT budgets on security.
- Do we have access to qualified resources to assist us with the IT security budget process? If you lack internal resources, cybersecurity consulting firms can support you; that expense should be included in the security budget.
- Are there any online tools we can leverage to get started building an IT security budget?
A Case Study
Having worked in the cybersecurity industry for over a decade, we have seen firsthand the consequences of having no budget and no basic IT security controls in place. In one case, we received an urgent call from a well-established law firm asking whether we could assist with a ransomware attack.
The attackers had taken complete control of the law practice’s network, cutting the firm off from all of its client data. The entire office was paralyzed. The criminals had also seized the backups, leaving the firm with no independent copy of several hundred thousand files; a backup that an intruder on the network can reach is not a recovery option, and this one was not. The firm’s choices were to pay the ransom, or to report the incident to the proper authorities, most likely face fines and penalties, and then be forced into bankruptcy by the loss of revenue, clients and brand damage.
We were able to negotiate the ransom on the client’s behalf and were extremely fortunate to recover all of the data. The entire engagement lasted about six weeks and the costs exceeded six figures. What the firm paid out in those six weeks could have covered its IT security budget for five years or more.
We strongly urge all SMBs to be proactive and build an IT security budget to avoid setbacks like this one. Until next month, wishing you a safe and prosperous journey in cyberspace!