18 September 2024

How to get the most out of your limited cybersecurity budget

Most of us working in IT and information security are trying to improve our cyber resilience and mitigate business risks with a limited budget.

We find ourselves working to address the next greatest risk first, getting the best result we can for as little money as possible, and building incremental improvements. But without trial and error or years of experience, how do you know you are spending your budget on the right things? In this blog post, we will share how some organisations spend their cybersecurity budget, and how they measure whether their spending is effective or not.

Please sir, can I have some more?

In a perfect world our budget for cybersecurity would be unlimited. At the very least, those who hold the purse strings would allocate enough budget so you can take proportionate action to secure the business and its data. The complaint is almost universal: whether your company is 50 people, 500, or 5,000, almost all of us feel that we don’t have enough budget to achieve all of our cybersecurity goals. We may prioritise the most pressing and urgent, while delaying the others until the next fiscal year. So, what is the minimum your budget needs to cover for a small-to-medium sized business? Your cybersecurity budget should be proportionate to the risks to your business. But how can you put an approximate figure on the risks you face? Consider the following:

  • The value of your physical assets
  • The value of the data you are trying to protect, as calculated by:
    • Potential fines from the ICO should you suffer a data breach
    • Compensation to victims, should their personally identifiable information be exposed
  • The cost of downtime and disruption to business continuity

As an upper limit, your cybersecurity budget should not exceed the value of your IT assets and the expected financial cost of these eventualities. For more information on how to calculate the value of risks to your business.

Getting the basics right

If you’re new in role, have recently taken on cybersecurity responsibility, or you just don’t know where to start, the task can be dauntingly complex. Before you start deciding what you will spend your budget on, here are three essential activities to get you started:

  • IT asset mapping: You can’t protect what you don’t know you have, and threat actors love to target assets that are underused, forgotten, and thus not protected as well as they should be.
  • Patch management: Once you have a clear idea of where your assets lie, a robust patch management programme will ensure that threat actors can’t exploit easy weaknesses in older versions of applications and software.
  • Two-factor authentication: Enabling 2FA for login to user accounts is an easy win. This will vastly improve your security controls around identity and access management. It is essential that you enable 2FA for all services that attackers are likely to target.

Provided you have the right skills and resources, some of these activities can be completed in-house. For those that can’t, consider contacting a managed security service provider to help you. Now, it’s time to break open the piggy bank and get out the catalogues. What will you spend your birthday money on?

1. Security Risk Assessment

What are the greatest threats facing your organisation? Where do your potential security weaknesses lie? How should you allocate budget to make sure you tackle the greatest risks first? A Security Risk Assessment is a consultancy exercise designed to gather information so you can better understand the relative value of your IT assets and the information they store, your potential security weaknesses, and your organisation’s current and future security risks, scored by the likelihood of their occurring. A Security Risk Assessment will help you evaluate the risks to your organisation, forecast your optimum cybersecurity budget and maintain compliance with regulatory requirements.

During the assessment, consultants will gather information using interviews and analysis of documentation to better understand vulnerabilities, and the likelihood and overall impact of threat events occurring. Then they will map out and evaluate the existing security controls, including policies, processes and their supporting documentation. Finally, they will compile a report detailing all the potential risks impacting the organisation, including security recommendations for mitigating those risks, scoring each finding based on the risk it presents to the organisation. Afterwards, you can use the scores on your risk index to decide how best to allocate your limited budget, or you can work with a security consultant who can help you devise a balanced plan to bolster your security posture. This could include a mixture of relevant offensive security testing, which realistically replicates how an attacker would target your organisation, and defensive security measures such as detection and response technology.

2. Cyber Essentials Plus

Cyber Essentials (CE) is a UK government-backed scheme designed to help organisations protect themselves from basic cyberattacks. It is required for all businesses that are part of the UK Government supply chain. Getting a Cyber Essentials Plus certification will help your organisation demonstrate that you have a baseline level of cybersecurity, but the process of working towards the accreditation will also act as a gap analysis, showing where your security controls are weakest and suggesting appropriate measures to meet the required standard. This gap analysis is organised around a specific objective: which security controls you need to implement to achieve the Cyber Essentials Plus accreditation. Note that achieving Cyber Essentials Plus is accepted as a minimum baseline – a starting point from which to build more specific security controls that will help defend against more persistent and sophisticated attacks.

3. Vulnerability scanning and penetration testing

For this section we have combined two separate but adjacent services. Vulnerability scanning and penetration testing feed into one another. Vulnerability scanners inspect networks, devices, and applications for known vulnerabilities and then score them. They can identify problems, but they can’t investigate them. By contrast, the purpose of a penetration test is to identify all possible vulnerabilities that exist in a specific application, system, or scope; understand these in an organisational context; report on the risk they introduce; and define suitable remediations, all at a single point in time. Unlike a scanner, penetration testers must also demonstrate that a cyber attacker could actually exploit each vulnerability. Let’s take a ballpark figure – around £10,000. What can you scan and test for this budget?

  • Continuous vulnerability scanning for 200 internal IPs for one year
  • Point-in-time penetration testing for two average-sized web applications
  • Continuous scanning and testing for one complex and two basic web applications for one year (using Claranet Continuous Security Testing).

How you decide what to test will depend on the nature of your business and your IT estate. For example, if you are a retail business then your online shop (or other e-commerce web applications) will be crucial for your business. However, we know that new attack techniques for web applications emerge weekly, and development teams are under pressure to release and debug new features, which can result in security vulnerabilities going undiscovered for many months. If this applies to you, then you will likely benefit from using Continuous Security Testing to uncover and fix vulnerabilities in your web applications as they arise.

4. Upgrade your endpoint protection solution

Many organisations are challenged by a lack of investment and skilled staff to defend themselves against new threats; modern malware and ransomware can evade legacy anti-virus and spread quickly. Next generation endpoint protection uses behavioural AI to spot the latest attacks and can contain them quickly, but human input and fast reaction times are still required to prevent a potential breach. This next-generation anti-virus underpins solutions like Endpoint Detection and Response. Because this requires a combination of people and technology resources, the ability to prevent or remediate an attack is still out of reach for most organisations, which instead look to managed security service providers to leverage the expertise of their SOC when managing these tools. Endpoint Detection and Response helps you:

  • Detect cyberattacks 24/7/365
  • Prevent or contain attacks in progress
  • Eradicate threat actors, malware and ransomware

Endpoint Detection and Response looks for suspicious activity to detect indicators of compromise. But in order for the technology to be effective, it must be supported by skilled analysts who respond to security alerts generated by endpoints on your network in real time, separating false positives from genuine threats. In the event of a cyberattack, they should support you with a battleplan tailored to your business. Outside of cyberattacks they should also provide continual threat hunting, to ensure you are protected from the latest attacks. The cost of endpoint protection will vary depending on the number of endpoints you are trying to protect, as well as the EDR platform you choose. As we have written elsewhere, partnering with an MSP for this exercise can help reduce your costs for building your threat detection capability.

5. Develop your incident response plan

The businesses best able to weather the storm of a cyberattack are those with a detailed incident response plan. The best incident response plan is one that has been prepared far in advance and regularly tested. A good incident response plan should contain:

  • Who in your organisation should be contacted first and why
  • The roles and responsibilities of everyone involved in the incident response plan
  • Procedures for investigating the extent of the damage. What data has been compromised?
  • Procedures for quarantining the attacker and removing them from the network
  • Notification procedures for the Information Commissioner’s Office (ICO) in the event of a data breach
  • PR and communications plan for customers
  • Digital forensics and investigation process and a plan to collect the lessons learned. How did the attacker get in, and what remediations need to take place so that this does not happen next time?

Many companies partner with a Cyber Security Incident Response Team (CSIRT), paying to have a third party on retainer, or receive this same service through their cyber insurance provider. However, there are also one-off exercises, such as tabletop simulations guided by security consultants, which will help you develop your incident response plan. The purpose of tabletop simulations is to test the effectiveness of your incident response plan and identify improvements and additional options.

6. Social engineering awareness

Your employees are the first line of defence, sometimes known as “the human firewall”. The purpose of social engineering simulations is to identify and measure how resilient your employees are against social engineering attacks, identify which user groups are most susceptible, and show where additional training is needed. In some cases, such an exercise might take the form of a simulated phishing campaign, or it could be part of a targeted attack simulation, such as a penetration test. Initial training should be compulsory for all employees when on-boarding, and information security awareness training should be performed at least annually. Subsequent simulated phishing campaigns should be staged and continual. There should be specific and extended training for those handling sensitive data or processing financial transactions.

7. Train your defenders

One of the best long-term investments is to build the skills of your in-house security team. Training courses should follow a defence-by-offence methodology: those teams charged with building adequate security controls to defend your IT estate should know:

  • How an attacker thinks
  • What assets on your estate they will target and why
  • Which attack techniques they will use to target those assets
  • Which security controls are adequate to defend against those attack techniques
  • Which security controls are appropriate and proportionate for your IT estate, its users and the data you are trying to protect

Moreover, training courses should be focused around teaching practical, hands-on defensive measures, not just theory alone. Look for training providers that offer practical instruction and opportunities for delegates to hone their skills after the training has ended.

How to measure bang for your buck

In cybersecurity, it’s often difficult to measure the value of your efforts. While it’s easy to keep track of how much you’ve spent, it’s much harder to put a clear monetary figure on the value it delivers for the business. Why? One reason is that we often use incorrect or insufficient terminology. Return on Investment is a misnomer because there is no financial return. A better way to see cybersecurity’s function in the business is as a form of cost avoidance: an investment made to prevent future costs. This can be described in other ways, such as preventative costs or risk mitigation costs, which are incurred to reduce or manage the risk of adverse events. This includes costs aimed at preventing potential future losses by implementing controls or safeguards.

Determining how big your future cost will be will also help you determine which security controls you should invest in now, and how much to invest over time. But this also relies on variables, estimates and predictions. Want to estimate the cost of cleaning up after a ransomware attack? Find a similarly-sized business in your industry that has suffered one. How much was the ransom? How much was the cost of their incident response? Were they fined? This is the total cost you want to avoid. Don Gasparavicius, Group Information Security Officer at Claranet, describes:

Such calculations will help you discern whether your cybersecurity budget is large enough to combat the risks you face, or help you make a case for a larger budget. At the end of the day, however, working within a limited budget means taking reasonable and proportionate measures to protect your systems and data. Fines issued under GDPR take this into account, but you must be able to demonstrate that the measures you have taken are indeed reasonable and proportionate.

Know thyself

As we have written elsewhere, taking a risk-based approach to implementing security will help you prioritise which actions to tackle first, and therefore how best to apportion your budget. But knowing your IT estate, your threat landscape, and the greatest risks to your business can be a challenge in itself. If you don’t know where to start, here are three things you can do first:

  1. Conduct an IT asset mapping exercise to understand what you must protect
  2. Build a risk register describing those IT assets which are highest value to you and those which present the greatest risk to your organisation if compromised
  3. Conduct scenario planning to establish your principal security concerns. Any scenario which negatively impacts the Confidentiality, Integrity or Availability of your highest-priority assets should be tested
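The cost-avoidance reasoning in the previous section and the risk register in step 2 above both come down to the same arithmetic: estimate how likely each scenario is and what it would cost, rank scenarios by expected loss, and spend a fixed budget on the controls that remove the most expected loss per pound. The following script is an added example, not Claranet's own tooling or method. All scenarios, probabilities, impact figures, control names, costs and reduction factors are constructed for illustration, and the greedy "best reduction per pound" allocation is one simple strategy that this example assumes, not a prescription from the post.

```python
"""Risk register with expected-loss ranking and greedy budget allocation.

Added example with constructed figures; the scoring model (annual probability
times impact, controls scaling probability down) is an assumption for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    scenario: str
    annual_probability: float   # estimated chance the scenario occurs in a year
    impact_gbp: float           # estimated cost if it does: fines, compensation, downtime

    def expected_loss(self) -> float:
        """Annual expected loss: the future cost this risk contributes."""
        return self.annual_probability * self.impact_gbp


@dataclass
class Control:
    name: str
    cost_gbp: float
    # scenario -> fraction of that scenario's probability the control removes (0..1)
    reduction: dict


def expected_loss_total(risks, applied=()):
    """Total annual expected loss once the given controls are in place."""
    total = 0.0
    for r in risks:
        p = r.annual_probability
        for c in applied:
            p *= 1.0 - c.reduction.get(r.scenario, 0.0)
        total += p * r.impact_gbp
    return total


def prioritised(risks):
    """Risk register sorted so the largest expected loss comes first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def allocate_budget(risks, controls, budget_gbp):
    """Greedy allocation: repeatedly buy the affordable control with the best
    expected-loss reduction per pound until nothing affordable helps."""
    chosen, remaining, candidates = [], budget_gbp, list(controls)
    while True:
        baseline = expected_loss_total(risks, chosen)
        best, best_ratio = None, 0.0
        for c in candidates:
            if c.cost_gbp > remaining:
                continue
            saved = baseline - expected_loss_total(risks, chosen + [c])
            ratio = saved / c.cost_gbp
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            break
        chosen.append(best)
        candidates.remove(best)
        remaining -= best.cost_gbp
    return chosen, remaining


# Constructed sample register: figures are illustrative only.
RISKS = [
    Risk("e-commerce web app", "web app breach", 0.20, 250_000),
    Risk("file server", "ransomware", 0.10, 400_000),
    Risk("staff laptops", "phished credentials", 0.30, 50_000),
    Risk("office printer", "misuse", 0.05, 5_000),
]

# Constructed sample controls (hypothetical prices and effectiveness).
CONTROLS = [
    Control("2FA on all remote logins", 3_000, {"phished credentials": 0.8, "ransomware": 0.3}),
    Control("Continuous web app testing", 10_000, {"web app breach": 0.6}),
    Control("Managed EDR (per year)", 20_000, {"ransomware": 0.6, "phished credentials": 0.3}),
    Control("Annual penetration test", 8_000, {"web app breach": 0.3}),
]


if __name__ == "__main__":
    print("Risk register by expected annual loss:")
    for r in prioritised(RISKS):
        print(f"  {r.asset:20s} {r.scenario:20s} £{r.expected_loss():>10,.0f}")
    chosen, left = allocate_budget(RISKS, CONTROLS, 25_000)
    print("\nControls bought with £25,000:")
    for c in chosen:
        print(f"  {c.name} (£{c.cost_gbp:,.0f})")
    print(f"Unspent: £{left:,.0f}")
    print(f"Expected loss before: £{expected_loss_total(RISKS):,.0f}, "
          f"after: £{expected_loss_total(RISKS, chosen):,.0f}")
```

With these constructed numbers the cheap 2FA control is bought first because it removes the most expected loss per pound, continuous web testing second, and the point-in-time penetration test third; the EDR service is left unbought only because it no longer fits the remaining £12,000, which is exactly the kind of result that makes the case for a larger budget rather than a different allocation.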

If you don’t have the expertise to complete this yourself, partnering with a managed security service provider will help; understanding your industry, the threat landscape, your risk appetite and the value of the systems you are trying to protect will enable them to assist you in devising a clear strategy. To discuss your cybersecurity needs and challenges, including how to spend your budget, get in touch for a no-commitment 1:1 consultation. Whether it's a specific solution you need more information on or a question you can't find an answer to, we're here. To find out more, explore our cybersecurity services such as penetration testing, managed security services and training.