Building a cybersecurity strategy on a constrained budget

(Image: a cloud on a digital background with a shield beside it. Credit: Shutterstock/ZinetroN)

Businesses are experiencing progressively higher volumes of cyber attacks year on year. Generative AI is increasing the sophistication of cybercriminals’ tactics, while the noisy threat landscape creates constant challenges for businesses to overcome. This is exacerbated by tighter cybersecurity budgets, which continue to be a challenge for companies building their security strategies. In fact, iomart’s latest security report found that 27% of organizations admitted they think their budgets are inadequate to fully protect themselves.

With the number of incidents increasing, the UK government has issued several warnings for businesses to tighten their security due to the heightened threat of nation-state attacks. In our research, we found that, while organizations already allocate approximately £40,190 toward vulnerability assessments, pen testing and red team arrangements, these aren’t always enough to deal with the sophistication of attackers. Now, more than ever, it’s vital that decision makers grasp the bigger picture of the threat environment and how best to build a robust strategy that is both reactive and proactive. However, against today’s challenging economic backdrop, geopolitical tensions and the aforementioned introduction of AI and ML models, aligning budgets with the growing need for security is a major headache for cyber security leads.

While not all cyber strategies will require enormous budgets, leaders should be increasing their spending on protecting their organization and its assets where they can, especially as less than half (49%) of security professionals have confidence in their business’s ability to handle threats such as phishing and malware, while even fewer (25%) believe they could tackle ransomware. This alone highlights the need for increased budgets to meet cybersecurity goals, particularly with rising insurance premiums and substantial costs for remediation.

Matt Dowson

Cyber Security Lead at iomart.

Laying the groundwork

If a business has done the necessary groundwork, creating a strong cybersecurity strategy should not break the bank. In fact, most organizations will already have the correct technology or sufficient budget to secure themselves; they just may not be using it efficiently.

Cloud and automation, for instance, are foundational to any cyber strategy. Our research indicates that 74% of organizations already rely on private cloud, while 65% lean on automation. Private cloud allows organizations not only to store all their information in one location but also to limit access to documents while having greater visibility and auditing powers over confidential data. Using the cloud provides automatic logs of user access and of edits to any documents, which helps security teams respond to security incidents because they can see how information is being handled.

Alongside this, automated solutions, such as SIEM monitoring, aid organizations in staying on top of potential threats and suspicious behavior. By using automated monitoring and resolution of security incidents, organizations can more easily filter through the noise of alerts and gain visibility into what’s going on in their networks. These are just two existing technologies that most organizations already have in use. They provide a good base for a security strategy, as they tend to be cost effective and secure. That being said, it’s vital that organizations know how best to allocate their budgets and which technologies and insurance to invest in. This is where understanding risk exposure comes in.

Maximizing security budgets

In order to get the most out of their budgets, it’s crucial that business and security leads understand the threat landscape and the risk they’re exposed to. This can be done by conducting a risk assessment that estimates the likelihood and impact of an attack while considering the types of threat actors that may be targeting the business and why. This allows an organization to fully assess the people, processes and technologies required to mitigate and limit the threat to its business, while also adhering to the evolving requirements mandated by cyber insurance policy providers.

Similarly, with rising insurance premiums, business leaders should ensure they are not paying for excess cover that they may not need, while meeting the qualifying criteria necessary for coverage. Typically, cyber insurance policies now mandate the following to be in place:

  • Strong access controls
  • Regular vulnerability assessments
  • Incident response plans
  • Employer/user awareness training
  • Multi-factor authentication (MFA)
  • Encryption
  • Privileged Access Management (PAM)
  • Continuous monitoring

By understanding their risk exposure, organizations are able to analyze effectively what type of coverage they would benefit from, and must then allocate the correct budget to be able to meet the specified criteria.

The biggest vulnerability

It’s well known that people are one of the largest causes of cyber incidents. As a matter of fact, 95% of cybersecurity breaches can be attributed to human error. This can be as simple as not following password best practices or accidentally clicking on a phishing link. Fortunately, our report found that over half (53%) of business executives agree that regular employee training is crucial to preventing human-related breaches. Adequate training will raise awareness of the types of threats that exist, as well as how employees can help identify and prevent them.

Our data also found that 63% of organizations have already invested in employee training over the past two years, and 55% plan on extending their cyber fluency to C-suite executives. However, unless all organizations institute thorough training, the vulnerability will remain. What organizations have to remember is that there is a possibility of an attack spreading across a supply chain; even the smallest mistake could prove grave for organizations within that chain.

Using existing technologies, training employees and picking the right premiums are the core of a strong security strategy. In a perfect world, organizations would allocate larger budgets toward a security operations center (SOC), proactive monitoring and incident response. Being purely reactive does not allow organizations to stay on top of the activity within their networks and could leave them blindsided once it’s too late. Ultimately, cybersecurity must not be an afterthought. With the right strategy and an understanding of where their risk lies, organizations can better build and maintain a secure cybersecurity strategy to protect themselves against the newest threats, even if they are working with budgetary constraints.

Matt Dowson is Cyber Security Lead at iomart.