Cyber security on a shoestring: maximizing your ROI


With nearly a third of companies now falling victim to cyber-attacks, organizations know they need to invest in adequate defenses. But they don’t always have a big budget to do this. The good news is there are several options for businesses that need to be efficient and make the most of what they already have. Here, we consider how businesses can guard against the risk of cybersecurity threats without breaking the bank.

Maximizing cyber security ROI

Creating a robust cyber strategy for the unique needs of your business is vital to ensure you are focusing your attention on what’s most significant. You should start by identifying the purpose and goals of your organization.

For example, if you are a food manufacturer, your purpose may be to supply supermarkets with pre-packaged sandwiches, and your goal is to produce 200,000 packages per day. If that processing facility were to go offline for one day due to an attack, what would be the impact of failing to produce those sandwiches? This might include a revenue loss of £100,000 per day, reputational damage, legal fees and the potential for retailers to exercise contract break clauses.

By imagining your worst day, you can start to get a clearer picture of what systems are critical to business operations and what downtime you can afford. This will help you to identify where investment and resources are most needed.

Richard Nelson

Senior Technical Consultant at technology company Probrand.

Protecting your key assets

The next step is to understand if the defenses you have in place currently can adequately protect critical systems, networks and data. To really put this to the test, consider using an internal or external security team to attack those systems then record what happens. You’ll want to know:

  • How did you identify the attacks?
  • What contained or eradicated the attacks?
  • What was the response / aftermath?

This exercise can reveal your strengths and weaknesses when it comes to the technologies, people and processes you have in place to protect the business.

Technologies – Learnings from these types of exercises nearly always reveal ways to optimize existing tools and technologies and operate more efficiently. For example, you may discover you have duplicate tools and there is an opportunity to cancel contracts and reinvest. In addition, there may be underutilized native security settings you could be taking greater advantage of – such as a built-in email filter to protect against spam and phishing emails.

You may find software updates and patches are not up to date. This is an easy win to prevent vulnerabilities, as many of these updates can be automated, such as with the best patch management software. It may also be that configuration improvements can help fill any gaps or weaknesses you may have identified.

People – Implementing measures that encourage staff to adopt a ‘zero trust’ mindset will help to minimize the chance of an attack being successful. There are several low-cost activities businesses can take to create this strong security culture.

Much like you would review the tools and technologies in your organization, it is well worth spending time to review what skills exist within the security and IT teams, as well as the wider business. Are there opportunities to spread knowledge and cross-train staff? Know-how can be shared in many ways. This may be through lunch and learn events or more formal training and simulations. This does not need to be expensive. There are also a number of free resources available, including Dracoeye, which can be used by teams to search and identify any security threats.

In addition to training, organizations need to focus on creating a culture where staff are encouraged to report suspicious activity without fear of “getting it wrong.” To aid this, consider using a dedicated portal where staff can share any issues and where anything immediately dangerous can be escalated. The worst scenario is where staff are too afraid to say anything. You want people to feel they are in an environment where they can speak up without fear of repercussion.

Processes – Finally, it’s important to look at the processes and solutions you have in place if the worst should happen. This is all about planning. It’s about knowing how each part of the business will keep functioning until a clean-up can be carried out. Do you understand what your legal obligations are in terms of informing customers? Depending on the nature of the breach, you may also need to inform authorities, such as the Information Commissioner's Office (ICO) if based in the UK. Staff will always feel better if they know there is a playbook and a plan for each scenario.

By following these steps, businesses can make more of what they have and identify opportunities to redistribute budgets and make immediate savings. The biggest victory, however, is having an effective cyber strategy that the business is confident in. This will vastly reduce the risk of financial and reputational damage and allow the business to continue to deliver on its goals.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
