Luke Dash, CEO of ISMS.online, explains how the impending recession will affect cyber-security and what businesses can do to make cuts responsibly.
The UK has now experienced four consecutive months of contracting economic activity and the Bank of England is anticipating a “very challenging” two-year recession. This unfortunate economic backdrop has many implications for businesses, such as postponing ambitious growth plans or necessitating cutbacks.
Unfortunately, cyber-crime also remains a real risk to business success, and it is an area that must be cut with caution. On average, organisations currently spend between 4% and 15% of their annual IT budgets on cyber-security. This is a considerable cost centre, but it is downright modest in comparison to the potential costs when something goes wrong.
Consider, for example, the case of KP Snacks. The manufacturer – known for beloved treats like KP Nuts and Hula Hoops – was attacked by a Russian cyber-crime group in January. The ransomware attack caused supply chain disruption for months and threatened the organisation with the release of sensitive documents.
The reported average cost of a data breach is over £3m, but costs can be much higher – and that’s before considering the reputational damage associated with a cyber-attack. In hours, an attack can undermine the trust that an organisation has spent years establishing, and convincing customers and clients that their data will be safe after an attack is an uphill battle.
There are also costs associated with regulatory action. Recently, for example, the parent company of fashion brand Shein was fined almost US$2m by the New York Attorney General for its poor handling of a data breach. While this hasn’t happened to a major company in the UK recently, it may just be a matter of time.
Although the government is working to crack down on cyber-crime – it recently launched the largest anti-fraud operation in history to take on a banking scam – its approach is often retroactive. The best way to avoid the negative consequences of a cyber-attack is to prevent the cyber-attack altogether.
Unfortunately, a robust defence isn’t cheap. As cutting costs becomes necessary for many organisations, here are considerations for reducing spend without compromising security.
Understanding: the first step to cutting costs responsibly
The first step to making reasonable adjustments to cyber-security spend is to understand the setup and risks as they exist today. In anticipation of a worsening economic climate, now is a good time for decision-makers to revisit the business’s asset portfolio and risk profile.
This will be an exercise in asking questions. Where is cyber-security spend going today? Is it working? In what areas could it be scaled back without increasing risk? What are the biggest threats? What are the best ways to counter those threats?
Answering these questions is often challenging for organisations since it requires a joined-up approach that brings together the C-suite, tech experts, and the finance function.
This interdepartmental conversation is essential to understanding where the budget is really going. It’s easy for organisations to invest in the wrong areas, for example by spending on tools and solutions that provide overlapping capacity. Another common mistake is to pay for defences against threats that pose minimal risk to the business.
Simple but effective
Collaborating across the organisation is also an opportunity to simplify the business’s systems. Consider what tooling and infrastructure are necessary and whether simpler alternatives could deliver the same results. Identifying and eliminating inefficiencies frees up funding, some of which can go back into cyber-security even if overall costs are being cut.
Eliminating overly complex systems also has significant security benefits. A maze of non-standard systems that have built up over the years is complex to maintain and requires a high level of familiarity. This can pose a challenge when it comes to reacting effectively to a crisis. An overly sensitive system can also result in alert fatigue, which can lead to security issues of its own.
To limit the accumulation of systems and processes, businesses can apply a zero-based budgeting approach to cyber-security.
Fortunately, organisations don’t need to approach cyber-security from first principles. There are widely accepted standards – such as those from the International Organization for Standardization (ISO) and the American National Institute of Standards and Technology (NIST) – that outline an appropriate level of security for organisations of different sizes and in different industries.
Demonstrating adherence to these standards can also offer a significant advantage when competing for business, since prospective customers and clients value organisations which demonstrate a commitment to security.
Maximising buy-in and retaining people
Another important dimension of maintaining an effective security system is to ensure that decision-makers understand its value. Executives looking at costs may see high spend on cyber-security and be tempted to make sharp cuts.
To avoid this, tech stakeholders must work closely with the CFO to ensure that they can present a strong, accurate case for a reasonable cyber-security budget. They could consider, for example, the downstream benefits of effective security for sales and customer satisfaction or highlight the risks by pointing to recent breaches of competitors.
The other human element to consider is the immense value of internal expertise. Qualified information security experts are hard to come by, and organisations that are looking to make cost savings should be careful to avoid driving them away with unreasonably harsh cuts.
Staying safe on a budget
A tightening economy will necessitate cuts, but decision-makers must be cautious not to cut the defences that keep the business safe. Making responsible choices when adjusting cyber-security spend depends on a clear understanding of the risks and status quo, working collaboratively across the organisation, and communicating effectively with the people making the final call.
Businesses that can master these will be able to maintain a constant level of security while carefully reducing spend.
Luke Dash is CEO of ISMS.online
Main image courtesy of iStockPhoto.com
This article was originally published on: www.teiss.co.uk/cyber-risk-management/cutting-cyber-costs-responsibly-staying-secure-in-a-recession
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543