Business Reporter

Making the most of a limited cyber-security budget


Jamie Akhtar at CyberSmart offers advice to SMEs wishing to stay cyber-secure during an economic downturn

 

Recession disproportionately impacts the little guy. This is a sad fact of life.

 

While large corporations undoubtedly feel the pinch, financial crises, such as the current cost of living crisis, are an irrefutable, existential threat for small and medium enterprises (SMEs).

 

In the scramble to cut budgets and keep insolvency at bay, it’s understandable that cyber-security spending might be first in the firing line. That, however, would be a mistake.

 

It’s important to remember that tumultuous economic landscapes are a breeding ground for crime. In fact, as the 2009 recession reached its zenith, the UK saw a staggering 40% increase in cyber-crime.

 

However, this doesn’t mean that every organisation needs the most advanced, expensive antivirus software or an in-house cyber-security team. Most cyber-attacks are relatively unsophisticated, and only succeed because a business is running outdated software or unpatched systems, or generally isn’t practising proper cyber-hygiene.

 

By taking a thoughtful, informed approach to cyber-security, it’s possible for SMEs to protect themselves without breaking the bank.

 

Protect your crown jewels

Your cyber-security policy should focus on four key areas - network, databases, documents, and employee devices. These are your crown jewels. They are tempting for cyber-criminals and disruption in any one of these areas could cripple your business.

 

Even if you are forced to slim down your cyber-security budget, make sure these areas are protected.

 

Network

Your network ensures the efficacy of hybrid working. It connects all of your endpoints - on-premises or otherwise - ensuring that your staff can work effectively from around the globe. If a hacker is allowed to get inside your network, they will have access to everything, including sensitive documents, company and customer data, and intellectual property.

 

Fortunately, there are some easy, low-budget steps you can take to ensure your network is protected:

  • Install a network firewall to filter network traffic
  • Use a virtual private network (VPN) to encrypt network traffic
  • Segment your network to remove single points of failure
  • Regularly update your router’s firmware 

Databases

Consumer data sells for millions on the dark web, and if your database defences are weak, hackers can and will exploit them. If your database is compromised you will not only have to throw money at recovering or replacing data, but your customers will lose faith in you, you’ll have to fight your way out of a public relations nightmare, and you’ll likely face major regulatory fines - some of which reach millions of pounds.

 

However, securing databases isn’t difficult. Follow these steps to protect your data: 

  • Encrypt your data - this can be done whether you use Windows or Google Docs
  • Install identity management software to verify access requests and ensure users can only access the data they need
  • Monitor and update applications to patch vulnerabilities
  • Use secure passwords and multi-factor authentication
  • Configure your cloud properly – don’t assume the default setup is correct

Documents

Surprisingly, it isn’t cyber-criminals that pose the biggest threat to your documents - it’s your employees. Staff accidentally corrupting or deleting files is both common and serious; it takes time and money to recover or recreate lost documents.

 

Keep in mind, however, that while hackers are less of a threat to your documents than your staff, particularly sensitive documents are a lucrative target for cyber-criminals, and must be protected.

 

To protect your documents from internal and external threats, make sure you:

  • Back up your documents regularly using the 3-2-1 rule - that means creating three copies of your data, using two different storage devices, and keeping one of your back-up copies off-site
  • Set permissions to prevent accidental deletion
  • Password protect sensitive documents

Employee devices

Hybrid working, while providing huge benefits, has seriously complicated cyber-security. Attack surfaces have grown, an increased onus is placed on employees to protect themselves and their employer, and an employee laptop left on a busy commuter train now poses a threat to entire organisations.

 

To protect your employee devices, it’s absolutely essential that you:

  • Use secure passwords and multi-factor authentication to prevent unauthorised device and account access
  • Regularly update antivirus software to protect against common cyber-threats
  • Enable remote data wiping so administrators can delete sensitive data from lost or stolen devices
  • Install full-disk encryption on company devices so hackers can’t access the hard drive without the password
  • Run cyber-security awareness training to instil best practices in your team

Get the most out of your investment

Now that you know what areas of your business must be protected, you can start thinking about how to save money. Here are three quick tips to help you maximise your cyber-security budget.

 

1. Think before you buy. 

Don’t purchase the first cyber-security tool you come across. Don’t be sucked in by good marketing, a great elevator pitch, or a persistent salesperson. Make sure you buy the tool that’s right for you; most SMEs simply do not need everything the most advanced cyber-security software offers.

 

Before you purchase a solution, look deeper at:

  • The features it offers
  • Management and maintenance requirements
  • Monthly costs
  • Support services

2. Consolidate your tools. 

Despite what the market suggests, when it comes to cyber-security, less is more. In fact, research from the Ponemon Institute even found that enterprises with over 50 cyber-security tools are less able to detect and respond to attacks than those with fewer solutions.

 

In short, more tools means more complexity. You’ll have to manage relationships with multiple vendors, process multiple invoices, and run multiple onboarding and training sessions for each tool. There’s also a financial impact of running too many tools - your solutions will have features that overlap, meaning you’re essentially paying for some features twice.

 

While it’s impossible to find a single solution that does everything, a review of your cyber-security solutions will likely reveal opportunities for consolidation and help trim the fat from your budget.

 

3. Get Cyber Essentials certified 

Last but not least, protecting your SME from cyber-crime is about building a solid baseline that will ward off the most common threats. You will never be able to create an action plan for every eventuality.

 

The UK government’s Cyber Essentials scheme aims to guide SMEs in creating that baseline - without the cost of hiring internal experts. By implementing the five simple technical controls, and getting certified, your business will be protected from up to 98.5% of cyber-threats.

 


 

Jamie Akhtar is CEO and co-founder of CyberSmart

 

Main image courtesy of iStockPhoto.com


© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543