Today’s business leaders are grappling with two opposing challenges. On the one hand, present-day global economic and recessionary pressures mean spending policies need to be reviewed and cash reserves built up. On the other hand, the volume and increasing sophistication of cybersecurity threats means the enterprise needs to maintain and bolster its defenses to avoid being compromised.
This presents CIOs with a major conundrum. With cost now a universal business concern, the pressure is on to trim the fat wherever possible, and security is no exception. Yet currently there’s no shortage of advice telling CIOs to put security first and increase IT security purchases to counter the heightened cyber threat landscape.
While there’s an obvious argument for increasing cybersecurity investment to counter the growing number of attackers looking to exploit vulnerabilities, commercial realities mean that CIOs are being asked to do more with less.
The good news is that with proper planning and effective processes, it is possible to both save on costs and mitigate risks.
Double down on asset management
Good security practices don’t need to cost the earth. During times of budgetary constraint, it pays to invest in holistic actions that will reduce the prevalence of potential vulnerabilities that are ripe for exploitation.
Asset management is a key foundational area that can be addressed to minimize cyber risk. Maintaining an accurate and centralized inventory of all IT assets and tracking the lifespan of each IT asset is vital for ensuring that software patches and updates are applied in a timely manner. It also ensures that redundant or end-of-life assets can be appropriately decommissioned.
Knowing where hardware and software inventory is located and how it is protected makes it possible to identify misconfigurations and address potential security gaps. It also makes it easier to enforce security requirements, identify unmanaged devices, and identify which users with access to critical systems lack protections such as multi-factor authentication.
Removing IT that no longer serves a purpose, and updating old equipment and software before it reaches end of life, is key to strengthening the organization’s security posture. With the right planning and good basic asset management practices in play, organizations will be able to put in place the controls that reduce unnecessary exposure to risk.
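As an added illustration (not from the original article) of the checks this section describes, the following script reconciles a constructed central inventory against a constructed discovery sweep and identity export; the record field names are assumptions for this example:

```python
from datetime import date

# Constructed sample data: a central inventory, a discovery sweep and an
# identity export. Field names are assumptions for this illustration.
INVENTORY = [
    {"hostname": "fs01", "eol": date(2023, 5, 31),
     "last_patched": date(2023, 1, 10)},
    {"hostname": "web02", "eol": date(2026, 1, 1),
     "last_patched": date(2023, 3, 1)},
    {"hostname": "lab07", "eol": date(2025, 1, 1),
     "last_patched": date(2022, 9, 1)},
]
DISCOVERED = ["fs01", "web02", "lab07", "printer-3f", "nas-old"]
USERS = [
    {"user": "alice", "critical_access": True, "mfa": True},
    {"user": "bob", "critical_access": True, "mfa": False},
    {"user": "carol", "critical_access": False, "mfa": False},
]
AS_OF = date(2023, 4, 1)  # reporting date for the checks below

def unmanaged_devices(inventory, discovered):
    """Hosts seen on the network with no inventory record."""
    known = {a["hostname"] for a in inventory}
    return sorted(h for h in discovered if h not in known)

def end_of_life(inventory, today, warn_days=90):
    """Assets past end-of-life or due within warn_days: plan decommissioning."""
    return sorted(a["hostname"] for a in inventory
                  if (a["eol"] - today).days <= warn_days)

def stale_patching(inventory, today, max_days=60):
    """Assets whose last recorded patch is older than the policy window."""
    return sorted(a["hostname"] for a in inventory
                  if (today - a["last_patched"]).days > max_days)

def privileged_without_mfa(users):
    """Users with access to critical systems who lack MFA."""
    return sorted(u["user"] for u in users
                  if u["critical_access"] and not u["mfa"])

if __name__ == "__main__":
    print("unmanaged:", unmanaged_devices(INVENTORY, DISCOVERED))
    print("end of life:", end_of_life(INVENTORY, AS_OF))
    print("stale patching:", stale_patching(INVENTORY, AS_OF))
    print("critical access without MFA:", privileged_without_mfa(USERS))
```

Each list is a work queue for the asset owner: enrol or remove the unmanaged hosts, schedule the end-of-life and unpatched assets, and enforce MFA for the flagged accounts.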
Empower employees to become the organization’s first line of defense
It may sound counterintuitive, but investing in training employees is another way to cut cybersecurity costs. In terms of resource, effort and outlay, the expense of putting in place a rigorous and continuous training programme pales into insignificance when compared to the operational, commercial, and reputational cost associated with a breach.
The hard reality is that cybersecurity is as much a people problem as it is a technology problem. Last year, phishing and malicious email attachments were the most common attack vector experienced by UK businesses. Opening these emails or clicking on their links can download malware, or take employees to websites used to steal intellectual property or even money.
Any employee who is uninformed about even the most basic types of threat leaves an organization open to substantial risk. Ensuring that everyone knows the latest cybercriminal ploys, is aware of their responsibilities with regard to good cyber practices and behaviors, and knows what to do when they encounter suspicious emails or other threat events will help minimize the chance of a security compromise.
Rather than paying lip service to the task of training the wider workforce via emails and PowerPoint presentations that are easy to ignore, organizations should ideally invest in real-world training experiences that both motivate people to engage and put into practice what they learn, for example simulations that prepare employees for common exploits, and gamified interactive training that makes learning more relevant and rewarding.
Making smarter security choices
The economic downturn is forcing organizations to make some tough decisions about spend. With cybercriminals waiting in the wings, there is growing concern about whether cutting cybersecurity investment is a false economy. However, investing in expensive security tools will be ineffective if organizations neglect to put the right foundational security practices in place.
When it comes to elevating organizational resilience, CIOs don’t need to choose between savings and safety. By reviewing processes, revisiting the basics, making the most of existing resources, and focusing on internal training, organizations can increase their security and digital resilience. Selectively deploying cybersecurity tools and product kits can then complement these good practices in a highly cost-effective way.
In a downturn, it pays to reset cybersecurity priorities and review how and where finite resources can best be deployed. Unfortunately, all too often organizations conflate good security practices with good security purchases, in the misbegotten belief that, somehow, it’s possible to “buy security”.
Ultimately, achieving cyber resilience involves people, processes, and technology. In times of financial restraint, prevention is better than cure. Focusing spend on reviewing practices like asset management in a bid to minimize attack vectors, assessing whether security policies are clearly articulated and effectively implemented, and having documented procedures for things like endpoint security and identity and access management will be mission critical. So too will be a training programme that builds true cyber resilience across the entire workforce.