Staying Lean with Cybersecurity Efforts when Budgets are Tight

SUMMARY:

• Cybercrime is projected to increase amid declining economy and security budget cuts.
• Direct and indirect cost of a cyberattack. Is cybersecurity an expense or an investment?
• Key strategies to cut spending without compromising security.

2022 is becoming the year that is drastically changing the cybersecurity landscape. Declining economy is affecting all industries and their operations, and it has not left the cybersecurity sphere unaffected. We are witnessing sweeping layoffs and budget cuts. The fears and anticipation of a recession completely overthrew the 2021 predictions for the state of the information security industry. Instead of the anticipated prioritization of organizational cybersecurity and increase in its investments, the companies are tightening the budgets.

But will it save organizations money and help get through the tough economic times, or can it only become detrimental to organizations?

In this article, we discuss the cybersecurity in the times of economic decline, taking a close look at the operational realities under the tight budgets. We also go over why cybersecurity does not have to be expensive, but it must be smart, and which solutions are available to effectively prioritize the cybersecurity and protect your business operations and customers.

Fueled by economy taking a downturn worldwide, we are seeing a rapid increase in cybercrime, and it is evolving drastically and fast. Ransomware, persistence, identity theft, supply chain disruptions are all on the rise. For example, according to the IBM report, ransomware attacks have grown by 41% in 2022.

At the same time, as the technology progresses and organizations’ online presence is becoming more complex, cyberattacks are getting more sophisticated and now targeting not only large corporations, but SMBs. The hunt for the valuable data as well as compensation is leaving no organization safe. It is no longer if a business falls victim to an attack, it is when.

Average cost of a data breach or cyberattack for a small business is $120K to 1.24 million. It goes up to $4 million for large corporations, and that’s not accounting for brand damage and reputational costs overtime. Globally, it is projected that cybercrime will cost over $10 trillion annually by 2025.

So, taking into consideration economic decline, cybercrime trends, and the expansion of organizational assets online and beyond local networks (cloud infrastructure, endpoints, IoTs, work from anywhere culture, applications, etc.) companies must find a way to prioritize cybersecurity when planning their budgets.

Before we dive into the solutions to securing your organization and assets, let’s break down what expenses and costs a company can incur as a result of a cyberattack.

As we can see, cybercrime cost to the business can be very extensive and not limited to a ransom payout. However, according to the PwC report , only 43.1% of companies worldwide feel like the inherent cyber risks related to business and digital operations are well mitigated.

CISOs and enterprise leaders are faced with multiple choices of standard security frameworks that can be implemented, complexity of assembling IT and SOC teams, numerous tools to obtain and correlate, outsourcing solutions, as well as shrinking IT budgets. While, on average, organization’s cybersecurity budget is only 5-10% of the total IT budget ( PwC report ).

So, how can company leaders leverage the growing cyber risks and stay within tight budgets in the wake of the declining economy? We are seeing a gap between the demand on the security officers to have a strong security posture and the allocated budgets.

Going with the one-size-fits-all cybersecurity frameworks, recruiting the talent, training and managing traditional Security Operations Center, acquiring the necessary tools for monitoring the network and endpoints, etc., can be very costly and time-consuming for organizations. For SMBs it can become an unattainable goal as, for example, the cost of operating an in-house SOC starts at roughly one million.

In the cyber-ocean of security solutions, technology, and numerous options, VerSprite is here to navigate you through and help you find the way to your organization’s strongest security, while keeping it lean and staying with the budget.

Cybersecurity is essential to any organization, whether it is a small business or a large enterprise. However, does it have to be expensive? Greater security spending does not necessarily entail better cybersecurity posture. Let’s take a look at the steps companies can take to meaningfully improve their cybersecurity posture.

Key Cost-Cutting Strategies:

• Prevention over reaction. Actionable assessment of the cybersecurity posture – Organizational Threat Model (OTM)

First and foremost, whether you are an emerging business or a well-established enterprise, it is imperative to have a clear understanding of the organization, its operational realities and assets, as well as the threat actors’ motivations for possible attacks. Meaningful security framework is impossible without those key factors. We discuss the most actionable way to perform such assessment in the latest OTM article.

Developing Organizational Threat Model is paramount to prioritizing threats and vulnerabilities and focusing company’s efforts on effective and cost-efficient mitigation of risks. VerSptite’s OTM is a threat model that provides a clear actionable guidance.

It is a 7-stage process, inspired by the application threat modeling methodology, PASTA, that is applied at an organizational level.  Much like application threat models, the intent is to have the risks proven by various important contexts – business impact, likelihood, and the effectiveness of native countermeasures (or controls) that help reduce inherent risk levels and, consequently, help prevent expenses associated with a successful cyberattack.

• Taking a lid off the SecOps. Re-evaluation of the company’s current security operations, tools, and procedures

Once the course for the cybersecurity framework is established, the next step is making sure operations and tools are working in-sync and are correlated to serve the company’s security objectives. Investing into cybersecurity tools tends to plunge organizations into a costly cycle of spending more time and resources on solutions, yet not experiencing parallel increase in security.

When it comes to the cybersecurity framework – less is more. It is important to understand and choose security measures and tools that directly support business operations without creating numerous data flows and alert fatigue among the security team.

• Centralize all the company’s security operations and cut cybersecurity spending by going with Managed Security Service Providers (MSSPs).

Outsourcing security operation centers to professional companies can help save money and time. Like VerSprite’s virtual SOC, operation centers take on not only employing experts, acquiring industry’s top tools, and providing continuous monitoring, but deploying and correlating tools to the particular needs of an organization. Virtual SOCs should offer fully aggregated and centralized management that is tailored to meet your company’s security goals and business objectives. Outsourcing allows companies to gain access to a wider range of security expertise and tools without the investment of costly resources and time.

Having a complete tech stack vSOC provides expert analysts, top industry tools integrated into the security processes, custom threat intelligence, and even compliance screening. It is a modern way to ensure your enterprise’s security in a cost-efficient way. The cost of employing a virtual SOC is estimated to be up to 75% less than of its in-house equivalent.

Leadership, whether the board, C-suite or company owners, has a responsibility to guide the company in the right direction, and that includes protecting the company from threats. Protection and prevention need to be a part of every enterprise’s strategy and budget. Nowadays, with automation and outsourcing solutions, smart cybersecurity is a necessity and reality for businesses of every size and budget.