Staying Lean with Cybersecurity Efforts when Budgets are Tight

SUMMARY:

• Cybercrime is projected to increase amid declining economy and security budget cuts.
• Direct and indirect costs of a cyberattack. Is cybersecurity an expense or an investment?
• Key strategies to cut spending without compromising security.

2022 is becoming the year that is drastically changing the cybersecurity landscape. A declining economy is affecting all industries and their operations, and it has not left the cybersecurity sphere unaffected. We are witnessing sweeping layoffs and budget cuts. The fears and anticipation of a recession ultimately overthrew the 2021 predictions for the state of the information security industry. Instead of the anticipated prioritization of organizational cybersecurity and increase in its investments, companies are tightening budgets.

But will it save organizations money and help them get through the challenging economic times, or can it only become detrimental?

In this article, we discuss enhancing your cybersecurity posture during economic decline, taking a close look at the operational realities under tight budgets. We also go over why cybersecurity does not have to be expensive. Still, it must be smart, and which solutions are available to prioritize cybersecurity and protect your business operations and customers.

Fueled by the economy taking a downturn worldwide, we are seeing a rapid increase in cybercrime, evolving drastically and fast. Ransomware, persistence, identity theft, and supply chain disruptions are all rising. For example, according to the IBM report, ransomware attacks have grown by 41% in 2022.

At the same time, as technology progresses and organizations’ online presence becomes more complex, cyberattacks are getting more sophisticated and targeting not only large corporations but SMBs. The hunt for valuable data and compensation is leaving no organization safe. It is no longer if a business falls victim to an attack; it is when.

The average cost of a data breach or cyberattack for a small business is $120K to 1.24 million. It goes up to $4 million for large corporations, and that’s not accounting for brand damage and reputational costs over time. Globally, cybercrime is projected to cost over $10 trillion annually by 2025.

So, considering economic decline, cybercrime trends, and the expansion of organizational assets online and beyond local networks (cloud infrastructure, endpoints, IoTs, work-from-anywhere culture, applications, etc.), companies must find a way to prioritize cybersecurity when planning their budgets.

Before we dive into the solutions to securing your organization and assets, let’s break down what expenses and costs a company can incur due to a cyberattack.

As we can see, cybercrime costs to the business can be pervasive and not limited to a ransom payout. However, according to the PwC report, only 43.1% of companies worldwide feel like the inherent cyber risks related to business and digital operations are well mitigated.

CISOs and enterprise leaders face multiple choices of standard security frameworks that can be implemented, the complexity of assembling IT and SOC teams, numerous tools to obtain and correlate, outsourcing solutions, and shrinking IT budgets. On average, an organization’s cybersecurity budget is only 5-10% of the total IT budget ( PwC report ).

So, how can company leaders leverage the growing cyber risks and stay within tight budgets in the wake of the declining economy? We see a gap between the demand for security officers to have a strong security posture and the allocated budgets.

Going with the one-size-fits-all cybersecurity frameworks, recruiting talent, training and managing traditional Security Operations Centers, acquiring the necessary tools for monitoring the network and endpoints, etc., can be costly and time-consuming for organizations. For SMBs, it can become an unattainable goal as, for example, the cost of operating an in-house SOC starts at roughly one million.

In the cyber-ocean of security solutions, technology, and numerous options, VerSprite is here to navigate you through and help you find the way to your organization’s most robust security while keeping it lean and within the budget.

Cybersecurity is essential to any organization, whether a small business or a large enterprise. However, does it have to be expensive? Greater security spending does not necessarily entail a better cybersecurity posture. Let’s look at the steps companies can take to improve their cybersecurity posture meaningfully.

Key Cost-Cutting Strategies:

• Prevention overreaction. Actionable assessment of the cybersecurity posture – Organizational Threat Model (OTM)

First and foremost, whether you are an emerging business or a well-established enterprise, it is imperative to have a clear understanding of the organization, its operational realities and assets, and the threat actors’ motivations for possible attacks. A meaningful security framework is impossible without those key factors. We discuss the most actionable way to perform such an assessment in the latest OTM article.

Developing an Organizational Threat Model is paramount to prioritizing threats and vulnerabilities and focusing the company’s efforts on effective and cost-efficient mitigation of risks. VerSptite’s OTM is a threat model that provides clear, actionable guidance.

It is a 7-stage process inspired by the application threat modeling methodology, PASTA, applied at an organizational level.  Much like application threat models, the intent is to have the risks proven by various critical contexts – business impact, likelihood, and the effectiveness of native countermeasures (or controls) that help reduce inherent risk levels and, consequently, help prevent expenses associated with a successful cyberattack.

• Taking a lid off the SecOps. Re-evaluation of the company’s current security operations, tools, and procedures

Once the course for the cybersecurity framework is established, the next step is ensuring operations and tools are working in-sync and correlated to serve the company’s security objectives. Investing in cybersecurity tools tends to plunge organizations into a costly cycle of spending more time and resources on solutions yet not experiencing a parallel increase in security.

When it comes to the cybersecurity framework – less is more. Understanding and choosing security measures and tools that directly support business operations is essential without creating numerous data flows and alert fatigue among the security team.

• Centralize all the company’s security operations and cut cybersecurity spending by going with Managed Security Service Providers (MSSPs).

Outsourcing security operation centers to professional companies can help save money and time. Like VerSprite’s virtual SOC, operation centers employ experts, acquire the industry’s top tools, provide continuous monitoring, and deploy and correlate tools to an organization’s needs. Virtual SOCs should offer fully aggregated and centralized management tailored to your company’s security goals and business objectives. Outsourcing allows companies to access a broader range of security expertise and tools without investing costly resources and time.

A complete tech stack, vSOC provides expert analysts, top industry tools integrated into the security processes, custom threat intelligence, and even compliance screening. It is a modern way to ensure your enterprise’s security cost-efficiently. The cost of a virtual SOC is estimated to be up to 75% less than its in-house equivalent.

Leadership, whether the board, C-suite, or company owners, is responsible for guiding the company in the right direction, including protecting the company from threats. Protection and prevention must be part of every enterprise’s strategy and budget. Nowadays, with automation and outsourcing solutions, upgrading your cybersecurity posture is a necessity and reality for businesses of every size and budget.