What to Include in a Cybersecurity Budget
April 06, 2022
The small business sector has become a prime target for cybercriminals in recent years, with a significant surge in cybercrime incidents. Studies indicate that nearly 75% of small businesses across various industries encountered a spike in cyberattacks, representing a staggering 238% increase compared to previous years.
Many small businesses fell victim to distributed denial of service threats, while targeted ransomware and extortion attacks exploited vulnerabilities in applications and Internet of Things (IoT) devices. Even seemingly unrelated aspects like stimulus checks and unemployment benefits became avenues for cybercriminal activities.
Regrettably, this concerning trend shows no signs of abating. As small businesses strive to protect themselves from malicious actors, they often face the challenge of limited budgets. Consequently, how do these businesses make informed decisions on how to allocate their security resources?
The initial crucial step lies in conducting a vulnerability assessment. Small businesses must identify their infrastructure weaknesses to ensure that their security funds are allocated to the areas where they are most needed.
NIST defines a vulnerability as a weakness in system security procedures, internal controls, system infrastructure, or implementation that a threat source could exploit to gain access to a system. Unless vulnerability testing is performed, many of these weaknesses remain undetected until an attacker compromises the system.
Vulnerability assessments should test a system's ability to defend against an external cyberattack. They should highlight internal weaknesses that could lead to a network compromise. The goal is to identify vulnerabilities and determine how to remediate the weaknesses. Most assessments deliver a list of vulnerabilities with a threat level to indicate those that should be addressed first.
A vulnerability assessment describes a system at a specific point in time. It does not identify weaknesses introduced later, for example when a firewall is reconfigured or software updates are applied. Organizations should budget for ongoing vulnerability testing to ensure their systems stay secure.
Distributed Denial of Service (DDoS)
DDoS attacks occur when massive amounts of traffic, packets, or requests are sent to a website, preventing it from responding to legitimate user requests. The attack comes from many systems at once and usually results in the website or service going offline. Initially, these attacks were viewed as a nuisance rather than a threat. Today, DDoS attacks hit the bottom line directly, as more and more companies conduct business over the internet.
DDoS attacks may be:
- Volume-based. These attacks attempt to flood the website or server with enough traffic to overload the system and prevent it from responding to user requests.
- Protocol-layer. These attacks target network infrastructure by sending volumes of data packets that overwhelm the system.
- Application-layer. Hackers flood a site or server with malicious requests that tie up resources, causing the service to be unavailable.
No matter the variant, the goal is the same: overwhelm online resources so that user requests cannot be serviced. Bots have become the threat vector of choice for DDoS attacks, which is why some websites attempt to separate human users from bots to protect against possible attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as:
an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable until a ransom is paid.
As a form of malware, ransomware exploits known vulnerabilities to gain access to a system. Once inside, it encrypts recovery resources such as system backups, exfiltrates information, and encrypts data on local storage devices. Today's cybercriminals not only hold companies hostage, but they also extort money from individuals whose data they have copied by threatening to post the information on the Dark Web.
Equally important is establishing a backup schedule. Combining incremental and full backups means organizations lose minimal data and can restore their systems quickly. Backups are not only important for protecting against cyberattacks; they should be part of every disaster recovery plan.
Budgets should include tools or services that can protect against ransomware attacks. Even unsuccessful attacks result in added costs as compliance standards often have reporting and remediation requirements.
Employees are a company's first and last line of defense. No matter how often they are reminded, employees use weak passwords, share credentials, and click on links without thinking. Since 94% of ransomware is delivered through email, businesses should invest in staff training. Learning how to maintain good cybersecurity hygiene can make the difference between a compromised and a secured system.
Phishing and smishing are two ways bad actors gain access to a system, and both target employees. Keeping employees informed about the latest cyberthreats raises awareness of possible phishing attempts or social media tactics. When staff are trained, they learn how to identify suspicious emails and questionable links and attachments.
When everyone worked in the office, workstations and laptops sat behind the corporate firewall. As long as the infrastructure remained strong, endpoints behind the firewall were considered safe. With the increase in IoT devices and remote workers, these connections no longer sit behind a firewall, and additional security monitoring tools are needed to ensure that a company's endpoints are secure.
Hackers target endpoints because they are often the weakest link in a cybersecurity framework. Many organizations do not have visibility at their endpoints, making it impossible to know what occurs at the edge. When employees work from home, organizations are at the mercy of the employee regarding cybersecurity. Unless companies provide the equipment, they can't dictate how an endpoint must be secured.
Adding multi-factor authentication (MFA) and virtual private networks (VPNs) helps secure a network and should be part of any cybersecurity budget. Service providers also offer monitoring and management assistance, which may be more cost-effective than doing it in-house.
In addition to these security-specific threats, organizations should consider budgeting for compliance and employee training. Both areas have a significant impact on the security posture of an institution.
Cybersecurity, as it pertains to compliance standards, should be a part of every budget. Depending on the specific segment of the industry, compliance regulations can require additional security. For example, financial institutions and wealth management firms need to consider:
- Common Reporting Standard (CRS). Firms must report non-resident account holders to local tax authorities.
- Base Erosion and Profit Shifting (BEPS). Accountability requirements for investment compliance to minimize tax avoidance.
- Know Your Customer (KYC). These guidelines outline reporting requirements that institutions must meet to help prevent funding of terrorist activities, money laundering, and fraud.
- Gramm-Leach-Bliley Act. Financial institutions must explain how consumer information is shared and how they safeguard sensitive data.
Privacy laws such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have added requirements for protecting and sharing consumer data that may increase an organization's cybersecurity obligations.
No matter how comprehensive a security plan is, it doesn't work without people. As part of budgeting, organizations need to assess their existing IT resources. Do they have the right expertise to implement the cybersecurity requirements? Do IT employees need training? How much will that add to the budget?
If additional staff are needed, businesses must budget for recruitment as well as salary and benefits. Adding personnel may be cost-prohibitive for startups and small to mid-sized businesses because of the ongoing labor shortage; salaries for IT personnel can reach six figures, depending on location.
Balancing cybersecurity with financial constraints is always a challenge. Sometimes the financial resources are simply not there. That's where security-as-a-service solutions can help. Lower up-front investment and minimal personnel requirements make cloud-based offerings attractive. Before finalizing a budget, contact Havoc Shield for a demo of their cloud-based cybersecurity solution.