With national news and anecdotes regularly featuring stories of cyberattacks on businesses of all sizes, small businesses are planning their budgets with cybersecurity in mind. While implementing effective cybersecurity policies is more important than ever before, it's important to understand the risks you face and whether you are doing enough to protect yourselves.
Like many core business functions, cybersecurity often requires a monetary investment and therefore needs space in your budget. The need for cybersecurity isn't going away anytime soon. In fact, cybersecurity is actually becoming more and more relevant for small businesses. That's why it's important to consider cybersecurity as a financial priority in 2021 and beyond. This article will discuss what you need to know about budgeting for cybersecurity, including the following:
- Why cybersecurity should be a part of your business and your budget
- The potential cost of a data breach and the resulting ROI of a cybersecurity program
- How to decide how much to spend on cybersecurity
- How to maximize your investment to best protect your company
Put the calculator down and your thinking cap on. Here are a few thoughts worth considering as you plan and budget for the year ahead.
Why budget for cybersecurity?
Cybersecurity is an area that affects businesses of all sizes, including small businesses. In fact, about half of all cyberattacks target small businesses, and 68% of small businesses have experienced a cyberattack in the last 12 months. In addition to simply protecting your company from the cost and disruption of a cyberattack, companies roll out cybersecurity programs for a variety of reasons, including:
- As a safety measure resulting from third-party cybersecurity risk assessments (or other vendor requirements), which are becoming more common as clauses in contracts.
- To comply with regulations such as GDPR, PCI, and HIPAA and national or state regulations that legally require companies to maintain cybersecurity standards.
- To compete for large projects or contracts.
Cybersecurity is a broad field, so defining specific goals and improvements can be helpful as you build your budget. We see small businesses investing in a few key areas to help with specific cybersecurity challenges, including:
- Risk assessment, business preparation and continuity, and incident response
- Training employees to be cyberdefenders, reducing the danger of phishing emails and other social engineering attempts
- Network and website vulnerability identification and management
- Regular scanning and testing, including dark web scanning and ethical hacking
- Investing in a cyber insurance policy to transfer the costs involved in the recovery of a security breach or other cyber-related threat.
Think your company doesn't have a seemingly obvious challenge or external motivator for prioritizing cybersecurity? Think again, and consider an assessment to see just where you stand. In today's world and modern criminal landscape, all companies are at risk of a damaging and disruptive cyberattack.
And it's not just your company that could be affected: Your employees, customers and any third parties you work with could see fallout from a cyberattack to your business. The only way to prevent an attack is to strengthen your understanding, posture and defenses – a process that merits investment for every small business.
5 Types of cyberattacks that threaten businesses
1. Denial of service (DoS) and distributed denial of service (DDoS) attacks
A DoS attack is designed to overwhelm a machine or network's resources so that the intended users cannot access the system. DoS attacks are accomplished by bombarding the specified target with a flood of traffic or information to crash the system.
Unlike other types of cyberattacks, DoS attacks have no direct benefit for the attacker. A DoS attack may be initiated by a competitor to disrupt your website to gain an advantage, or it may be the first stage of a greater cyberthreat.
A DDoS attack is the same thing as a DoS attack, but it is launched from a large number of host computers. The purpose of a DDoS attack is to overwhelm a company website or service beyond what the server can accommodate. The result is to overwhelm a system so that the website malfunctions.
There are different types of DoS and DDoS attacks, but the most common are:
- TCP SYN flooding: These attacks can be prevented by placing servers behind a firewall.
- Ping-of-death attacks: A ping-of-death attack can be prevented by placing a server behind a firewall.
- Teardrop attacks: This threat is the result of a Windows OS vulnerability that was common in older versions of Windows, but has received multiple patches over the years. Keep your operating system up to date to prevent teardrop attacks.
- Botnets: Botnets can be prevented by enabling RFC3704 filtering and black-hole filtering.
2. Phishing and spear-phishing attacks
Phishing attacks are a common cyberthreat in which an attacker sends emails that appear to be from trusted sources. The goal is to gain personal information from a wide number of users, such as usernames and passwords, or influence someone to take a specific action, such as download malware onto your machine.
A spear-phishing attack is very similar to a regular phishing attack, but instead of casting a wide net, attackers target individuals and take their time to research victims and create personal, relevant messages.
The best way to prevent phishing attacks within your company is to train your staff what to look for and how to spot risky emails and links.
3. Man-in-the-middle (MitM) attack
As the name implies, a MitM attack is when an attacker inserts themselves between a user and the services they interact with. There are different types of MitM attacks, namely session hijacking, IP spoofing and replay attacks.
As of today, there is no single method to prevent all types of MitM attacks, though encryption and digital certificates are used to help prevent an attacker from inserting themselves between a user and a server.
4. Drive-by download attack
This type of attack is used to spread malware far and wide. An attacker looks for insecure websites to hack and plant malicious code throughout the site. When a user visits one of these hacked websites, they may unintentionally install malicious code or be redirected to a site created by the attacker. Unlike other types of cyber threats, a drive-by download doesn't require the user to take any action, meaning they don't have to click a button or open an email to be infected.
The best way to prevent this type of attack is to train your staff to keep their internet browsers and operating systems up to date and avoid websites that are not secure.
5. Password attack
Obtaining a user's password is one of the oldest, most common and effective form of a cyberattack. Passwords can be obtained through many different means, such as watching someone type in their password, searching for unencrypted passwords on a network, using social engineering to reconstruct passwords, or simply guessing a correct password through brute-force or dictionary attacks.
To protect your company from password attacks, implement two-factor authentication policies, require your employees to use strong, unique passwords, and implement an account lockout policy that locks user accounts after several invalid password attempts.
How much does a data breach cost?
The costs stemming from a cyberattack can vary tremendously, but are inarguably significant. Recent studies have shown that the average cost of a data breach to small business can range from $120,000 to $1.24 million, and that's strictly limited to a small business market. Stepping outside the small business filter, IBM's 2019 Cost of a Data Breach Report recently found that the average cost of a data breach was $3.92 million, and that breaches cost smaller businesses more (relative to their size) than they cost large businesses.
The true cost of a data breach isn't always immediately known. Expenses can be spread out over time, with about one-third of the expenses becoming apparent the first year following the breach. There are a variety of costs associated with a data breach, some of which are obvious and repairable, others of which are more ambiguous.
These are some examples of potential direct costs:
- Monetary theft
- Remediation and system repair
- Regulatory and compliance fines
- Legal and public relations fees
- Notification, identity theft repair and credit monitoring for affected parties
- Increase in insurance premium
These are some potential indirect costs:
- Business disruption and downtime
- Loss of business or customers
- Loss of intellectual property
- Damage to company credibility, brand and reputation
The IBM report also showed that key cybersecurity steps, like incident response team and plan formation, encryption, employee training and cyberinsurance, all helped to reduce the cost of a breach. So, even if your company experiences an incident, cybersecurity can help mitigate the damage and reduce the cost. The concept of cyber resilience is gaining steam and is something that deserves understanding and attention. Given the potential expense and negative impact of a data breach on a small business, any budget you can dedicate toward improving your company's cybersecurity posture is money well spent.
How much should you spend on cybersecurity?
As with any component of business, there are a lot of factors that influence how you build a cybersecurity budget. Here are a few to consider:
- Your industry and company size
- Compliance and regulation mandates affecting your business
- The sensitivity of the data you collect, use and share
- Requests from company stakeholders or customers
The actual amount companies spend on cybersecurity is often tied to their IT budget, which helps account for company size and IT infrastructure. Estimates of what companies currently pay vary, ranging from an additional 5.6% to 20% of the company's total IT spend. For example, say a 40-person company pays $3,000 per month to an IT managed service provider to cover their IT needs. Their cybersecurity budget would range somewhere between $168 and $600 per month – a significant but attainable amount – which is well worth it, given the potential cost of a cyberattack.
That's not to say that you have to spend a lot of money all at once. If you haven't had a cybersecurity budget before, try working a small amount into your 2020 numbers. A little bit can go a long way; for a relatively small investment, you can take the important first step of a cybersecurity risk assessment, then begin chipping away at key improvements.
Your cybersecurity provider can often help you identify the highest-priority – and lowest-cost – items to tackle with your limited budget. From there, you can tailor your cybersecurity program and slowly grow your budget in the coming years to provide enhanced protection and help mitigate risks. Just make sure it's just that: an ongoing program, not a one-time project.
Small businesses often operate on a tight budget, and in some cases, the person building and approving the budget may not know the value of cybersecurity. If you're facing hesitation from leadership, stakeholders or the board of directors, performing a basic risk assessment can be a great way to show them where your company stands and how an investment could bolster protection. Leadership – whether the board, C-suite or company owner – has a responsibility to guide the company in the right direction, and that includes protecting the company from threats.
Cybersecurity is no longer a "nice to have" – it's a "need to have" for business, and it needs to be a part of your business's budget. However, it's important to note that cybersecurity protection isn't purely a function of money spent. A comprehensive cybersecurity program doesn't have to cost a lot of money, but it does require prioritization and commitment from leadership, IT and employees.
On the flip side, no matter how much money a company dedicates to strengthening its cybersecurity posture, there's no such thing as a guarantee of 100% protection. A company's best bet is to deploy a multifaceted, ongoing cybersecurity program using a combination of resources, testing, training, and time to help keep them cyber strong and to potentially mitigate costs in the case of an incident.
At some point in the not-too-distant future, cybersecurity will be a standing line item on all business's profit and loss sheet. Just like small businesses build a cost for their accounting software or alarm system into their finances, they need to start including cybersecurity as a standard expense and business priority. The cost of a comprehensive cybersecurity program is a small price to pay for the peace of mind you'll enjoy knowing your company is better protected.
Additional reporting by Andrew Rinaldi.