Think back – if you can remember those halcyon days – to last November, before the COVID-19 pandemic had taken hold in the West. Like a lot of organizations, you may have taken the opportunity, during a quiet holiday period, to sketch out your cybersecurity budget for 2020. Whatever you decided your company’s IT security budget should be, you’ve probably overrun it.
That’s nothing to be embarrassed about, of course. No-one had “deal with a global pandemic” as a line item in their business plan for 2021.
As organizations start to make their cybersecurity budgets for 2021, though, it’s immediately obvious that this year will bring new and unexpected costs. The global move to work-from-home (WFH) over the past year has left many organizations struggling to protect newly remote staff from a wider and more dynamic threat landscape. In this article, we’ll look at several key (but perhaps unexpected) items that should be in your cybersecurity budget for the coming year.
Threat Assessment
Every cybersecurity budget should be based, ultimately, on the level and types of threats that you face. The COVID-19 pandemic has led to a noticeable uptick in cybercrime, while simultaneously forcing employees to work from home, where they are more vulnerable. The bottom line is, therefore, that cybersecurity will cost a lot more in the coming year than it did in the last, and possibly more than ever before.
This headline notwithstanding, it's as important as ever to conduct a thorough threat analysis for your organization - following best practice guidelines for this - before deciding which of the following budget items applies to you, and how much you should spend on them. This threat assessment will also help to justify your 2021 cybersecurity budget, should management question why it is so much higher than previous years.
Staff and Training Costs
Back before the pandemic, plenty of companies were in the process of moving to remote work. One of the driving forces behind this shift was the perception that WFH staff cost less than traditional staffing models. It turns out that is not the case, at least when it comes to cybersecurity.
This is because staff members who work from home require significant extra training in order to keep themselves and company digital assets safe. Given the widespread skills shortage that still characterizes the cybersecurity world, this is likely to apply to all teams. Even worse – if staff are not trained adequately, you will have to pay to clean up after their mistakes, which will cost even more.
Incident Response
Second, you should consider your risk tolerance, make a reasonable estimate of how many incidents you are likely to have to respond to this year, and how much this will cost. In many organizations, these costs are overlooked, because cybersecurity consultants still make the mistake of thinking that spending enough on prevention will allow them to cut incident response costs to zero. Don't make that mistake. It just doesn’t work like that.
Resource Replacement and Upgrade
You should also consider replacing and upgrading your hardware and software resources in response to the shift to WFH. Older laptops with out-of-date security software might be (barely) secure enough to protect your employees and data if they stay behind your corporate firewall, but once they leave the office they are exposed to a much higher level of risk on the open internet.
For this reason, now might be the time to replace aging hardware with newer machines that incorporate biometrics, or to install hardware encryption on older machines. Equally, 2021 is a good time to take a second look at any free but fairly insecure software you might be using. As easy as Google makes it to use their products, there’s a good chance that considering the alternatives will allow you to reduce your chances of a cybersecurity incident. Here’s just one example of the kind of trouble you face with the search engine behemoth.
Consultants
This might seem like a bad time to spend thousands of dollars on consultants, but red-hat testing is a great way of understanding the threats you face and understanding how to mitigate them. Research shows that internal battles still hold SOC back in many firms, and a successful pen test is a great way to get everybody focused on the same goal.
Insurance
You've probably noticed that your cybersecurity insurance premiums have risen in the last year, and there's a good reason for that. Insurance companies have taken a look at the statistics and decided that remote employees present a huge risk. They are, accordingly, charging more to insure them, and you should make sure that your cybersecurity budget reflects this.
If, on the other hand, you do not currently have cybersecurity insurance at all, you should seriously consider getting it. While an extra expense might seem like a heavy burden to bear at the moment, the savings in the event of a successful attack far outweigh this repeating, predictable cost.
Security-as-a-Service
Finally, and particularly if the number of factors above seems like it will increase your budget to unmanageable levels in 2021, it might be time to consider outside help. While there have been third-party security solutions on the market for decades, some have been developed into full-spectrum Security-as-a-Service platforms.
These platforms promise to take care of your cybersecurity in its entirety, leaving you free to focus on more important things. Whether this is true in practice depends on your risk level, type of business, and other factors. But it is certainly worth looking into whether this type of arrangement is a good fit for your business.
Expect the Unexpected
While it might not feel like it right now, the kind of root-and-branch assessment of cybersecurity budgets necessitated by the pandemic might, overall, be a positive development. Many firms haven't looked at their budgets and the assumptions they are based on for many years. This review has been long overdue.
Even if you find you are already well-prepared for the coming year, the process of looking afresh at your budget can be instructive. The ability to assess risk and budget accordingly is one of the fastest growing cybersecurity skills and developing expertise in this area could ultimately provide a career boost.