Cybersecurity Awareness: How to Plan Your Budget
Investing in cybersecurity is now simply a cost of doing business in the digital world, and it belongs on your balance sheet along with every other operating expense you have. If you don’t make this investment, you introduce several layers of risk into your business:
- Failing risk assessments with potential business partners
- Losing out on certain contracts (e.g., working with governmental agencies)
- Facing fines for non-compliance
- Lacking the qualifications for cybersecurity insurance
How to benchmark and forecast your cybersecurity budget
Before we dig in, we want to share an important caveat. Each company is different and must consider a number of variables when deciding how much to invest in cybersecurity measures. That’s why we prefer looking at your cybersecurity costs as a percent of your general IT budget and recommend allocating 20% or less of your IT budget to cybersecurity as a start.
What line items to include in your cybersecurity budget
To help build your budget, the following is a list of the basic cybersecurity measures you should invest in, what the investment includes, and some high-level notes on price.
An asset inventory gives you an overview of all your devices, software, and data. It helps determine the value of your data, and it tracks what you have and how to protect it if you have an incident. From a cost perspective, tracking your inventory can be as simple as an Excel spreadsheet; however, for companies with more than 10 devices, we recommend partnering with SUCCESS and implementing Network Watch Secure. Tools like this scan your network for new devices and update your inventory automatically. Pricing is typically per user per month.
Multi-factor authentication (MFA) requires users to verify their identity in more than one way before accessing certain data. While it sounds simple, experts like Microsoft estimate that this measure can stop 99% of certain types of phishing attacks. MFA tools also centralize your identity management and reduce the number of passwords to remember, making it easier to follow good password policies. Pricing is usually a fixed cost per user per month.
Cyber insurance is a separate business policy protecting companies from cyber incidents like data breaches, ransomware, and phishing. This budget line item is critical because simple clauses in traditional insurance don’t offer enough protection. The cost of policies varies widely based on factors like state, type of business, revenue size, amount, and data type.
The cost of helping users learn about and adopt robust cybersecurity protocols is often overlooked. Cybersecurity frameworks (see next item) help define the type of training you should complete, and vendors like SUCCESS can confirm whether you’re compliant. Even better, you’ll have training records demonstrating your compliance if you’re audited. The cost of user training is typically a cost per employee per year.
A cybersecurity framework guides a company’s cybersecurity journey through a series of proven industry best practices. There are several options, but we recommend using the CIS Controls framework. It lays out the most critical cybersecurity steps you should take and prioritizes them. The framework itself is free; however, most companies partner with a vendor like SUCCESS to assess their performance against the framework standards.
Next-level strategies like SIEM
Once you have the basics covered, it’s time to assess whether next-level strategies like SIEM could shore up your efforts. In the simplest terms, SIEM combines security information and event management into one system. Your log files are sent to a device that monitors everything for you and sends alerts for potential issues. Pricing is based on a cost per user per month.
When to revisit your cybersecurity budget
Given how fast things move in the cybersecurity space, we recommend you revisit your budget quarterly and whenever you:
- Implement a significant change within your network (e.g., new machines or software)
- Connect new machinery to the network (e.g., new manufacturing equipment)
- Bring new vendors into your network
Need a partner?
Feeling overwhelmed by where and what to invest? You don’t have to tackle this work alone. At SUCCESS Computer Consulting, our in-house cybersecurity experts can partner with you to assess your risk tolerances and build your cybersecurity roadmap. Contact us to get started.