Budget season is upon many businesses. Savvy small businesses are thinking about cyber security expenses as well as payroll and marketing. You know that you are likely to be a hacker’s target in the coming year. The numbers are trending up for small businesses, as criminals find many easy targets to make quick money.
Depending on how complex your budgeting process is, you may want to think about where to budget for cyber security. The components of a strong cyber security plan impact multiple budget categories:
- IT: hardware, software, vulnerability assessments, penetration testing and technical training
- Training: technical training, certifications, and conferences
- HR: policies and procedures development and employee training
- Insurance: data breach, recovery and business continuity
- Legal: data breach consequences, law enforcement interface
How much to budget
It is estimated that large companies invest about 15% of their IT budget in cyber security initiatives. Most companies are spending significantly more today than they did just a year ago.
You might want to calculate the amount to spend based on the number of employees you have or your projected revenue. Some businesses forecast cyber security expenses based on risk assessment. The higher your risk potential, the more you should budget.
Think through what the risks are and then what the implications would be of a minor intrusion or a major data theft and business stoppage.
If you don’t have policies and procedures, you may need to hire a contractor or a consulting firm to prepare them. A simple, basic set of policies covering Bring Your Own Device (BYOD), passwords, company data confidentiality and similar topics may be enough for this budget year. When you have policies and procedures in place, you are in a stronger position if you have to take administrative or even legal action on employee policy breaches.
You should include funds to have an outside company perform a vulnerability assessment. The cyber security specialist will review your current security measures and identify areas where you should consider additional security measures. A vulnerability assessment will not tell you whether a hacker is already inside your network; it will tell you where the likely entry points are.
Ask your IT lead to research some industry standards. You can adjust your budget based on the size of your business and risks.
Ask your insurance agent what is included in your general policy (usually not incidents specific to cyber security) and ask for a quote. Several major insurance companies now offer a variety of plans.
The Federal Communications Commission (FCC) provides a good resource for developing a cyber security plan, including budget planning.