Most businesses now accept that they are likely to be a cyber-attack victim. Savvy businesses assess the risk and plan according to their perceived risk level. Your cybersecurity budget should be determined in relation to your risk assessment.
Some industries have a higher risk than others, due to the nature of their data and industry. These businesses need to plan for a larger cybersecurity budget, just as a business that has a higher physical security risk needs to plan for a larger budget than those businesses with a lower risk. No business should assume no budget is necessary.
Once you have determined a realistic risk level, you need to determine where your business is in terms of preparedness. If you need to update hardware, for instance, you need to budget for it. If you have an employee training program in place, you might not need as much budget as you would if it is your first year of in-depth staff training.
Think about your cybersecurity budget in terms of prevention, detection and response for your risk level.
Budget items for prevention should include plans for training staff, acquisition or upgrading of technology, or annual vulnerability assessment.
Consider the activities your business needs to undertake to ensure it can detect a cyber-attack quickly. You may need to allocate funds to hire a cyber expert to perform a penetration test, to confirm your system is as well protected as you think. You may also need to allocate funds in case you need to hire a forensic specialist to track a known attack so you have proof for your insurance claim and lawsuits.
Response costs can include public relations, attorneys, forensic specialists as well as network replacement. Cyber insurance will cover some of these costs, so be sure to consider what your premium is and what is not covered by the policy you select.
What Businesses Can Do
• Contact your insurance agent for her insight on risk level for your industry. She may have other statistics that can help you quantify the right risk level.
• Talk with your banker about trends he sees in risk coverage. Some banks are paying attention to cybersecurity measures as they previously looked at the physical security measures for businesses seeking loans.
• Explore tools and resources available through your industry’s trade associations. Many groups now provide free or group pricing on cybersecurity services and tools.
• Budget wisely so you can continue your business after an attack. Don’t gamble your business on the assumption that you won’t be attacked. The odds are against you. If you end the year without having to use all the budget, you have additional profit.