Today, organizations are losing up to $3.92 million in every data breach incidence. This translates to a 12% increase since the year 2014. What such statistics indicate is that cybercrime has been increasing, largely perpetuated by an emerging breed of hackers. They are motivated by new technological advances, which they use to innovate stronger, more resilient, and more sophisticated attacks. More so, businesses are leveraging the benefits of digitizing their services and operations. In a recent study done by Brother International Corporation, it revealed an 18% increase in investments spent on small and medium-sized technology. A separate survey also showed that 81% of sampled businesses agreed that IT plays a key strategic role in growing their businesses.
However, the use of business IT brings a whole set of cybersecurity and compliance risks. Business digitization means using sensitive information, such as customer personal information, to render services. As of 2019, it was estimated that the world generates at least 2.5 quintillion bytes of data every day. Business data makes up a significant chunk, and this provides hackers with increased incentives for breaching companies. This, perhaps, explains why businesses are the most targeted by cyber adversaries. 43% of the total cyber-attacks target small businesses, while 64% and 62% of companies have been victims of web-based attacks, and social engineering or phishing attacks, respectively. This indicates that every business should heavily invest in cyber defenses. Just like any investment, it is necessary to make sound cybersecurity investment decisions to ensure maximum ROI (Return on Investments). Here are the top trends that should inform cybersecurity spending in 2020.
Approaches to consider when setting up cybersecurity budgets
Since the cyber threat environment is highly dynamic and keeps changing, allocating sufficient budgets to cybersecurity is of utmost importance. According to recent standards, most organizations allocate 10% of IT budgets to cybersecurity. However, such a small percentage may not be enough to completely secure the IT environment, invest in awareness and security training, acquire new cybersecurity solutions, or ensure full compliance with mandatory regulations. As such, businesses should focus on the following three approaches when setting up cybersecurity budgets for 2020.
Being proactive rather than reactive
Cybersecurity budgets should be a priority for all businesses. Yet, many organizations use a reactive approach, which in most cases, does not produce the desired results. For example, an adversary breaches a network, and the company suddenly needs to implement new firewalls, intrusion detection and prevention systems, antiviruses, and so on. While reactive or ad-hoc approaches might be efficient for some when budgeting for information security, cash-sensitive businesses cannot rely on the method to get critical cybersecurity projects approved. Besides, the main objective of cybersecurity budgets is to keep out adversaries to prevent cyber incidences from happening. It is, hence, sensible to edge away from reactive budgeting approaches to a more proactive one.
A proactive cybersecurity budget allocation approach means understanding and embracing the mindset of a hacker and use this knowledge to build strong defenses. This will require the in-house security teams to employ all their expertise at detecting all exploitable opportunities which hackers can use to intrude on a corporate network. The assessment results will guide the deployment of appropriate mitigation measures, thus remaining protected at all times. Small businesses that lack the resources to conduct their own risk assessments should consider outsourcing vulnerability assessments to red and blue pen testers.
Benchmark organizations with effective cybersecurity budgeting
One essential question many companies are unable to answer when planning for cybersecurity budgets is, how is the enterprise performing in regards to detecting, preventing, and responding to security incidents? If unable to answer it, then a business should consider using a benchmarked approach to set and allocate cybersecurity investments and budgets. The approach involves comparing the business’s operating performance with that of other peers, a recognized framework, a group of sampled companies, or a previously conducted study. Observing the best security practices of different security teams can enable a company to quantify the results and prepare an appropriate cybersecurity budget. The benchmarking should be in terms of security investment levels, key performance indicators, and organizational cybersecurity structure.
Adopt a risk-based cybersecurity approach when creating cybersecurity budgets
Setting cybersecurity budgets using risk-based approaches can help inform the level of investments. The approach requires the information security team first share risk categories affecting all areas with the leadership management team. It is more effective in organizations with mature security procedures. This is because they can categorize risks in multiple domains, and allocate sufficient budgets based on the costs involved in mitigating the risks. One of the most effective risk assessment and management framework is the NIST (National Institute of Standards and Technology) Cybersecurity Framework. It consists of five information security lifecycle domains, which are identify, detect, protect, respond, and recover.
Using the NIST CSF approach to identify and categorize risks informs the mitigation measures according to the degree of risk levels. As such, a business can identify risks that require a higher mitigation priority. This, in turn, informs the security investment decisions by first prioritizing the most impactful risks. Although this method is similar to the benchmarking approach, organizations can realize noticeable improvements in matters of security operations.
Cybersecurity trends should inform budgeting decisions
Before setting up 2020 cybersecurity budget allocations, it is critical for organizations to keep an eye on how the cybersecurity landscape might shift compared to previous years. In this case, there are three critical cybersecurity trends companies should prepare to address in budget preparations. They are as discussed below.
Investors/clients will prioritize organizational cyber risks in their analysis
Cybersecurity will play a leading role in matters relating to investment decisions. With companies such as Equifax suffering profit and reputational losses due to data breach incidents, investors are more cautious when considering investment options. They are more hesitant to invest in enterprises with questionable risk management procedures. This is understandable given no one wants to entrust his personal information in risky environments. For these reasons, security teams should focus investments on risk identification and management. Having a strong security posture should no longer only involve preventing breaches, but also consist of sufficient risk management controls. Stronger risk management procedures and the implementation of safeguards and controls for protecting sensitive information should be at the center of all cybersecurity budget decisions.
Attackers might focus on using brute-force attack techniques
In 2020, attackers might focus less on exploiting zero-day vulnerabilities, and instead prefer brute-force attack methods. Such techniques include gaining unauthorized network access through unpatched systems or insecure third parties. Actually, this trend has been identified in different attacks. For instance, APT33 utilizes almost exclusive password spraying and brute-force attacks when attempting to compromise critical infrastructure. Also, examples of successful use cases include companies breached using Shapeshifter and Shamoon, which are the main APT33 go-to deployments. Moreover, business email compromise attacks have been on the rise in 2019, with multimillion companies such as Nikkei losing up to $29 million to such ploys. The examples notwithstanding, NSA reports show that it rarely responds to cyber incidences involving zero-day exploitation, as opposed to incidents caused by unpatched software or hardware.
Countering these trends may require cybersecurity plans and procedures to focus on security basics. This is by building a strong foundation. Examples of such plans are continuously monitoring critical systems to identify new vulnerabilities and threats, and constantly evaluate the implemented security standards, including those of third parties and supply chain partners. Focusing cybersecurity investments on employee training and awareness creation can also enable a business to strengthen its security posture. More often than not, the human element contributes the highest towards weak security links.
Cyber insurance will be more integral to cybersecurity plans
From BEC to ransomware attacks, the costs incurred in responding to attacks and breaches are rising by the day. Most businesses, especially SMEs, are incapacitated in incident response due to limited resources and lack of required expertise. Most are unable to respond to a wide variety of attacks, including those delivered through third, fourth, or fifth partners. Although most cyber insurance covers don’t pay for finances lost through attacks, they provide great assistance in financing legal fees needed for investigations. Every organization can be attacked in spite of the implemented defenses. The question is, how well is it prepared to recover from the attack and ensure business continuity? Through cyber insurance claims, a breached company can ensure quick investigations and remediation.
Furthermore, more businesses are acquiring various cyber insurance policies. Insurance companies will, therefore, become more familiarized with cyber attack nuances, and begin providing new coverage plans. They may even include plans for paying losses and damages resulting from attacks. As 2020 progresses, organizations need to understand and acquire available insurance plans, to effectively budget for what the policies don’t cover. Reevaluating current insurance plans can better inform the best cybersecurity budget plans.
Your 2020 cybersecurity budget should focus on the following things
Awareness training for employees
In research done by Osterman, investing in cybersecurity education for employees has the highest ROI. Creating awareness on how to enhance resiliency towards security risks facing digital assets can deter a large percentage of attempted breaches. In most instances, hackers prefer exploiting users since they are regarded to be the weakest link in cybersecurity. This is by using undetectable methods through software or hardware, or by employing social engineering tactics like phishing, pretexting, and smishing. These are only preventable through educational awareness and training since technical measures have little success.
There are various budget-friendly methods companies can use to create awareness. These include using posters, emails reminding employees tip of the day, and contests. Cost-effective training strategies include using and fun educational videos, short computer-based courses, and formal training classes. Organizations can provide funds to be used in rewarding employees who demonstrate strong cybersecurity knowledge. This can motivate other members to be more serious with the training, thus creating a cyber aware culture.
This might seem like the obvious, but observing strict patching policies can greatly strengthen a company’s cybersecurity posture. Inhouse IT teams should prioritize hardware and software patching. Yet, most managers overlook it, preferring to dedicate resources in other areas. Inadequate patching has been responsible for some of the largest breaches, including the 2017 Equifax data breach that compromised data of more than 140 million individuals.
It, therefore, goes without saying patching procedures should be allocated considerable finances. This is to ensure patch management is one of the focal points in weekly, if not daily, cybersecurity routines. Patching ensures hardware or software assets contain the latest updates and security to deny hackers exploitable vulnerabilities. If possible, investing in automated patching systems can ensure prompt update download and installation as soon as they become available. This not only enhances organizational security but facilitates compliance with various regulations.
Outsource to cybersecurity firms
Sometimes, the scope needed to properly secure a company can take a toll on financial resources. Requirements like hiring in-house security personnel who should be available 24/7 is infeasible unless the company in question is a Fortune 500. But small businesses are the majority, and limited resources may prevent them from maintaining their own cybersecurity operations. Managed service providers provide a lot of professional services that are highly beneficial to optimizing security. These include 24/7 monitoring, access to specialized experts, and access to the latest security tools and policies. Outsourcing security is affordable since most MSPs provide affordable subscriptions, which can be paid annually or monthly.
Additionally, outsourcing security services like penetration testing are budget-friendly processes that can harden implemented defenses. Identifying risks and vulnerabilities beforehand ensures the implementation of strong solutions to prevent exploitation. Since pen testing can be done once or twice a year, companies can include them in budgetary allocations.
Protecting the endpoints is an effective strategy a business can use to secure its networks and data. Endpoints are the means a hacker or user can gain network and system access. These include mobile devices, smartphones, laptops, and USB ports on computers. There are numerous endpoints in any given company, such that achieving 100% security is near to impossible. Despite this, organizations should strive to invest in endpoint security. This might seem like an enormous investment, but there are security firms that offer managed endpoint security and response. They normally install software that accesses and monitors all endpoints for suspicious activities. Automated versions can detect anomalous activities and initiate appropriate responses with minimal help from human operators.
Several trends will impact your cybersecurity spending
Every year, new trends in the cybersecurity landscape emerge. Most have a significant impact on a company’s cybersecurity spending. The following ten trends might inform how you plan for cybersecurity budgets in 2020.
Software lagging behind security services
Forrester dubbed 2019 as the year of security services. In that year alone, spending on cybersecurity services, which is a relatively new development, increased by four times. These outpaced investments made in other areas. According to a prediction by Gartner analysts, security services might account for at least 50% of the set cybersecurity budgets. More specifically, Gartner estimates that spending on security services, infrastructure protection, and network security equipment will amount to $64.2 billion, $15.3 billion, and $13.2 billion, respectively.
Increasing privacy concerns
New privacy laws and regulations have been a cause for privacy concerns in previous years. 2020 will not be an exception, especially with the expected 5G network rollout. Privacy breaches are also causing most consumers to continuously ponder over the privacy and security of their data. As security services spending increases, companies must also consider investing in privacy protection. Cybersecurity budgets should focus on enhancing the functionalities of identity and access management (IAM) systems, data loss prevention (DLP) strategies, and identity governance and administration (IGA).
CISOs want increased visibility, analytics, and alignment
An emerging trend is Chief Information Security Officers (CISOs) spending more on cybersecurity with the management’s approval. Setting up larger cybersecurity budgets is essential to addressing industry needs, business changes, and security risks. Due to adversaries’ ability to develop complex attack methods, CISOs are determined to create a well-integrated cybersecurity ecosystem. This is to enable threat identification in real-time and to develop a more strategic cybersecurity culture. Forbes predicts that CISOs might prioritize the following in budget spending:
Develop security event analytics to replace cross-platform visibility
Use orchestration and automation to align security operations
Acquire user behavior analytics (UBA) to address insider threats
Compliance might be the key driver for cybersecurity spending
CISOs are today closer to the C-suite (executive level employees) than at any other time. A PwC study showed that most CEOs agree cyber threats are a huge threat and impediment to a company’s growth prospects. CEOs are more convinced that implementing more on compliance will enhance cybersecurity postures. CISOs, on the other hand, are concerned spending more on compliance at the expense of investing in mitigating digital business risks might be ill-informed. This means that business decision-makers must ensure to set aside adequate budgets for managing compliance and managing digital risks.
Cybersecurity investments accelerates digital transformation
CISOs need to maintain effective collaboration with C-suite to ensure the better understand the technical aspect of cybersecurity. The aim of any technology-oriented company is to ensure the achievement of a secure digital transformation. Emerging technologies like 5G networks might result in automated business functions, which will transform how businesses operate. In particular, a CIO study showed that minimizing time and resource wastage, enhancing time efficiency, and reducing business friction are the key objectives of a digital transformation process. Ensuring secure digital transformation will require cybersecurity budgets to key enablers such as DevSecOps.
Evolving ways of measuring cybersecurity ROI
Cybersecurity leaders are determining a product’s investment value by recognizing its ability to reduce security risks, and at the same time, enable an organization to remain compliant. These are the top metrics for most, and they might prolong into 2020. Inviting third parties to conduct audits on available tools and products might validate if they are efficient for security investment.
Investing in a security culture is a key objective
People or process failure account for the majority of successful cyber-attacks. Sparking a conversation concerning cybersecurity budgets and risks can assist a business work toward achieving a strong security culture with shared risk goals. As such, executives should be able to justify cybersecurity spending by addressing existing shortcomings within a security ecosystem. To ensure the success of cross-functional budget conversations, topics such as appetite for risk, where security investments will result in the most significant impacts, and how to ensure existing investments yield desired values should guide the talk.
Cybersecurity budget benchmarks are not easy
Although benchmarking the cybersecurity spending of other organizations is one of the recommended approaches towards setting up budgets, it is quite challenging. This due to factors such as company size and type of industry. A BCG report indicated that cybersecurity spending in some of the largest organizations variated by 300%. When benchmarking, therefore, it is vital to understand that strong cybersecurity should consider factors such as regulatory compliance, facilities, levels of security risks to IT assets, among others.
Artificial intelligence will take center stage
Organizations should brace themselves for an upsurge in AI investments. 5G technologies will enable adversaries to develop intelligent malware that cannot be detected by traditional defenses. AI-enabled cyber defenses will be crucial to protecting organizational networks and IT assets. Hence, cybersecurity budgets should take into consideration the potential acquisition of new security technologies and policies.
Change is a constant factor in organizational cybersecurity. This might be due to the introduction of new business processes and technologies. Planning for change beforehand can enable businesses to maintain adequate security. When preparing cybersecurity budgets, a special fund for catering security during change should be set aside. This is to ensure that the change does not result in downgraded security.