- Jun 25, 2020
- 4 min read
How can you justify investing in risk reduction when budgets are tight?
No matter what industry you work in, it’s a safe bet that 2020 has seen your budgets tightened and your IT staff under significant strain. With the emergence of Covid-19, the majority of us were suddenly thrown into an experiment in remote working and as the disruption continues, there has been a widespread effort for businesses to reduce expenses in order to weather the next few months of uncertainty.
This has been complicated further by the rise in volume of cyberattacks during the pandemic, as criminals seek to take advantage of the lower cybersecurity and data protection standards associated with home working. Unfortunately, Forrester has forecasted that security teams will have to revise their budgets and potentially reduce head count to survive the economic downturn associated with the pandemic. So how can you justify making the security investments you need to protect your company from the risk associated with remote working?
Context is key
As we’ve all embraced a new way of working designed to protect employees’ health during the pandemic, it’s critical to revisit the overall picture of risk for your organisation to reflect the new operating model. Although previous business continuity and security investments might have been made to protect against physical disruption of office locations e.g. fire, power outages, your risk appetite now needs to reprioritise cyber security in the context of all the other risks the business faces.
It can be helpful to start by identifying your worst-case cyber scenario for 2020, whether that’s a data breach of customer details used for online transactions through your website, a phishing campaign and invoice fraud attack targeting VIPs, or ransomware locking your employees out of their corporate devices. If your existing incident response plan has not been updated to account for this worst-case scenario and the new dispersed workforce, make that your priority.
Don’t hesitate to invite colleagues in Legal and Marketing roles to weigh in for this exercise, as they will add additional perspective around regulatory issues and brand reputation repercussions of a successful cyberattack. Once the risk of a cybersecurity failure has been placed in this context, it will much easier for you to communicate both the value of a new security solution purchase, as well as the risk of doing nothing.
Recognise the threats directly associated with remote working
Although we are now a few months into the ‘new normal’ of remote working, many businesses still have work to do when it comes to securing home workers. A recent study by IBM found that while 53% of home workers are using their own devices to do their jobs, 61% have still not been given new technology to secure those machines. Ideally, businesses should be investing in solutions that monitor for exposed employee access credentials and breached data, some of the biggest risks associated with remote working.
It’s also important to remember the risks associated with third parties – after all if you’re working from home, your supply chain is too! If your current threat intelligence tools do not currently give you visibility into your third parties’ security posture, then there is definitely a case to made for investing in that capability, particularly at a time when the need to reduce your attack surface has never been greater.
Automation is now non-negotiable
IT teams have performed miracles to rapidly shift their workforce to a remote working environment, but of course such a sudden change without time to prepare employees has resulted in an increased need for technical support. The impact of this has been significant on security teams, International Information System Security Certification Consortium research found that 47% of cybersecurity roles have been reassigned to general IT support due to the increase in remote working during the pandemic.
With IT resource now stretched to the limit, your security solutions now need to support you to rapidly identify and triage your biggest digital risks so vulnerabilities (whether internal or via third parties) can be mitigated before they’re exploited by attackers. Given the sheer volume of targeted cyberattacks currently being seen across all industries, this is not possible or sustainable to achieve using manual threat monitoring methods.
To succeed in this new environment, IT teams must have access to solutions that will aggregate risk intelligence and score it for a user-friendly experience that boosts productivity and rate of risk reduction. It’s important to note that some of these tools cast such a wide threat detection net that their users end up buried in notifications and lose all benefits associate with automation, so make sure you select a solution that allows you to tailor your notifications and focus only on relevant risks.
Work with vendors who understand ROI
Any solution purchased in the next few months will need to provide results that can be tracked over time. These metrics will be essential in helping you to position a new investment as a strategic purchase that aligns with the wider organisation’s goals, rather than a one-off curiosity that is just ‘nice to have’.
A recent PwC survey of CFO found that capital expenditures are most likely to be targeted for budget cuts in the future, with 82% of respondents deferring or cancelling planned CapEx investments due to Covid-19. To help support your proposed tech investment, make sure the provider offers a rolling SaaS billing option so you can classify the spend as a scalable operating expense rather than a capital expenditure that requires a lengthier approval process in the current environment.
If you follow the steps set out in this post, you’ll find it much easier to communicate the need for new security investments and the cost associated with leaving vulnerabilities open. At Darkbeam, we’re here to help you make the most of your budget, with solutions that automate your threat intelligence processes and easily integrate into existing investments without the need for lengthy implementation projects.
If you’d like to discover the solution that will help you minimise your attack surface so you can stop worrying and focus resource on the mitigation actions that matter, get in touch today.