How can I justify my cyber security budget?

Let’s be clear, having a secure and resilient IT system for your business is not optional. Downtime will cost you in several ways. And a serious cyber breach can cost you your reputation, potential fines from the ICO (Information Commissioner’s Office) and ultimately, could sink your company.

Not convinced? Well, let’s have a rapid-fire maths Q&A.

What is your annual wages bill? Got that number? OK, divide that by 52.

What is the value of your annual income from the services and products you provide? Divide that by 52.

What is the cost of the annual online services and systems needed to run your business? Divide that by 52.

Now, add those three numbers together. This figure is what you kiss goodbye to if you have a cyber-attack which floors your systems for one week.

Think ransomware attack, broken server, or you pulling the plug because your system has been taken hostage by some malicious, self-spreading malware.

(Back of envelope calculation for ITGUYS is well into five figures).

Then add the requirement to report the breach to the ICO and their subsequent audit, which could result in a fine that would mean the business cannot continue trading.

Looking at it this way, sensibly spending money now gets you past the regular issue I see with businesses, namely that companies are only prepared to spend money on cyber security AFTER they have been hacked.

So, apart from your IT budget covering the cost of hardware and software, depreciation and factoring in business growth (new people, new kit), how can we highlight the key elements to your cyber-security budget so that you are sensibly and effectively protecting yourself?

I have listed seven key aspects below with some elaboration.

Information security policy. From the top down, every business needs a set of policies that describe how systems are protected, what security is in place, how it is monitored/reviewed and who is responsible for it. If no one is accountable for it, the chances of it being done are low.

User awareness training. Repeatedly, we encounter unintentional security breaches due to employees not understanding the implications of their actions. Common sense or not, assuming that all your team get IT security is a dangerous game.

Perimeter security (firewalls/intrusion detection). Whilst most routers these days have a firewall of sorts, they can be very basic, offer no reporting/auditing and can be easily hacked by a determined bad guy. Yes, a good firewall can cost you money, but I refer back to the implications above of not protecting your core assets.

Data loss prevention/backup. Hopefully, you’re aware of the need for robust backups – but there is a wide range of backup levels – and these need to be in line with the requirements your business has for data recovery and time scales.

Cyber insurance. If the worst happens, be prepared. It may not be a legal requirement but insuring yourself against something that could threaten your business’s very existence is something you should seriously consider.

External and internal security testing. Depending on your business’s size and how it does business with others, this may be part of your supply-chain information assurance requirements. Externally, this involves an ethical hacking company trying to break into your system and telling you where the holes are, allowing you to plug them before they are discovered. Internally, running an automated vulnerability scanner can find gaps or devices that should have been scanned (e.g. for an operating system update) but have been missed. Remember, it can take only one unsecured device to allow malware in.

Annual review (minimum). Things change, processes get forgotten. A regular review will deal with these changes and also check that any changes or new services or installations are covered adequately.