Can good Cyber Security actually save your business money?

Updated: Jul 6, 2023

Contributed by our Cyber Essentials partner C3iA Solutions Ltd.

The financial stresses associated with the cost of living crisis and rising inflation are having a significant impact on many businesses. Cyber-attacks have also risen, with 39% of businesses reported to have experienced a cyber-attack in the past 12 months. A cyber-attack can have serious implications for an organisation, including loss of critical data or lost business due to reputational damage.

Should UK businesses consider cutting costs across cyber security services to help with current financial pressure?

Whilst the answer for many businesses will be a simple yes, the concern is that organisations take these measures without basing them on a credible risk assessment or an understanding of their actual threats and vulnerabilities. This may prove to be more costly in the longer term and potentially result in your business spending more money in a reactive position, following a cyber-attack, rather than a proactive one with appropriate and cost-effective cyber defences already in place.

Understanding your risks

When was the last time you conducted a risk assessment that was appropriate to your business functions and critical assets? Vendors will try to convince you that their piece of security hardware will solve all your cyber problems. Whilst many can provide a great service or perform a valuable function, all too often the hardware in question does not address your priority risk, or is not configured or managed appropriately. If your biggest risk is local crime and burglary, then a £50,000 firewall will not help mitigate this risk.


The costs associated with a cyber-attack were reported to be £3,080 for micro/small businesses and £19,400 for medium/large businesses. 83% of attacks reported were phishing attacks, where an unsuspecting employee clicked a link sent via an email, resulting in a data breach. Human error is reported to be the biggest cause of data breaches or cyber-attacks and is typically due to a lack of education or training, i.e. the ability to configure that shiny new firewall correctly or to know when to patch and update it. In contrast, cyber awareness training requires a lower overall investment in terms of cost and can provide staff with the required knowledge and skills to help recognise and respond to threats appropriately.

Cyber Response Plan

Imagine your organisation has been involved in a cyber-attack. The attackers have gained access to your internal network and locked down all critical systems whilst demanding you pay a ransom. What do you do? In this scenario, a cyber response plan (CRP) may help you to deal effectively with the threat. This can be achieved using tabletop exercises to simulate different cyber-attacks, with key stakeholders within the organisation given specific roles to prevent further damage and ensure business continuity. Overall, organisations with a CRP in place have been shown to have a lower data breach cost, and a CRP could potentially save you thousands of pounds in data breach costs or loss of revenue as you try to recover your business-critical data.

So, before you consider reducing your cyber security budget or even spending more money on the next best piece of security hardware, ensure that you understand where your risks are and which cyber security controls are the most appropriate way of addressing them. A risk-managed approach to your cyber security should save you money, time and effort and allow the business to make informed and cost-effective decisions.

