The Business Challenge of Managing Identities into Today’s Threat Landscape

Susan Doktor, journalist and business strategist

Monday, August 15, 2022

Today's threat landscape looks very different from just a few years ago, and with remote and hybrid working now a staple part of the global business scene, it's crucial that businesses are able to properly secure digital identities.


The consumer world has woken up to the fact that living life online comes with considerable risk. The identity theft protection industry has grown at an unprecedented rate; it was worth over $11 billion in 2021 and is expected to surge to more than $27 billion by 2029.

Consumers are internalizing the rules of basic cybersecurity: They’ve learned to create strong passwords and change them regularly, to not click on new friend requests from current friends on Facebook, and are less likely to give up their social security numbers to anyone who asks. Let’s just say they’ve acquired a healthy case of paranoia.

But as an IT leader, you face challenges on a scale consumers will never know. Chances are you’re spending more on cybersecurity than ever before. A survey by Gartner revealed that the amount businesses spend on cybersecurity increased by 12.4% between 2020 and 2021. Fatter budgets are predicted in the coming years, so how much should you be spending on cybersecurity? What are the most serious threats? Nobody has a crystal ball, of course. And cybercrooks are getting more inventive all the time. But let’s take a look at what experts are saying and review some of your options.

How much should you spend on cybersecurity?

There’s no magic number. According to Deloitte, businesses spend between 6% and 14% of their total revenue on cybersecurity. Certain industry sectors, like financial service providers, spend more than others. But few companies relish doing it.

So you may want to reframe the cost of protecting the business from cyber threats. Many stakeholders persist in seeing cybersecurity as a cost center, plain and simple. A necessary one, for sure, but still an expense they wish they weren’t burdened with. Instead, you should be looking at your cybersecurity expenses as a revenue generator.

Focus on what customers care about most

More than ever, customers expect—or even demand—businesses to take data security seriously. You may not realize it, but they come into most business transactions, including a visit to your website, from a position of mistrust. A study by PWC found that organizations underestimate how wary customers are of doing business with them. While 87% of respondents believed that customers placed a great deal of trust in their companies, the survey revealed that only about 30% actually do. That’s a dangerous gap.

Trust is the lynchpin of customer relationships. It became even more important with the onset of the global pandemic when more of life’s business was conducted online. Building and retaining your customer base depends on them believing you have their best interest at heart.

Trust takes a long time to build and should be the aim of every customer interaction. But it’s also fragile. It can be destroyed in an instant. Think of cybersecurity as part of your brand strategy. It contributes to both your top and bottom lines. And bear in mind that security breaches don’t just result in a loss of customer trust. They cost you real dollars: $4.2 million per breach on average, to be specific. How many breaches could your business sustain without closing its doors?

Where should you be spending your money?

Executing a robust cybersecurity strategy means looking at every aspect of business operations. It helps to have an objective eye. That’s why many businesses start by hiring a third-party consultant. But the largest portions of most cybersecurity budgets are spent on on-premises hardware, software and other tools, skilled staff, and cloud-based security solutions.

The threats businesses face today are different from the ones they faced just a few years back. Adopting new technologies that make the business more efficient and improve customer relationships may be vital to remaining competitive. But it may also usher in new security risks. That’s why re-evaluating your cybersecurity strategy and budget periodically is essential.

Today’s greatest risks

Cybersecurity analysts have named several threats as the most pervasive in 2022:

  • Ransomware: According to CrowdStrike, there was an 82% increase in ransomware-related data leaks between 2020 and 2021.
  • State-sponsored threats: Over the same period, the number of cyberattacks perpetrated by China alone increased six-fold.
  • Threats to cloud environments: As businesses continue to migrate toward cloud-based operations, cybercriminals will focus their attention on exploiting cloud vulnerabilities. Half of all organizations store confidential information in the cloud and their numbers are growing. For example, how ubiquitous is the use of Google Drive and Dropbox in your company?
  • Identity and access management: Just as consumers need to protect their identities, businesses must take precautions to safeguard the identities of employees who have access to their data systems. Verizon’s 2022 Data Breach Investigations Report found that 50% of data breaches could be traced back to compromised credentials.

The threat from within

Not all cyber threats are external. Vulnerabilities exist within your organization. Employees commonly have access to reams of confidential data and it’s a formidable challenge: every member of your team represents one more threat.

The most effective cybersecurity strategies address identity and access management problems head-on. Here are a few of the challenges they attempt to tackle:

Weak passwords

Educating employees on how to create strong passwords is just the first step in solving the password problem. Businesses should also focus on compliance because, let’s face it, passwords are a pain in the rear and many employees would just as soon not follow the rules.

You may be able to relieve employees of their perceived burden by installing biometric identification technology on electronic devices. Fingerprint scanning, facial and voice recognition, and even heart rate sensors are just some biometric identification options available.

Weak authentication protocols

Passwords can be shared. They can also be stolen when employees exercise poor password hygiene—like writing their passwords down in a smartphone note.

Increasingly, businesses are using two-factor authentication as a cybersecurity tool. But that may not be enough. Hackers have become adept at circumventing two-factor authentication. This has prompted many security experts to recommend multi-factor authentication.

If MFA sounds like overkill, you may want to consider a step-up authentication process that requires additional forms of identification when users request access to more sensitive data.

Provisioning and deprovisioning

Every time an employee joins your team, you give them access to multiple applications and databases—email accounts, your CRM, and your company’s HR portal, to name just a few. The number of separate identities your company has to manage grows with each new employee, each new application you provide, and each time an employee needs access to another level of information. That’s the provisioning side of identity management and it's important to keep a firm grip on it. Why? Because how well you do provisioning has a direct effect on how well you’re able to do deprovisioning.

When an employee moves into a different role and needs different tools to do their job or leaves your company entirely, it’s important to deny access to their many accounts. Without fast, accurate, and complete deprovisioning, you expose your company to greater risk.

There are two ways to mitigate the risk posed by provisioning and deprovisioning. The first is to adhere to a “least privilege” strategy. Employees should only have access to the data they absolutely need to do their jobs—and only for as long as they need it. The least privilege approach can curb what’s known as access creep, a gradual process that puts too much information in the hands of the wrong people. Many companies address provisioning and deprovisioning management using automated software. That’s something you may want to budget for, particularly if you manage a large company.
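As an added illustration (not part of the original article), the sketch below shows the kind of check automated deprovisioning tooling performs: it reconciles an HR roster against the accounts that actually exist and flags orphaned accounts, expired temporary grants, and access creep. All names, roles, applications, and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (assumptions, not from the article).
HR = {
    "alice": {"status": "active", "role": "sales"},
    "bob": {"status": "terminated", "role": "sales"},
    "carol": {"status": "active", "role": "hr"},  # moved from sales to HR
}
# Least-privilege baseline: the applications each role needs.
ROLE_BASELINE = {
    "sales": {"email", "crm"},
    "hr": {"email", "hr_portal"},
}
# (user, application, expiry date or None for a standing grant)
GRANTS = [
    ("alice", "email", None),
    ("alice", "crm", None),
    ("alice", "finance_db", date(2022, 6, 30)),  # temporary project access
    ("bob", "email", None),
    ("bob", "crm", None),
    ("carol", "email", None),
    ("carol", "hr_portal", None),
    ("carol", "crm", None),  # left over from her previous role
    ("dave", "crm", None),   # account with no HR record at all
]

def audit_access(hr, baseline, grants, today):
    """Return sorted (user, app, reason) findings that need deprovisioning."""
    findings = []
    for user, app, expires in grants:
        person = hr.get(user)
        if person is None:
            reason = "orphaned: no HR record"
        elif person["status"] != "active":
            reason = "orphaned: employee not active"
        elif expires is not None and expires < today:
            reason = "expired time-bound grant"
        elif expires is None and app not in baseline.get(person["role"], set()):
            reason = "access creep: outside role baseline"
        else:
            continue  # grant is justified by role or by an unexpired exception
        findings.append((user, app, reason))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_access(HR, ROLE_BASELINE, GRANTS, date(2022, 8, 15)):
        print(*finding, sep="\t")
```

Running such a reconciliation on a schedule, and on every role change or departure, is what keeps provisioning records accurate enough for deprovisioning to be complete.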

Free cybercrime resources

From mobile malware to supply chain attacks to hacktivism, businesses face an ever-changing list of threats and experts predict cybercrime will continue to proliferate. Cybersecurity Ventures predicts a 15% year-on-year increase in the number, scale, and cost of attacks, suggesting that losses will reach $10.5 trillion in 2025.

In addition to honing your cybersecurity strategy and increasing your spend, you can also take advantage of free cybercrime resources. Here’s a short list of government and industry organizations that can help you improve your cybersecurity position and mitigate the costs of cybercrime:

Susan Doktor

Susan Doktor is a journalist and business strategist whose work focuses on finance and technology. Her contribution comes to us courtesy of Money.com.
