While establishing an IT budget is important, your cybersecurity budget might be even more important. It should be a separate line item from your main IT budget, and it should be taken very seriously.
Cyber attacks are more frequent than ever, and being hit by one could be a disaster for your business. Lost productivity is bad enough, but there is far more at stake, including potential legal consequences if you work in a field with heavily regulated data such as health care or finance. Your clients depend on you to keep their information safe, and if you can't, your company will suffer.
How much should you budget for cybersecurity?
If you're not sure how much to put into your cybersecurity budget, look to your competitors. Your goal should be for your budget to exceed theirs, because cybercriminals like easy money and tend to go after the easier target. Keep in mind that spend is only a proxy: what actually makes you the harder target is which of the controls below are in place and working, not the dollar figure alone.
For those who are new to cybersecurity, a good rule of thumb is to spend 10-15% of your IT budget on these preventative measures. However, there are different levels of cybersecurity, and your needs will depend on the reach of your business and your industry. Let’s talk about these levels so you can decide what you really need to keep your data safe.
The many levels of cybersecurity
Level 0 – Anti-Virus
Cost: $0-$5 per user per month
At the very least, every one of your machines should have a proper antivirus program installed. If you have an IT team that handles the management of your devices, then this is likely already in place. However, if you’re just getting started and your staff is very small, then you may need to take care of this yourself.
Level 1 – Basic
Cost: $20-$30 per user per month
Once your business begins to establish itself, you should put a real cybersecurity plan in place. Most people assume their files will be compromised by a technical hack, but in many cases it is the business's own employees who, through phishing or unsafe browsing, let the attackers in. Make sure you have the following protections in place.
- Spam Filter
A good spam filter keeps most malicious phishing emails out of your inboxes, so employees with little technical knowledge are less likely to fall for common scams that steal login credentials and give attackers direct access to your files. No filter catches everything, which is why end-user training appears at the next level.
- Web content filter
Everyone browses the web at work, but many people don't realise that some of the sites they visit could endanger the entire network. A content filter blocks known malicious and inappropriate pages and keeps you safe from malware that can infect your files.
- Managed firewall
While similar in concept to the firewall on your home computer, a managed firewall is a serious step up in security. Managed firewall services are run by outside companies that specialise in cybersecurity. They monitor the traffic entering and leaving your network, keep the rules and firmware up to date, and alert you if anything suspicious is going on, stopping potential threats in their tracks.
- Managed backups
Even with the best security, you can still be hacked through an unknown vulnerability. Keeping professional backups means you can recover from an attack if it does happen. These backups should be kept both onsite and offsite, at least one copy should be offline or otherwise unreachable from your network so that ransomware cannot encrypt it along with your live data, and restores should be tested regularly; a backup that has never been restored is only a hope.
Level 2 – Moderate
Cost: $30-$60 per user per month
The bigger you get the more security you need. For a moderately sized business, you should make sure that you have these data protections in place in addition to the basic protections.
- Multi-Factor Authentication
This makes logins more secure by preventing access with a stolen password alone. Users must present more than one kind of credential before they are allowed in: something they know (a password) combined with something they have (a code from an authenticator app or a hardware security key) or something they are (a fingerprint). Note that a second password or PIN the user simply memorises is another "something you know" and does not count as a second factor.
- Cyber Risk Assessment
This assessment is performed by an outside company. They will identify any potential security risks in your systems and processes and create a plan to make your company’s network more secure. The cost for this starts at around $10,000 but it can be invaluable in creating a better security plan as your company grows.
- Disaster recovery plan
In addition to creating barriers that keep attackers out, you should have a recovery plan in place. This covers how to get your systems back online, restore your data, and shut out attackers if they do manage to get in, and like backups it should be rehearsed, not just written down.
- End-user policies
Establish an end-user policy to inform employees what their responsibilities are in protecting corporate data.
- End-user security training
A company is only as strong as its weakest link. Spend the time and resources to train your staff on proper security practices, in particular how to recognise and report phishing attempts.
Level 3 – Advanced
Cost: $60-$100 per user per month
- Disk encryption
Encryption keeps your data private at rest. If a laptop or drive is lost or stolen, an intruder cannot read an encrypted disk without the key. It does not protect data on a machine that is already running and unlocked, so it complements, rather than replaces, the access controls above.
- Application Whitelisting
By allowing only approved programs to run on your systems, you prevent malicious software from executing and accessing your files, even if it slips past the antivirus. Whitelisting means only authorised software can run or make changes.
- Intrusion Detection System
This system monitors the network for malicious activity so that it can be stopped quickly. Much as your home security system tells you when someone who shouldn't be there is in the house, intrusion detection tells you who is on your company's network who shouldn't be. Detection alone only raises an alert; someone still has to respond, which is where the managed security operations centre below comes in.
- Managed Security Operations Centre
A managed security operations centre gives you continuous monitoring and expert insight into your security posture. It also takes a great deal of work off your plate when it comes to maintaining controls, investigating alerts and hunting for intruders.
- Mobile Device Management
Mobile devices are an often-overlooked way for attackers to get at your data and network. Mobile device management lets you enforce rules such as passcodes, device encryption and remote wipe of lost devices, protecting unsuspecting users and their phones from malicious software.
Level 4 – Total
Cost: $150-$200 per user per month
- Log Collection (SIEM)
Collecting security logs from across your systems into one place, where you can analyse and correlate them to find patterns, leads to better security. It can show you whether employees are actually following protocols, where the weak points in the system are, and what an attacker did once inside.
- Endpoint Detection and response
This software runs on each workstation and server, records what is happening on it and flags suspicious behaviour that antivirus misses, so you can investigate and contain an incident (for example by isolating a machine from the network) before it becomes a full-blown breach.
- Network access control
Device compliance is key to network security. With strong controls in place you can deny network access to devices until they meet your standards, such as running current patches and an active antivirus, preventing many security threats.
- User Behaviour Analytics
Some threats come from inside your organisation, or from an attacker using a legitimate employee's stolen account, and user behaviour analytics lets you find them. It builds a baseline of each user's normal activity and flags patterns that deviate from it in ways it deems suspicious.
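To make the log-collection and user-behaviour bullets concrete, here is a small added example (not code from the original page or from Greenlight) of the two kinds of pattern such tools look for. It parses a hypothetical key=value authentication log format and a handful of constructed log lines, then runs a brute-force correlation (many failures from one source in a short window) and a simple behavioural check (a successful login at an hour the user has never logged in at before). Real SIEM and UBA products do far more, but this is the shape of the logic.

```python
"""Toy SIEM-style correlation over constructed authentication log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Hypothetical log format assumed for this example: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag a source IP the first time it produces >= threshold FAILs inside a sliding window.

    Returns a list of (src, sorted usernames attempted, failure count at alert time)."""
    recent = defaultdict(deque)   # src -> FAIL events inside the current window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = (ev["src"], sorted({e["user"] for e in q}), len(q))
    return list(alerts.values())


def build_hour_baseline(events):
    """Hours (UTC) at which each user has previously logged in successfully."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "SUCCESS":
            baseline[ev["user"]].add(ev["ts"].hour)
    return baseline


def detect_unusual_hours(events, baseline):
    """Successful logins at an hour the user has no history of logging in at."""
    return [(ev["user"], ev["ts"].isoformat(), ev["src"])
            for ev in events
            if ev["result"] == "SUCCESS" and ev["ts"].hour not in baseline.get(ev["user"], set())]


# Constructed sample data (not real logs). Addresses are from documentation ranges.
BASELINE_LOG = """\
2024-04-29T07:58:12Z host=vpn01 user=bob src=198.51.100.31 result=SUCCESS
2024-04-29T17:20:03Z host=vpn01 user=bob src=198.51.100.31 result=SUCCESS
2024-04-30T08:01:44Z host=vpn01 user=alice src=198.51.100.20 result=SUCCESS
2024-05-01T09:15:27Z host=vpn01 user=alice src=198.51.100.20 result=SUCCESS
2024-05-02T13:40:09Z host=vpn01 user=alice src=198.51.100.22 result=SUCCESS
2024-05-02T13:41:00Z host=vpn01 user=alice src=198.51.100.22 result=FAIL
"""

NEW_LOG = """\
2024-05-06T03:12:40Z host=vpn01 user=bob src=203.0.113.7 result=FAIL
2024-05-06T03:12:47Z host=vpn01 user=bob src=203.0.113.7 result=FAIL
2024-05-06T03:12:55Z host=vpn01 user=admin src=203.0.113.7 result=FAIL
2024-05-06T03:13:02Z host=vpn01 user=carol src=203.0.113.7 result=FAIL
2024-05-06T03:13:10Z host=vpn01 user=bob src=203.0.113.7 result=FAIL
2024-05-06T03:13:18Z host=vpn01 user=bob src=203.0.113.7 result=FAIL
2024-05-06T03:14:09Z host=vpn01 user=bob src=203.0.113.7 result=SUCCESS
2024-05-06T08:02:11Z host=vpn01 user=alice src=198.51.100.20 result=SUCCESS
2024-05-06T08:05:30Z host=vpn01 user=alice src=198.51.100.20 result=FAIL
2024-05-06T08:05:41Z host=vpn01 user=alice src=198.51.100.20 result=SUCCESS
this line is malformed and is skipped by the parser
"""


def run_detections(baseline_text=BASELINE_LOG, new_text=NEW_LOG):
    events = parse_log(new_text)
    baseline = build_hour_baseline(parse_log(baseline_text))
    return {
        "bruteforce": detect_bruteforce(events),
        "unusual_hours": detect_unusual_hours(events, baseline),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

On the constructed data the brute-force rule fires for 203.0.113.7 after its fifth failure in 30 seconds, and the behavioural rule flags bob's 03:14 login because his baseline only contains 07:00 and 17:00 sessions. The two hits together (a password-guessing burst followed by a success at an odd hour from the same address) are exactly the kind of correlation a SIEM exists to surface; alice's single failure followed by a success at her usual hour is ignored, which is the false-positive behaviour you want.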
For more information on cyber security, visit the Australian Cyber Security Centre or call Greenlight for an assessment.