One of the most difficult aspects of developing a cybersecurity plan is the realization that there will almost always be a limited budget. If I were in charge of where these funds went, I believe I would prioritize training over improving technology.
When it comes to cybersecurity, humans are the weakest link. Humans evolve at a fraction of the pace that machines do, and as such, businesses must learn to properly accommodate this gap in security. With ninety percent of all successful data breaches starting from phishing attacks, it is crucial that staff are properly trained to counter social engineering attacks.
While not all of the budget should be diverted towards training, it is important that enough be spent to ensure staff are well versed in common avenues of attack. Training on protecting one’s email account and on what information qualifies as “top secret” would be provided to every department of the business. Oftentimes, when staff are not trained and are unaware of what information should not be shared, vital information can be coaxed out of them with little to no effort. For example, staff should know not to use links within emails to log in to services, and instead to navigate directly to the site in question before entering sensitive information. Likewise, if staff are conscious of what information is strictly “off limits,” they are far less likely to accidentally volunteer that information to an untrusted third party.
In terms of technology, any money not spent on the staff training described above should be used to improve the company’s technology. Software upgrades and additional security tools are extremely beneficial to the security of any given company, but in the end, it is still much easier to upgrade machines than humans, and companies should be designed to accommodate this.