Cybersecurity protections have become a necessary expenditure for companies in the digital age. Protecting company secrets and employee information is paramount, and, depending on the industry, a company may also be required to protect federally regulated information. A data breach can cause serious reputational and financial harm to an organization. Therefore, every effort must be made to safeguard information, regardless of the size of the organization and its budgetary constraints. However, the company must assess its risk level to determine whether it should budget for more physical appliances or whether more employee training is sufficient.
The most important consideration when developing a cybersecurity strategy is the set of compliance regulations that apply to the company's industry. For example, hospitals and companies that maintain healthcare records are bound by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These regulations dictate which cybersecurity controls are most important. In the HIPAA example, data classification, encryption, and lifecycle management are the most important considerations (Krishnan, 2022). Meeting these requirements will require a company to invest in stronger physical cybersecurity appliances.
Once regulatory compliance is met, a company should then evaluate its residual risk to determine how best to allocate the remaining budget. According to DefenseStorm (2024), “Resources and budget should be allocated to areas where residual risk is elevated or where residual risk exceeds your risk appetite. These are the areas where inherent risk is higher, and control effectiveness is weaker.” In other words, stronger controls should be put in place where more training and awareness will not suffice. Despite ongoing training efforts and notifications to users, account phishing continues to be the most persistent threat against organizations. As Agnė Srėbaliūtė (2024) states, “the threat outlook for global companies highlights business email compromise and/or account takeovers (33%) as the most prominent cyber risk.” Therefore, modern companies would be wise to invest in multi-factor authentication in order to protect against fraudulent logins. This is only one example, but funds should be allocated to the most persistent threats facing your organization. Training and awareness are useful tools, but they should be reserved for the lowest-level risks. Humans are the weakest link in any cybersecurity policy, and safeguards must be put in place to protect the organization from malicious behavior, whether intentional or unintentional.
As organizations move to protect themselves from digital threats, special consideration must be given to the risks faced by that specific company. If a company handles protected and regulated information, additional safety measures must be put in place to ensure that the information is well guarded. After addressing regulatory compliance, an organization can then plan for the everyday cybersecurity threats it will face, such as ransomware and phishing. Although training and awareness can be useful tools, humans are prone to mistakes, and even the most well-intentioned worker can cause major damage to an organization. Cybersecurity policy makers can allocate their budget efficiently by prioritizing the risks an organization faces and using weaker controls, such as training and awareness programs, to close any remaining gaps in their program.
References
DefenseStorm. (2024, February 12). The Price of Protection: Allocating Funds for Cybersecurity. NAFCU. https://www.nafcu.org/nafcuservicesnafcu-services-blog/price-protection-allocating-funds-cybersecurity#:~:text=Resources%20and%20budget%20should%20be,exceed%20the%20board’s%20risk%20appetite.
Krishnan, A. (2022, September 1). Cybersecurity budget breakdown and best practices. Search Security. https://www.techtarget.com/searchsecurity/tip/Cybersecurity-budget-breakdown-and-best-practices
Srėbaliūtė, A. (2024, August 29). Optimizing cybersecurity budgets: A research-based guide. NordLayer. https://nordlayer.com/blog/best-practices-cybersecurity-budget-research-guide/