5 Ways to Increase Cyber Resilience Amid Strained IT Budgets


As companies gear up to stay profitable despite economic uncertainty, chief information security officers (CISOs) are under pressure to optimize budgets. And no technology investment is immune to this trend – Gartner found that companies intend to spend less on data center systems (-9.7%), software (-6.7%), devices (-15.5%), communication services (-4.5%) and IT services (-7.7%) this year. 

Several other surveys confirm this. When Barracuda Networks took a closer look at cybersecurity spending in 2020, it found a clear downward trend. More than two out of five businesses have cut cybersecurity budgets due to COVID-19-related financial pressures. 

Meanwhile, cyber threats and attack tactics keep evolving. Another survey found that there was a massive 667% rise in COVID-19-themed phishing attacks. “There are up to 6,000 new servers on the internet that have a domain name related to COVID, and we know that well over a third of them are being managed, run, or hosted by nefarious actors,” said Jim Guinn, head of cybersecurity at Accenture.

In this environment, CISOs need to strike a careful balance between robust security and budget optimization if they want to keep their businesses safe. 


5 Tips for Balancing Enterprise Security Needs with Cost Targets 

Dell Technologies’ recent poll on cybersecurity threats surfaced an interesting insight: companies are NOT afraid of the new or the unfamiliar. Instead, the biggest causes of concern are common (you could say age-old) issues that are mostly preventable. 

Today, businesses need to become cyber-resilient. What is the biggest cyber security threat to your business?

— Dell Technologies UK (@DellTechUK) July 27, 2020

This is good news for CISOs. It means that a select few prevention strategies could go a long way in safeguarding business perimeters and keeping threats at bay. 

1. Cybersecurity begins at home, so double down on training 

Appropriate education and cybersecurity training help employees recognize the threats they may encounter in their daily workflows and make them more resilient to phishing scams. The training serves two purposes: 

  • Educate employees about the most common modus operandi of threat actors. For example, they should know all about phishing emails, password best practices, safe browsing practices, etc. 
  • Familiarize employees with the correct reporting mechanisms. If and when they encounter an unfamiliar or suspicious digital incident, they should know precisely how to report it and which stakeholder to turn to for resolution. 

There are several ways to train your employees. For companies with adequate digital competencies, leveraging in-house resources is a good idea – it saves money and ensures that your teachers are already familiar with learners’ digital habits, work requirements, and level of expertise. 

Companies outside of the digital industry (e.g., a mid-sized brick-and-mortar retail chain) could outsource cybersecurity training. It eliminates the need to hire full-time cybersecurity resources while providing you with access to industry experts – and this brings us to the next point.

2. Offshore urgent cybersecurity projects to reduce deployment timelines 

Some cybersecurity projects cannot be avoided or delayed, no matter the economic climate. For example, if you revamped your entire website architecture just before the pandemic, you might need to put in place new and additional network security mechanisms. Outsourcing is an effective way to bring in proven expertise at optimized costs. 

CISOs could look at the following alternatives: 

  • Tap into a cybersecurity consultant on a limited-term retainer 
  • Partner with a cybersecurity vendor who also provides services
  • Work with leading system integrators (SIs) who also have cybersecurity knowledge 

Remember to carefully weigh the pros and cons of outsourcing; for instance, access to privileged assets or sensitive information shouldn’t go outside the enterprise. “As with any outsourcing decision, you need to understand what needs to stay in-house due to its strategic importance to the business and availability of competent suppliers and what can safely be outsourced,” advises Udi Mokady, the Founder, President and Chief Executive Officer of CyberArk. 


3. Encourage a culture of healthy skepticism 

There’s no way around it: employees are often the biggest threat to a company’s security posture. Threat actors can exploit an underlying sense of fear or apprehension to convince employees to open an email or click on a link. This is a massive risk now because: 

  • Most of us want regular updates on the pandemic, multiplying the possibility of someone opening emails with COVID-19 or related keywords in the subject line. 
  • Widespread work from home (WFH) means that the usual email security measures may not apply. It is time to revamp the IT security policy. 

Here’s where skepticism can help. Simple steps like double-checking a sender’s email address before opening an attachment (rather than relying on the display name alone) can help employees stay wary of suspicious activity. And this applies to all aspects of digital interactions – glaring grammatical errors in the email body, official announcements from a .com (instead of a .gov) domain, etc. 

The key to nurturing a culture of skepticism is often training. But team leaders, managers, and senior executives should also set an example by building skepticism into their own digital behavior. 

4. Reimagine cybersecurity protocol for a WFH world 

Your pre-pandemic security processes may not be fully relevant to employees now working from home. For instance, someone might choose to log in to their official email from a personal device, putting company assets at risk. An updated security rulebook will guide employees through the many security requirements and mandates arising in a WFH world. 

Interestingly, this is among the most cost-efficient measures CISOs can take. With careful planning, well-thought-out what-if scenarios, and detailed explanations, you can prepare employees to work safely from home for as long as required. “As many businesses enter their third month of remote working, it’s time they refocus efforts on tackling this growing cyber-threat,” said Barracuda Networks CTO, Fleming Shi. Some of the key focus areas include: 

  • Clear BYOD policies that restrict personal devices from connecting with the corporate network.
  • A privilege hierarchy, where employees have access to assets, information, and network systems only when necessary. 
  • Strict password rules, such as frequent password changes and sharing restrictions. 
  • Regulation of internet access during work hours/on work devices, so that employees do not visit websites known for spreading malicious software.

5. Consider the cloud as a budget-friendly alternative 

The cloud can be a helpful lever for organizations trying to strengthen cybersecurity at limited cost. To begin with, cloud-based remote IT management lets IT managers enforce cybersecurity policies on remote employee devices. Further, the cloud lets CISOs pay as they go, adapting cybersecurity capabilities to the most relevant requirements without investment leakage. 


Takeaway

As enterprise priorities shift during and after the pandemic, CISOs will need to rethink cybersecurity decisions in line with budgetary constraints on one hand and industry demands on the other. In addition to the five tactics discussed, they can consider open-source cybersecurity solutions that lower spending on underutilized software and free up budget for a sustainable cybersecurity strategy. 

How have you coped with the cap on IT spending? Comment below or let us know on Facebook, LinkedIn, and Twitter. We would love to talk about it in detail!