Cyberattacks against large corporations are certainly newsworthy. But hackers often target small and medium-sized businesses with data breaches and other cyberattacks. Cybersecurity incidents can cripple a business and erode customer trust, and recovering from these attacks can be costly. To prevent such devastating outcomes, it's important for businesses of all sizes to take cybersecurity precautions.
Like many core business functions, cybersecurity has a cost. But how much should you budget for your company's cyber defenses? We explore best practices for cybersecurity budget planning, outline the costs of a cyberattack, and introduce the different types of cyber incidents to watch out for.
Do we need to budget for cybersecurity?
Cybersecurity affects businesses of all sizes. According to Netwrix Research Lab's 2023 Hybrid Security Trends Report, 68% of all organizations surveyed (large and small) experienced a cyberattack in the past 12 months. Moreover, 43% of data breaches involve small and medium-sized businesses.
Here are the benefits for small businesses of establishing a cybersecurity budget:
- Protect your business: The cybersecurity budget funds programs that protect businesses from the costs and disruption caused by cyberattacks.
- Satisfying risk assessment clauses: A funded cybersecurity plan gives you something concrete to point to when responding to third-party cybersecurity risk assessments (or other vendor requirements). Risk assessment clauses are becoming standard in contracts.
- Compliance assistance: A cybersecurity budget helps you comply with regulations such as GDPR, PCI DSS, HIPAA, and other national or state regulations that legally require companies to maintain cybersecurity standards.
- Competitiveness: A cybersecurity budget can help you win large projects and contracts.
Which cybersecurity areas should be included in the budget?
The field of cybersecurity is huge. When creating a budget, consider the following investment areas that small businesses should prioritize:
- Risk assessment
- Business preparation and continuity
- Incident response
- Employee training
- Identifying and managing network and website vulnerabilities
- Regular scans and tests such as dark web scans and ethical hacking
- Cyber insurance policy
If you're not convinced that your company needs a cybersecurity budget, consider that you would not be the only victim of a cyberattack. Employees, customers and strategic partners will also be affected. The only way to prevent attacks is to improve your understanding, security posture, and defenses. This is a process worth investing in for any small business.
How much should you invest in cybersecurity?
Cybersecurity spending is often tied to a company's overall IT budget, taking into account the company's size and IT infrastructure. According to the 2023 State of IT report, 54% of businesses worldwide plan to increase their IT budget due to the following factors:
- A recent security incident
- Updating outdated systems to remediate cybersecurity vulnerabilities
- Strengthening security software
- Increased spending on managed security services
According to Statista, businesses around the world spend an average of 12% of their IT budget on cybersecurity. For example, if a business pays an IT managed services provider $3,000 per month to meet its IT needs, its cybersecurity budget would be around $360 per month.
However, the percentage of total IT spending devoted to cybersecurity varies widely depending on:
- Industry and company size
- Compliance and other regulations that impact your business
- The confidentiality of data you collect, use, and share
- Requirements from your stakeholders and customers
Here are some tips to help you make cybersecurity spending decisions:
- Don't spend too much money at once. Creating a cybersecurity budget doesn't have to involve a huge investment of money at the outset. If you don't already have a cybersecurity budget, try incorporating a small amount into your upcoming budget. A small investment can go a long way. With a relatively small investment, you can take the important first step of conducting a cybersecurity risk assessment and start working on key improvements.
- Seek advice from your cybersecurity provider. A cybersecurity provider can help you identify the action items that are the highest priority and lowest cost for your business. From there, you can tailor your cybersecurity program and gradually increase your budget to improve protection and reduce risk. Cybersecurity is an ongoing effort, not a one-time project.
- Get company leadership on board. Small businesses often have limited budgets. In some cases, the people who create and approve budgets don't understand the importance of cybersecurity. If you're facing hesitation from management, stakeholders, or the board, perform a basic risk assessment to show where your company stands and how your investments can increase your protection. Management (board of directors, top executives, company owners, etc.) is responsible for steering the company in the right direction, and that includes protecting the company from threats.
How much does a data breach cost?
Cyberattacks cause significant damage and costs. According to IBM's 2023 Cost of a Data Breach Report, the average cost of a data breach for organizations with fewer than 500 employees is $3.31 million. The average cost per compromised record is $164.
However, the full cost of a data breach may not be immediately apparent. Potential direct costs include:
- Theft of funds
- System repair and recovery
- Regulatory and compliance fines
- Legal and public relations costs
- Notification of affected parties, identity theft remediation, and credit monitoring
- Increased insurance premiums
Potential indirect costs include:
- Business interruption and downtime
- Loss of business or customers
- Loss of intellectual property
- Damage to the company's goodwill, brand and reputation
By taking important cybersecurity measures, you can reduce the damage and costs of data breaches. These measures include implementing an incident response team and cybersecurity plan, using encryption, conducting employee training, and securing cyber insurance.
The concept of “cyber resilience” is becoming increasingly important, and given the potential costs and detrimental impacts of a data breach for small and medium-sized businesses, every penny of budget spent on improving your company's cybersecurity posture is well spent.
Five types of cyber attacks threatening businesses
In-house IT teams or outsourced IT partners must remain vigilant about the following types of cyberattacks. Some attack vectors are obvious, while others are often overlooked.
1. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
A DoS attack aims to exhaust the resources of a machine or network, making the system inaccessible to its intended users. A DoS attack is performed by flooding the target with traffic or requests until the system slows to a crawl or crashes.
Unlike other types of cyber risks, DoS attacks do not directly benefit the attacker. A competitor may launch a DoS attack to disrupt your website and gain an advantage, or it may be the first stage of a larger cyber threat.
DDoS attacks are similar to DoS attacks, but they are launched from many host computers. DDoS attacks aim to overwhelm and cripple a company's website or service beyond what its servers can handle.
There are many different types of DoS and DDoS attacks, but the most common are:
- TCP SYN flooding: These attacks can be prevented by placing your server behind a firewall.
- Ping-of-Death attack: Placing your server behind a firewall can help prevent ping-of-death attacks.
- Teardrop attack: Teardrop attacks are caused by vulnerabilities that are common in older versions of Windows. Multiple patches have been issued over the years. Keep your operating system up to date to prevent teardrop attacks.
- Botnets: Enabling RFC 3704 filtering and blackhole filtering can help mitigate floods launched from botnets.
2. Phishing and spear phishing attacks
Phishing attacks are a common cyber threat in which attackers send emails that appear to come from a trusted source. The goal is to obtain personal information, such as usernames and passwords, or to trick someone into performing a specific action, such as downloading malware onto a machine.
Spear-phishing attacks are similar, but instead of casting a wide net, attackers target individuals, taking the time to research their victims and craft messages that are personal and relevant.
The best way to prevent phishing attacks within your company is to train your staff on what to look for and how to spot risky emails and links.
3. Man-in-the-middle (MitM) attack
As the name suggests, a MitM attack is when an attacker places themselves between a user and the service the user is interacting with. Types of MitM attacks include session hijacking, IP spoofing, and replay attacks.
No single method can prevent all types of MitM attacks, but encryption and digital certificates can help prevent attackers from getting between you and your server.
4. Drive-by download attack
These attacks spread malware widely. Attackers look for insecure websites that they can compromise and then embed malicious code throughout the site. When users visit a compromised website, they may inadvertently install malicious code or be redirected to a site created by the attacker. Unlike other types of cyber threats, drive-by downloads infect users without requiring them to take any action, such as clicking a button or opening an email.
The best way to prevent this type of attack is to keep your internet browser and operating system up to date and train your staff to avoid unsafe websites.
5. Password Attacks
Obtaining user passwords is one of the oldest, most common, and most effective forms of cyberattack. Hackers can steal passwords in several ways:
- Watching someone type their password
- Sniffing unencrypted passwords on the network
- Obtaining a password through social engineering
- Guessing the correct password through brute-force or dictionary attacks
To protect your company from password attacks, implement a two-factor authentication policy, require employees to use strong, unique passwords, and implement a policy to lock user accounts after several invalid password attempts.
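The lockout policy recommended above, as an added example that is not part of the original article: consecutive failed logins are counted, the account is locked for a fixed period after a threshold, and a successful login clears the counter. The threshold, lockout duration, PBKDF2 iteration count and the injected clock are all assumptions chosen for illustration.

```python
"""Account lockout after repeated failed password attempts (constructed example)."""
from dataclasses import dataclass
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5      # assumed policy: lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60    # assumed policy: account stays locked for 15 minutes
PBKDF2_ITERATIONS = 100_000  # constructed value; tune to your hardware in production


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0   # consecutive failures since the last success or lock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 so stolen hashes cannot be cracked with a single table.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)      # per-user random salt
    return Account(username, salt, hash_password(password, salt))


def attempt_login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'locked'. `now` is passed in so the logic is testable."""
    if now < acct.locked_until:
        return "locked"        # refuse without checking the password while locked
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0   # a good login resets the failure counter
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0   # counter restarts once the lock expires
        return "locked"
    return "denied"


if __name__ == "__main__":
    acct = create_account("alice", "correct horse battery staple")  # constructed user
    for guess in ["a", "b", "c", "d", "e", "correct horse battery staple"]:
        print(guess, "->", attempt_login(acct, guess, now=0.0))
```

Pair the lockout with logging of each "denied" and "locked" result so that a burst of failures across many accounts, the signature of a password-guessing campaign, shows up in monitoring rather than only in the affected user's inbox.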
Cybersecurity can mitigate attacks, but not eliminate them
Cybersecurity is no longer a “nice to have” – it's a necessity and a necessary budget line item for any business. A comprehensive cybersecurity program doesn't have to cost a lot of money, but it does require prioritization and commitment from leadership, IT, and other employees.
However, no matter how much effort you put into cybersecurity, you can never guarantee 100% protection. Your best bet is to combine resources, testing, training, and time to deploy a multifaceted, ongoing cybersecurity program.
The cost of a comprehensive cybersecurity program is a small price to pay for peace of mind that your company is better protected.
Jennifer D'Abrino contributed to this article.