All of these news headline about cyberattacks, nation-state actors and ransomware are daunting, and they’re probably keeping IT professionals and executives up at night, thinking about when they’ll wind up in those headlines themselves.
In today’s business climate, all eyes are on cybersecurity. For the most part, organizations investing heavily to secure their IT environment and keep malicious actors out of their network are doing the right thing. However, businesses need to ensure that they’re investing in solutions that are actually protecting them from real threats.
Or else, organizations could run the risk of overinvesting in cybersecurity and not have enough of a budget to hire more personnel or train end users, says Danielle Parks, a research analyst at Nucleus Research who studies the return-on-investment (ROI) of cybersecurity.
“With all of the recent attacks gong on, you don’t want your company to be the next Colonial Pipeline, and that is making a lot of companies very fearful and take the sky-is-falling approach,” Parks says.
That could overload the network, slow down endpoints and suck money away from other areas that badly need investment.
Look for overlap vs layers
Cybersecurity and IT professionals always advocate for a layered approach to cybersecurity, which means investing in solutions that address different aspects of an organization’s network security. Things like network protection, multi-factor authentication, VPNs and others all serve different purposes but all contribute to the overall security of an organization’s IT environment.
The idea there is to cover up every potential vulnerability and make it as hard as possible for bad actors to access your network at every phase. Doing so typically requires several different cybersecurity products.
However, many organizations have different solutions doing the same thing, which means the organizations is paying for things it doesn’t need, which could also be slowing down systems that end users rely on for their day-to-day work.
Over time, costs associated with systems so bogged down that it takes employees longer to do their jobs.
“That’s an indirect cost of just having an overly secure system,” Parks says.
Take a risk-based approach
Instead of blindly throwing money at cybersecurity solutions, Parks suggests a more thoughtful and strategic approach based on an evaluation of the risk an organization faces, which can help make IT spending more efficient.
Although the threat and potential damage of a cyberattack are very real, organizations shouldn’t buy into fear and spend needlessly on cyber solutions just because they’re afraid of being compromised and losing business.
Organizations should ask themselves:
- Who are the possible threat actors targeting us?
- How could they possibly get into our network?
- What have those actors and others like it done to similar organizations?
- Where are our weak points?
Some companies would be better served by a security information event management system, while others should double down on their endpoint protection investment, but that depends on where organizations are most vulnerable.
Depending on the size of the organization, nature of its business and budget, cyberattacks attacks can be handled very differently. For example, a smaller organization might be better off scrapping compromised computers and buying a new one rather than paying for software or a third-party forensics team to clean up the systems.
Think of cybersecurity as an insurance market
Parks says organizations should evaluate the size of the company, identify the company’s specific cyber risks and form a cybersecurity spending plan based off of that data.
“Once you realize how much your company’s worth, then you think, ‘Okay, how vulnerable are we to an attack? What is the risk associated with it? Are my employees going on websites that that could be potentially harmful? Do we have a system that we could receive phishing emails from?’ You have to have a rational approach.”
When purchasing cybersecurity solutions, IT directors should consider what it would be like to purchase insurance for a vehicle or real estate. When doing that, the price of insurance is always based on how much the asset is worth and the risk of it being damaged or stolen.
“Once you weigh all those risks associated with your business, you’re not going to spend more than your company is worth to secure it,” Parks says.