10 tips on how to save money on cybersecurity

In theory you should never skimp on security; in practice it works differently. Companies therefore have to think carefully about how to handle a limited cybersecurity budget. So how do you save on cybersecurity at a time when wages and other costs are rising? The following 10 tips are based on the real options we most often see in our role as advisors to our Czech clients in medium-sized and large companies.

1. Look for ways to consolidate security tools

It is often a trade-off, but surveys show that up to a quarter of the software tools in a company can be cut without being missed. The approach is simple: focus on making full use of what you already have. For example, smaller businesses with a Microsoft 365 E3 or E5 license can deploy a number of security products that are already included at very little additional cost. If you are already licensed for something, why not take advantage of it? If you already have solutions like EDR or XDR, make sure they are actually deployed on every server and that each agent is checking in and healthy; an agent that is installed but silent gives you the license cost without the protection. Stop looking for ever more advanced tools and instead ask who is using the tools you already have and whether their functionality is duplicated.
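As an added illustration (not code from the original article or from RSM), this is the kind of reconciliation that answers the question "is our EDR actually deployed on every server?". It compares a constructed CMDB export with a constructed EDR console export; the hostnames, dates and field names are assumptions, and the seven-day check-in window is a hypothetical threshold you would set to match your own sensor heartbeat interval.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample inventories (hypothetical hostnames, not real data).
# In practice the first list comes from your CMDB or hypervisor and the
# second from the EDR console's device export.
CMDB_SERVERS = [
    {"hostname": "SRV-DC01.corp.example", "owner": "infra"},
    {"hostname": "srv-sql02.corp.example", "owner": "dba"},
    {"hostname": "srv-web03.corp.example", "owner": "web"},
    {"hostname": "srv-legacy09.corp.example", "owner": "infra"},
]
EDR_DEVICES = [
    {"hostname": "srv-dc01", "last_seen": "2024-05-20T08:00:00Z", "sensor": "healthy"},
    {"hostname": "SRV-SQL02", "last_seen": "2024-04-01T10:30:00Z", "sensor": "healthy"},
    {"hostname": "srv-web03", "last_seen": "2024-05-20T07:55:00Z", "sensor": "degraded"},
    {"hostname": "wks-ops-17", "last_seen": "2024-05-19T16:00:00Z", "sensor": "healthy"},
]
# Fixed reference time so the run is reproducible.
NOW = datetime(2024, 5, 20, 9, 0, tzinfo=timezone.utc)


def short_name(host: str) -> str:
    """Normalise so 'SRV-DC01.corp.example' and 'srv-dc01' compare equal."""
    return host.split(".")[0].strip().lower()


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class CoverageReport:
    missing: list[str]    # in the CMDB, no EDR sensor at all
    stale: list[str]      # sensor exists but has not checked in within the window
    unhealthy: list[str]  # sensor checked in recently but reports a non-healthy state
    unknown: list[str]    # EDR knows a host the CMDB does not (shadow IT, or a stale CMDB)


def edr_coverage(cmdb, edr, now=NOW, max_age=timedelta(days=7)) -> CoverageReport:
    wanted = {short_name(s["hostname"]) for s in cmdb}
    seen = {short_name(d["hostname"]): d for d in edr}
    missing, stale, unhealthy = [], [], []
    for host in sorted(wanted):
        dev = seen.get(host)
        if dev is None:
            missing.append(host)
        elif now - parse_ts(dev["last_seen"]) > max_age:
            stale.append(host)
        elif dev["sensor"] != "healthy":
            unhealthy.append(host)
    return CoverageReport(missing, stale, unhealthy, sorted(set(seen) - wanted))


def effective_coverage(cmdb, edr, **kw) -> float:
    """Share of CMDB servers with a present, recent and healthy sensor."""
    r = edr_coverage(cmdb, edr, **kw)
    total = len({short_name(s["hostname"]) for s in cmdb})
    good = total - len(r.missing) - len(r.stale) - len(r.unhealthy)
    return good / total if total else 0.0


if __name__ == "__main__":
    report = edr_coverage(CMDB_SERVERS, EDR_DEVICES)
    print(f"effective coverage: {effective_coverage(CMDB_SERVERS, EDR_DEVICES):.0%}")
    for label, hosts in vars(report).items():
        print(f"{label:10s} {', '.join(hosts) or '-'}")
```

The point of the four buckets is that "installed" is not the metric that matters: a stale or degraded sensor is a host you are paying for but not protecting, and a host the EDR sees that the CMDB does not is an inventory problem you would otherwise never notice. On the constructed data only one of four servers counts as effectively covered.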

2. Identify the vulnerabilities in your IT operation

A classic example: a company decides on a big migration to the cloud. The result is not only lower costs but also a higher error rate and a growing number of vulnerabilities. As usual, human error and neglect of long-known basics are behind most of the trouble. So keep an eye on your IT operations teams and make sure they deliver the level of quality you expect. It may be, for example, that they do not finish applying the latest set of patches before the next set arrives, or that firewall replacements are not handled with the same consistency, perhaps simply because the devices are out of date. The same applies to the rules configured on the firewalls themselves. Track process metrics, consider the security impact at each step, and define an acceptable level of risk for your enterprise, for example the maximum number of days a patch may remain unapplied.
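As an added example (not from the original article or from RSM), here is how the patch-lag metric described above can be tracked, including the specific failure mode of a patch cycle still being open when the next one is released. The patch cycles, hosts and completion dates are constructed sample data, and the 30-day SLA is a hypothetical acceptable level of risk.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical hosts and dates, not real records).
# A real run would take release dates from the vendor's advisory feed and
# completion dates from WSUS/SCCM/Intune, a vulnerability scanner or a
# configuration-management report.
PATCH_CYCLES = {            # cycle -> date the patch set was released
    "2024-03": date(2024, 3, 12),
    "2024-04": date(2024, 4, 9),
    "2024-05": date(2024, 5, 14),
}
DEPLOYMENTS = {             # host -> {cycle: completion date, or None if still pending}
    "srv-dc01":     {"2024-03": date(2024, 3, 20), "2024-04": date(2024, 4, 16), "2024-05": date(2024, 5, 21)},
    "srv-sql02":    {"2024-03": date(2024, 4, 30), "2024-04": date(2024, 5, 20), "2024-05": None},
    "srv-web03":    {"2024-03": date(2024, 3, 25), "2024-04": None,              "2024-05": None},
    "srv-legacy09": {"2024-03": None,              "2024-04": None,              "2024-05": None},
}
AS_OF = date(2024, 5, 31)
SLA = timedelta(days=30)    # hypothetical "acceptable level of risk": patched within 30 days of release


def days_to_patch(cycle: str, host: str, as_of: date = AS_OF) -> tuple[int, bool]:
    """(days from release to completion, or to as_of if still open; still_pending)."""
    released = PATCH_CYCLES[cycle]
    done = DEPLOYMENTS[host].get(cycle)
    end = done if done is not None else as_of
    return (end - released).days, done is None


def cycle_metrics(cycle: str, as_of: date = AS_OF, sla: timedelta = SLA) -> dict:
    """Per-cycle process metrics: % of hosts patched within the SLA, who breached it, who is still open."""
    within, breached, pending = 0, [], []
    for host in DEPLOYMENTS:
        days, still_open = days_to_patch(cycle, host, as_of)
        if still_open:
            pending.append(host)
        if timedelta(days=days) <= sla and not still_open:
            within += 1
        elif timedelta(days=days) > sla:
            breached.append(host)   # finished late, or still open past the SLA
    return {
        "cycle": cycle,
        "within_sla_pct": round(100 * within / len(DEPLOYMENTS)),
        "breached": sorted(breached),
        "pending": sorted(pending),
    }


def spilled_into_next_cycle(cycle: str, next_cycle: str) -> list[str]:
    """Hosts that had not finished `cycle` when `next_cycle` was released:
    the 'next set arrives before the last one is applied' failure mode."""
    next_release = PATCH_CYCLES[next_cycle]
    late = [h for h, rec in DEPLOYMENTS.items()
            if rec.get(cycle) is None or rec[cycle] > next_release]
    return sorted(late)


if __name__ == "__main__":
    cycles = list(PATCH_CYCLES)
    for c in cycles:
        print(cycle_metrics(c))
    for prev, nxt in zip(cycles, cycles[1:]):
        print(f"{prev} still open when {nxt} was released: {spilled_into_next_cycle(prev, nxt)}")
```

Two design points matter here. A host that is still pending is counted against the SLA only once the window has actually elapsed, so a fresh cycle does not look like a breach on day one; and the spill-over check uses the next release date rather than the SLA, because a team can be inside a generous SLA and still be permanently one cycle behind, which is exactly the pattern the text warns about.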

3. Review and, if necessary, renegotiate current contracts with external IT vendors

Some organizations already rely on external administrators for their IT security, to varying degrees and in varying scope. Besides reducing costs and consolidating vendors, it is a good idea to have partners who are contractually committed to meeting agreed security metrics. The current climate is favorable for negotiating better contracts with vendors. One of the biggest cost items in security is simply capturing all the logs you need and managing them in a meaningful way, and in this area software licensing and management costs have mostly stayed the same or increased, so log volume and retention are worth putting on the negotiating table.

4. Spend your time controlling the supply chain

Supply chain control should be put on a firmer footing in companies this year by the new European NIS2 rules. Caution still pays off, however, and we recommend going beyond the regulation: educate your suppliers about your security expectations and help them strengthen their own information security programs.

5. Don’t stop training even on home turf

Every day, an average of 3.4 billion phishing emails are sent, primarily to harvest login credentials that give an attacker access to data or a foothold for a ransomware attack. A scary number. A relatively inexpensive and proven way to strengthen your defenses remains regular testing of user attention with realistic phishing simulation tools.

6. Strengthen your email protection

If you have organised training, you have probably also had the opportunity to test how your colleagues respond to typical phishing and how advanced an attack they are able to detect. One investment you will therefore probably not want to cut is a licensed product that identifies phishing threats based on email content. But do not underestimate the time needed to configure such software so that you get the most out of it and minimize its risks, such as legitimate mail being quarantined by an over-aggressive policy.

7. Focus on incident response and business resilience

If Plan A does not work and training and systems fail to help, you need a Plan B. So update your incident response procedures, test them regularly, and include the entire Emergency Response Team in your exercises: IT teams, legal, communications, HR, finance and members of senior management.

8. Automate security processes

Automate what you can. Quality software and clearly defined processes will greatly speed up your threat detection and response. With quality products, average detection-to-response times are on the order of minutes, whereas an external team can take up to an hour to resolve the same incident.

9. Don’t be afraid to ask for better insurance

Cyber risk insurance is an unavoidable expense. Because insurers know how high the risks are, they have repeatedly raised their rates in recent years; as a result, premiums have essentially multiplied and deductibles have increased. On the other hand, some insurers reward organizations that invest in cybersecurity and risk management, on the same principle your boss knows from car insurance. So do not be afraid to haggle: with a clearly defined strategy and appropriate investment, you can end up reducing your insurance spend significantly.

10. Train more, hire less

Payroll costs are rising and finding quality people is not easy, so it is all the more important to work with the people you have. Invest in training more often than in expanding your team. Let your people be a real part of the company and foster loyalty. Do not be afraid to outsource work either, but the important thing is to find capable individuals within your own ranks who have a real appetite to develop and grow in IT security and who are not afraid to manage the work of contractors, for example.

What can I say in conclusion?

Remember that economic conditions will change again. It is fine to respond to short-term needs, but think about the long term as well. If you decide to significantly reduce your team or your systems, it can have unpleasant consequences, not only for your defense against cyber threats but also, secondarily, for your ability to attract new professionals to your team in the future. On the other hand, an unlimited budget is not the answer either. The solution is to have someone who knows how to work with the budget you have and a team that wants to work on itself.

RSM Authors

Karel Fišnar

Head of Cloud Solutions & Services