We love getting reader comments. One of our readers recently left the following on a post about setting up a cyber security plan:
“What would you say is a good formula for determining budgeting for cybersecurity? Is it only based on costs of getting hacked? I’m with a company, with about 50 employees – don’t really think I can make the case to spend 100k a year for an IT admin + cybersecurity tools (we aren’t an IT company).”
We thought it was an interesting question that a lot of other businesses might have. Rather than leaving it in the comment section we decided to turn it into a post. So, what is appropriate for cyber security spending and budgeting for a small business? Or any business for that matter?
$400,000,000 Per Year…?
How about $400 million? That would be a good number… if you were Bank of America. In a recent interview, CEO Brian Moynihan said his company would be spending that amount on cybersecurity. It might seem like a lot, but it really isn’t that high. Looking at their numbers from 2016, whether you measure against assets ($2 trillion, which would mean $400 million in spend is the equivalent of .02%), equity ($266 billion or .15%) or even revenues ($89 billion or .45%), it’s quite a small percentage to protect the second largest lender in the USA.
There’s no conventionally accepted “rule of thumb” about what percentage of revenue or IT budget should be spent on security. That being said, many of the largest enterprises that advertise their cybersecurity budgets as a point of pride (like Bank of America or JP Morgan Chase) still only spend about .5-1% of their revenue on the associated costs. This is a small slice of the 4-6% of revenue that most small and medium businesses spend on IT, the range typically recommended by CIO magazine and others. If this held true for businesses like Bank of America and JP Morgan Chase, cybersecurity costs would generally equate between
At the enterprise level, however, this overall IT spending can vary greatly across industry, depending on the sophistication of a business’s IT systems and the composition of its revenue. According to Gartner, software, publishing and internet services can spend as much as 7.6% of revenue on IT, with similar numbers applying to banking and financial services, while industrial manufacturing, retail and wholesale, chemical, energy and construction businesses (with generally larger gross revenues and lower, but stable, profit margins) spend 1-2% on IT overall.
Economies of scale benefit these enterprises greatly, so in considering cybersecurity, think about the overall value of your data and your communications as well. If you orchestrate large wire transfers and send customer information through email, for instance, you may want advanced threat protection with encryption and archiving – more costly but ultimately beneficial systems – whereas if you’re a large organization with many inboxes but more focused on manual labor or tangible assets, spam filtering and some endpoint anti-virus may be enough.
“IT” All Depends
Not knowing a company’s revenue or industry, it’s hard to say whether the 100k figure cited is reasonable, but as an example, basic email protection from targeted phishing and other common security threats for a company with under 50 users shouldn’t cost more than a couple thousand dollars per year. This would protect them from the main security and email threats facing their business. If you don’t have the resources for an in-house IT admin, an MSP (Managed Services Provider) can give you support and help manage your systems without incurring the costs a full-time employee might.
They should also be able to conduct the regular software updates and other activities that help build security into your everyday work, protect against exploitation of newly discovered threats, and serve as a point of reference for your employees when anything “phishy” comes up. Most companies will always get more value and commitment from in-house IT specialists. With an MSP, you may pay a markup when compared to an hourly wage, but you also pay for only the services you get (and nothing more).
The Important Questions to Ask
Ultimately when coming up with your budget, beyond a straightforward equation for what you should spend, there are more important questions to be asked.
What is the downside risk?
If you are in a heavily regulated industry such as banking or healthcare, you need to determine how much you need to spend to ensure you have sufficiently impenetrable and compliant security. It’s still shocking every time we hear about an Equifax or another health care provider breach, and we are often biased towards trust and privacy when the likelihood of those values being properly protected is rapidly changing.
Your first step would likely be to hire a consultant and determine the bare minimum you have to spend to ensure you have an ironclad plan. Even getting a second or third opinion could offer value, as competing providers may allow you to see what is really necessary – and who may be trying to bill more than is needed. If you are getting similar answers from each of the vendors you speak with, then you are probably on the right path.
What are your must haves?
Email security, firewalls, antivirus, insurance, encryption (depending on regulation and information being shared), backups, archives and more can all be “set-and-forget”. You will need to hire an MS(S)P or other consultant to manage it all. At a certain point perhaps hiring someone full time will make economic sense – and to help train and raise awareness among your team. Build an inventory or checklist of your needs and try to think of which you should address most urgently, and which can wait until you have sufficient resources. If you can’t do so yourself, get someone on your team to take the time to research different options and find tools that fit your needs. Don’t try to change your modus operandi to fit the products. Then talk to your MSP or IT consultant to get them to set you up and manage your new solutions.
A Cyber and Email Security Budget That Works For You.
At Vircom, we aren’t a massive enterprise. We face many of the same challenges as our customers. As always, the decisions we take are meant to reduce risk efficiently enough to create real peace of mind – and we know where a lot of the latest threats are emerging. A cyber security plan has to cover all your basic needs, fit in with how you and your team work, and let you sleep at night. It doesn’t have to break the bank.
*** This is a Security Bloggers Network syndicated blog from Vircom | Email Security Experts authored by Rob Ravensbergen. Read the original post at: https://www.vircom.com/blog/cyber-security-spending-how-to-set-a-budget/