Business leaders everywhere are facing a range of important challenges. High on the list for many are the conflicting issues of cost and spending control alongside the need to invest more effectively to protect their organisations from the growing volume and severity of cyber-attacks.
This creates a big dilemma for CIOs, particularly those who currently need to cut costs across a range of areas, cyber security included. This comes at a time when they are being urged strongly by stakeholders, regulators and the government to prioritise security and buy more technology to fight today’s cyber threats. Business realities, however, mean that many CIOs have to do more with less.
So, how can CIOs under budgetary pressure square this circle to achieve a win-win whereby they save money and reduce risks?
Focus on good asset management
Despite lots of discussion around the IT industry to the contrary, organisations don’t necessarily have to spend a lot of money to deliver good security. When budgets are tight, it’s a good idea to prioritise technologies and processes that will lower the chances of having vulnerabilities that hackers can exploit.
For example, asset management is a key area that can help reduce cyber risk. This starts with creating and maintaining an accurate inventory of the IT assets the organisation owns, together with how long each asset will be retained and used. This helps ensure that software patches and updates are applied on time, closing potentially disastrous vulnerabilities and reducing avoidable risk. In addition, it lets IT and security teams fully enforce security rules, find unmanaged devices, and identify which users with access to important systems do not have protections such as multi-factor authentication enabled.
A good approach to asset management will also help get rid of legacy technology assets in the right way. As part of a planned upgrade and replacement strategy, organisations can eliminate the risks posed by out-of-date technologies that are no longer provided with security patches and support, closing additional security blind spots.
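The checks described above, expressed as a short script over a constructed inventory (an added illustration, not code from the original article; the field names, the reference date and the 30-day patch window are assumptions):

```python
"""Asset-inventory checks: unmanaged devices, end-of-support assets,
overdue patches, and privileged users without MFA. All data is constructed."""
from datetime import date

TODAY = date(2024, 6, 1)      # fixed reference date so results are reproducible
PATCH_SLA_DAYS = 30           # assumed patch window agreed with the business

# Constructed inventory: one record per managed asset.
INVENTORY = [
    {"host": "fin-db-01", "owner": "finance", "support_ends": date(2026, 1, 1),
     "last_patched": date(2024, 5, 20), "critical": True},
    {"host": "hr-app-02", "owner": "hr", "support_ends": date(2023, 10, 14),
     "last_patched": date(2024, 1, 3), "critical": True},
    {"host": "lab-pc-07", "owner": "it", "support_ends": date(2027, 3, 1),
     "last_patched": date(2024, 4, 10), "critical": False},
]
# Constructed set of hosts seen on the network (e.g. from DHCP leases or a scanner).
OBSERVED_HOSTS = {"fin-db-01", "hr-app-02", "lab-pc-07", "unknown-laptop-9"}
# Constructed access records: who can reach which host, and whether MFA is on.
ACCESS = [
    {"user": "alice", "host": "fin-db-01", "mfa": True},
    {"user": "bob", "host": "fin-db-01", "mfa": False},
    {"user": "carol", "host": "lab-pc-07", "mfa": False},
]

def unmanaged_devices(inventory, observed):
    """Hosts seen on the network that have no inventory record."""
    known = {a["host"] for a in inventory}
    return sorted(observed - known)

def end_of_support(inventory, today=TODAY):
    """Assets whose vendor support has ended, so no further security patches arrive."""
    return sorted(a["host"] for a in inventory if a["support_ends"] < today)

def overdue_patches(inventory, today=TODAY, sla_days=PATCH_SLA_DAYS):
    """Assets not patched within the agreed window."""
    return sorted(a["host"] for a in inventory
                  if (today - a["last_patched"]).days > sla_days)

def privileged_without_mfa(inventory, access):
    """Users who can reach a critical system but do not have MFA enabled."""
    critical = {a["host"] for a in inventory if a["critical"]}
    return sorted(r["user"] for r in access if r["host"] in critical and not r["mfa"])

if __name__ == "__main__":
    print("Unmanaged devices:", unmanaged_devices(INVENTORY, OBSERVED_HOSTS))
    print("End of support:", end_of_support(INVENTORY))
    print("Overdue patches:", overdue_patches(INVENTORY))
    print("Privileged users without MFA:", privileged_without_mfa(INVENTORY, ACCESS))
```

Each list is a candidate for the retirement, patching or access-review work the inventory is meant to drive; in practice the three inputs would come from the CMDB, network discovery and the identity provider rather than literals.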
Mobilise employees as the first line of defence
One of the most common and most effective tactics cybercriminals use to gain access to networks and data is to target employees with phishing emails. These trick them into downloading malware, such as ransomware, or use them as a route to bypass security controls. As a result, training employees to spot and prevent the risks posed by phishing offers an indirect way to reduce the potential costs associated with cyber security.
In practical terms, this means ensuring everyone is up to date on the latest tactics cybercriminals use, understands their role in maintaining good cyber hygiene, and knows how to react when they see suspicious emails or other potential threats. Ideally, this training should use realistic, hands-on experiences that encourage people to participate and then apply what they learn, rather than emails and slides that are easy to skip. For example, this can include running simulated exercises that prepare employees for common attacks, and gamifying the learning experience to make it more engaging.
Make intelligent security decisions
Clearly, current economic uncertainties are making many organisations more cautious than usual about their investment decisions. While spending on cyber security tools is increasingly considered a priority, these decisions will only deliver the maximum levels of protection if companies have the right security practices in place across the board.
Unfortunately, many organisations assume that good security purchases remove the need for good practices, wrongly believing that security can simply be bought off the shelf. In reality, achieving cyber resilience involves people, processes and technology working together as part of a holistic strategy to keep bad actors out. Organisations can improve their security and digital resilience by reviewing their security processes, going back to basics, using existing resources well, and focusing on internal training. Used wisely, cyber security tools and products can then support these good practices in a very cost-effective way, maximising the impact of security spend.
Organisations can significantly improve their security and digital resilience by adopting a well-planned and diligent approach that uses existing resources effectively and focuses on effective user training. Furthermore, investing wisely in cyber security tools and products can support these good practices cost-effectively. When times are tight, this can deliver the win-win that CIOs everywhere are looking for.