If you are unsure whether your business has the right protections to avoid costly data breaches, you’re not alone. Most SMBs in the UK are unprepared when it comes to dealing with cyber threats.
In my role as a cyber security expert here at Babble, I’ve spent years helping businesses like yours implement effective cyber security strategies and proactively improve their cyber security posture. But one of the first questions I almost always get is “How much should I invest in cyber security?”.
In this blog, I’ll break down the must-have areas of investment and cost considerations that will make sure your cyber security budget covers all the bases. I’ll also mention some common mistakes SMBs make when allocating their budgets. By the end of reading this, you’ll know exactly where your money needs to go.
When most people ask what goes into a cyber security budget, what they really want to know is how much they should be spending in the first place. As a rule of thumb, I recommend 15 to 20% of your total IT budget; where exactly you land in that range depends on how much sensitive data you hold and how regulated your sector is. Yes, that might seem like a hefty chunk, but consider the fallout from a breach: lost intellectual property, direct financial loss, regulatory fines and a damaged reputation. That will hurt far more than the initial spend.
Now that you know how much you should invest, let’s talk about where that money should go. A cyber security budget has three fundamental areas of investment: people, devices, and places (your network and sites). Together they form the foundation of any cyber security budget, and no business can afford to neglect any one of them. Think of it as securing your business from all angles.
While most IT managers think of purchasing new tools and technologies when they think of investing in cyber security, I always like to start with the people aspect. Why? Because people are the biggest cyber risk. Whether an incident starts on-site or remotely, it usually ends with a compromised device, and the step before that is almost always a human mistake, such as clicking a suspicious link or entering credentials on a fake login page, rather than some highly advanced hack. This is why human error is a critical vulnerability to address in your cyber security strategy.
I cannot stress enough how crucial user awareness training is. All the tech you purchase is only as good as the people using it, so they need to understand what keeping the business safe actually involves: recognising phishing, reporting suspicious activity quickly, and not bypassing the controls you put in place. The good news is that investing in your people is one of the most effective measures available, and usually the lowest cost.
In the modern workplace, employees frequently use a variety of devices, often in remote settings. These devices act as entry points to the organisation’s network and data. Think of each device as a doorway to your business. Not securing them is like leaving your front door open, which would be unwise regardless of the neighbourhood you live in.
If any device in your organisation is compromised, you need proactive measures already in place that will limit the damage of a data breach, and the ability to detect the compromise and isolate the device quickly. Securing devices is therefore a critical priority, particularly given the rise in remote working and the fact that people are constantly travelling. As such, it’s important to implement robust controls such as Multi-Factor Authentication (MFA), so that a stolen password alone is not enough to sign in to a device or the accounts it holds, alongside basics like disk encryption and timely patching so that a lost or stolen laptop does not become a breach.
Because your organisation’s devices connect to a network, the security of that network is another key part of your security posture. Having a stable enough connection to do your job is one thing, but it’s more important to make sure that connection is secure. At the very least, that means properly configured firewalls with a default-deny policy at your head office, your data centres and even your smaller remote sites.
I like to use another analogy when breaking this down for my clients. Think of your network as a kingdom that needs strong castle walls (firewalls) to keep attackers out. Walls on the perimeter are not enough on their own, though: you also want to control traffic within your organisation, so that a compromised device in one part of the network cannot freely reach everything else.
With that in mind, it’s worth knowing that many cyber security solutions can be delivered as a monthly service, which is often more financially manageable for SMBs than a large one-off purchase.
I’m seeing a lot of customers take this approach: anything that can be paid for monthly as OpEx rather than as a big CapEx investment suits them better. This gives them much more flexibility and choice, which is especially helpful if your business is growing or your capability needs change, because you can scale your security services up or down accordingly.
Let’s unpack what these costs look like:
In a recent report, the UK’s National Cyber Security Centre (NCSC) made it clear that most UK SMBs, who are a major target, aren’t ready for the cyber attacks coming this year. This is a stark reminder that we all need to step up our cyber security game, and quickly. But before you rush to buy the latest cyber security tech, here are some common mistakes that you should avoid so you can spend that 15 to 20% wisely:
Ultimately, a solid cyber security budget will be one that is tailored to your specific business needs. The best way to do this is to get in touch with a cyber security expert who can help you understand your unique situation and allocate resources to suit those needs.
Remember to cover the essentials in your budget: training for your people, securing your devices, and protecting your network. Opt for flexible, monthly service options to avoid large upfront costs and to adapt as your needs change. Lastly, avoid depending on a single supplier for everything: diversifying your security solutions across multiple vendors reduces the impact if one of them fails you.
At Babble, I understand the challenges SMBs face when it comes to cyber security. I’m committed to providing expert guidance and support to help you make informed decisions.
As you get ready to put your budget together, be sure to check out my blog on the 5 Essential Security Tools Your SMB Needs to Have.