Like all organizations, yours needs to keep up with new cybersecurity threats. What you did this year isn’t going to be enough to protect your business next year. But where should you focus your IT cybersecurity budget in 2020?
In this post, which is part of our series on IT budgeting for 2020, we discuss major changes in four key cybersecurity areas and offer key takeaways for your budget planning. You’ll also see examples from different sectors, including real estate, manufacturing, financial services, and municipalities.
Other 2020 budgeting posts cover key budget questions and the top five budget mistakes to avoid.
Focus area #1: Security Technology
Security technology does more so it costs more, plus you need added layers.
Business technology platforms, tools, and services now have to work harder to protect your IT environment. Cybercriminals are sophisticated and greedy, so organizations need to be proactive and vigilant. Standing still is like going backward when it comes to your cybersecurity budget.
Review each of these items to make sure your 2020 IT budget is sufficient to meet your needs:
- Effective email security: The vast majority of cyberattacks still originate from email. Basic spam filters were not built to detect anomalies such as spoofed senders, lookalike domains, and hijacked reply threads. Advanced email platforms use artificial intelligence (AI) to learn who normally communicates with whom inside and outside your organization, and flag or block messages that break those patterns by spotting details (a swapped character in a domain, a reply that arrives from a different sending server) the human eye misses.
- Security monitoring services: Incident response is much faster and more effective when your network activity is continuously monitored for intrusions. If you don’t know an intrusion is happening and don’t have a team ready to contain it, your business will take a bigger hit, especially if your financial systems are affected. Network monitoring has always been important for productivity reasons, but monitoring for security is now another critical layer to add.
- Threat intelligence subscription: Subscribing to a service that provides worldwide, near-real-time threat information lets your internal security team act proactively. Participants share technical details about threats as they’re discovered (malicious domains and IP addresses, file hashes, phishing templates), so other participants can check their own systems for the same indicators. This crowdsourcing creates what can be considered a global cybersecurity “Most Wanted” poster.
- Risk assessments and penetration tests: These important security benchmarking activities are more important than ever. If your organization has been using them sporadically, it’s time to formalize your process and include them in your annual budget.
Real-life example: Man-in-the-middle attack on a real estate company
A real estate company that buys and sells properties conducts a lot of discussions by email. When these discussions include information about transactions, traditional email security doesn’t offer enough protection against targeted attacks.
Scammers get into email accounts using passwords exposed in earlier breaches (and reused by the employee), then quietly add a mailbox setting or inbox rule that forwards every message to an address the scammer controls. This pattern is usually called business email compromise (BEC). By reading the conversations, sometimes for months, the scammers learn who the parties are, what deals are in progress and when money is due to move, and then use a variety of methods to trick the real estate company’s employees into transferring funds to the wrong accounts.
These include tactics such as:
- Creating copycat websites with URLs nearly identical to those of the real websites
- Intercepting and quickly changing specific email content such as bank routing and account numbers
- Spoofing messages and email addresses
The employees on either end have no idea there’s a man in the middle meddling with their communications.
This is a favorite technique used by organized crime because the payoff is so high — there are even publicly advertised seminars on how to excel at man-in-the-middle attacks. Advanced technology that detects and blocks these types of attacks is available for around $5 to $10 per month per user.
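The silent forwarding described above is something you can hunt for yourself before paying for a detection platform. The script below is an added example, not part of the original post and not a product the post recommends; it assumes the company’s mail is in Microsoft 365 / Exchange Online with the ExchangeOnlineManagement module installed (other mail platforms have equivalent settings, but the cmdlets differ). It lists mailbox-level forwarding and any inbox rules that forward or redirect mail, and then turns off automatic forwarding to external domains tenant-wide.

```powershell
# Added example (not from the original post): audit an Exchange Online tenant for the
# silent auto-forwarding used in the real estate scenario above, then close the door on it.
# Assumption: mail is in Microsoft 365 / Exchange Online and you are running this as an
# Exchange administrator with the ExchangeOnlineManagement module installed.
Connect-ExchangeOnline

# 1. Mailbox-level forwarding set on the mailbox object itself (by an attacker or an admin).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail. Attackers usually create these through
#    Outlook on the web right after logging in with a stolen password, and a "redirect"
#    rule does not even leave a copy in the victim's mailbox.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n = 'Mailbox'; e = { $mbx.UserPrincipalName }},
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

"Mailboxes with forwarding configured:"
$mailboxForwarding | Format-Table -AutoSize
"Inbox rules that forward or redirect mail:"
$ruleForwarding | Format-Table -AutoSize

# 3. Review every hit with the mailbox owner. A rule pointing outside your own domains that
#    nobody asked for is an incident: reset the password, revoke active sessions, remove the
#    rule, and check the audit log for when it was created. Removing a confirmed rogue rule
#    looks like this (mailbox and rule name are illustrative placeholders):
# Remove-InboxRule -Mailbox 'alice@example.com' -Identity 'Forward all' -Confirm:$false

# 4. Prevent the technique rather than only detecting it: block automatic forwarding to
#    external domains for the whole tenant. Users with a legitimate need can be covered
#    by a separate outbound spam policy scoped to just them.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Run the detection part (steps 1 and 2) on a schedule, not once: the rule is typically created minutes after the account is compromised, so the unified audit log (operations such as New-InboxRule and Set-InboxRule) is also worth alerting on. Step 4 is the setting that makes the forwarding trick fail outright, so apply it before the next renewal of a scammer’s interest in your transactions.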
Key takeaway #1: Budget to include the platforms, tools, and services your company needs to protect against sophisticated and pervasive attacks in 2020.
Focus area #2: Cybersecurity Insurance
More payouts and more risk translate to higher premiums in 2020.
Over the last year, insurance payouts for cybercrime have soared. In 2018, organizations made more than 12 million first-party cyber insurance claims.
Michelle Kerr, associate editor of Risk & Insurance Magazine, states, “Cyber criminals are now pocketing an estimated $1.5 trillion annually — five times the approximate cost of natural disasters in 2017 and $500 billion more than U.S. insurance industry net premiums written in 2017, according to S&P Global Market Intelligence.”
Expect your cybersecurity premiums to be higher in 2020 as a result and be prepared for the possibility that a policy may be harder to get – or even impossible – if your cybersecurity practices are too risky.
Insurance companies are vetting customers more thoroughly and pricing risk levels into the policies. Providers will want to know more about your specific IT security policies and procedures and your plans for recovering from an IT disaster. For example:
- How do you keep customer, client, partner, and employee data secure?
- How are you protecting your intellectual property?
- Do you enforce permission-based (least-privilege) access controls?
- What are your protocols for detecting and recovering from negative events?
- Do you have encrypted, offline backups that are stored in different locations? (See Focus Area #3 below.)
Have your answers to these questions from PwC ready as well.
If your organization has solid security processes and you’re able to get insurance at a reasonable premium, you could still face significant losses if your company doesn’t always adhere to your processes.
Something as simple as an employee mistake or a firewall not being configured correctly could trigger a denial when you make a claim. For 2020, upping your cybersecurity game will not only better protect your organization but it will help keep your cyber insurance premiums down as well.
For a good primer on cyber insurance, take a look at The Ins and Outs of Cybersecurity Insurance from The Wall Street Journal.
Real-life example: Higher insurance premiums blindside bicycle manufacturer
A bicycle manufacturer has an innovative design for a new bicycle — it might be a game-changer in the marketplace. Bicycle manufacturers overseas want to steal that design.
Since the innovative bicycle manufacturer is more focused on designing and producing new products than following cybersecurity protocols, security practices aren’t always a priority. Tools and training aren’t updated regularly and employees sometimes cut corners. And like many manufacturers, the company isn’t aware of all of its vulnerabilities, including the fact that hackers can access the wireless technology it uses in its plant or that seemingly minor IT problems can disrupt its supply chain and production.
When it comes time to renew its cybersecurity insurance, the company executives are shocked by the new premium. They didn’t budget for the increase and now have to scramble to either quickly make network improvements – which is especially tough when in a hurry – or move budget dollars around.
Key takeaway #2: Ask your broker for any required paperwork and a renewal quote early in your budgeting process so you know what to expect for 2020.
Focus area #3: Ransomware-resistant Backups
Budget for keeping backups offline and isolated.
When ransomware infects your network, its goal is to cause you enough pain that you give in to the ransom demand. That’s why it also deletes local shadow copies and encrypts any backups it can reach over the network. Recovery is far harder, and far more expensive, when you can’t get to your backups.
Ransomware attacks against U.S. businesses have skyrocketed over the past year. According to the anti-virus firm Malwarebytes, ransomware business attacks increased 363% year over year in the second quarter of 2019.
Cybercriminals have learned it’s more profitable to go after businesses and institutions than consumers — businesses are more likely to pay and will pay higher ransom amounts. Unpatched or internet-exposed Windows systems (for example, Remote Desktop left open to the internet) and phishing emails are the most common ways ransomware gets into company networks.
To protect your company against this increasing threat, budget for updating your back-up methodology so all backups are:
- Offline
- Isolated from open and local networks
- In a different location from your servers
- Inaccessible to computers and other devices that could potentially be infected by ransomware
Just as it used to be risky to keep tape backups in the same room as your servers in case of fire or other disaster, it’s equally risky to allow malware access to your backups. Switching to a cloud-based, third-party disaster recovery solution is one way to reduce this risk (see Focus Area #4 below).
Real-life examples: Organizations submit to massive ransom demands
The most widely reported ransomware cases are those that hit municipalities. For example, the City of Riviera Beach, Florida paid a $600,000 ransom in June, the City of Lake City, Florida paid a $460,000 ransom shortly after that, and Jackson County in Georgia paid a $400,000 ransom earlier in the year.
When the City of Atlanta was hit with ransomware last year it didn’t pay the $51,000 ransom but recovering from the attack has cost the city millions. Cyber insurance often covers most of the cost, as noted in Focus Area #2, but premiums for cyber insurance are rising along with the requirements to get coverage.
Businesses aren’t required to report ransomware attacks or ransom payments. Still, the FBI received about 1,500 ransomware complaints in 2018, and ID Ransomware, a free website that identifies which ransomware strain encrypted a victim’s files (and whether a free decryptor exists for it), gets about 1,500 requests for help every day.
One of the largest private-sector ransom demands to date occurred this month. Grays Harbor Community Hospital and Harbor Medical Group in Washington were hit with a $1 million ransom to decrypt patient files after an employee clicked a link in a phishing email.
Key takeaway #3: Include retrofitting or migrating your back-up solution to one that’s ransomware-resistant in your 2020 IT budget.
Focus area #4: Disaster Recovery
Reduce DR costs and improve recovery by migrating to DRaaS.
Think about moving to a cloud-based DR solution in the same way you think about implementing ransomware resilience for backups — security, speed, and effectiveness are key. For DR, you can likely reduce your current costs as well.
Disaster Recovery as a Service (DRaaS) technology now makes sense for most companies, regardless of their size and sector.
Third-party DRaaS solutions:
- Keep backup copies outside your company’s network, so malware that compromises your production systems can’t reach them
- Store backups in physically safe, highly secure redundant environments
- Allow simplified management and verification through dashboards
- Provide faster recovery than traditional DR solutions, due to advanced software
- Include evidence-based management and reporting
Traditional DR requires that you duplicate your primary data center, which includes duplicating the infrastructure, management, and updating procedures as well. In contrast, the monthly subscription cost of DRaaS is based on the number of virtual servers and the amount of storage you need. Even if you need a lot of storage, the cost will very likely be lower than owning duplicate infrastructure. Predictable OPEX costs make budgeting and forecasting easier as well.
Real-life example: Better recovery processes for two healthcare companies with different needs
A healthcare company has employees who are spread over a wide geographic area. For many years, the company has used a variety of cloud platforms to get work done. The sales team uses their own devices to access the platforms and rarely goes to the office to sync their laptops with the network servers. As a result, the company has important data spread across many cloud platforms, which puts that data at risk whenever one of the platforms has an IT problem. Often when a cloud platform goes down, so do its backups, because both live with the same provider.
The healthcare company is, therefore, at the mercy of its cloud platforms to access its own data, resolve network issues, and restore platform services and backups. Relying on cloud platforms for both the service and the backups is risky business.
A formalized DRaaS plan backs up all business data from cloud platforms into a single, secure, offsite central location that’s available when needed.
DRaaS auto-backups for remote workers are currently priced at around $10 per user per month.
A different healthcare company faces a different set of cybersecurity risks. As a private practice, it meets its regulatory requirements by securely running and storing electronic records on servers at the office. These include patient records, appointments, billing, and the other data it needs to operate the practice. An electrical event at the office (or a myriad of other disasters) can destroy the servers. If the practice doesn’t have up-to-date, verified, offsite backups, the records can be irretrievable.
DRaaS is managed by IT professionals who specialize in the latest back-up technology, includes back-up monitoring and verification, stores backups offsite, encrypts data in transit, and requires a key (code) to access any back-up data.
Key takeaway #4: Whether your business operates primarily in the cloud or primarily on-premises, include DRaaS migration (or, at minimum, DRaaS upgrade research) in your 2020 budget.
Focus your 2020 IT cybersecurity budget on today’s most pressing concerns
By looking at the four areas of greatest concern for the coming year, your organization can develop an IT cybersecurity budget that will effectively address your greatest risks and reduce the likelihood of business disruption.
To ensure your bases are covered for your 2020 budget, be sure to:
- Include new technology that protects against the latest cyber threats
- Learn about any cyber insurance changes early so you can budget for them
- Guard against ransomware by keeping backups offline and isolated
- Make sure your DR solution meets your current needs