It can be overwhelming to think about budgeting for cybersecurity. Where do you start? What do you focus on? How do you know what you need most?
Next year – 2019 – is a great year to start thinking about the “people” aspect of cybersecurity. Typically, IT budgeting involves planning for hardware and software purchases. But there’s also a human factor at play.
A 2018 Proofpoint report indicates that most of today’s cyberattacks are designed to take advantage of human error vs. software flaws. All the technical controls in the world can’t stop someone from giving out a password or emailing sensitive information to the wrong person.
When it comes to budgeting for the human factor in cybersecurity, here are a few recommendations on where to focus your dollars.
Interactive Employee Awareness Training
There’s no better way to prepare your employees to defend your organization than effective, interactive employee awareness training. (In fact, this can be far more effective than a next-generation firewall.)
In the past, bad actors spent time trying to find their way into a network via a firewall, open port, or server. Since then, they’ve figured out that employees are the fastest, easiest way to access an organization’s data. They’ve become very good at targeting individuals and convincing them that their requests and communications are legitimate.
Through proper awareness training, you can prepare your employees for these threats, help them recognize iffy behavior, and empower them to say “no” when bad guys (or even other employees) ask them to do risky things.
Online training is a good start – especially when no other training currently exists – but the most effective way to address the human factor in cybersecurity is through face-to-face, collaborative training, with back-and-forth conversation, real-world examples, and lots of time for questions.
There are three different types of employee awareness training to budget for:
- General employee awareness training: training for everyone inside your organization, regardless of role or job title.
- Training for executive management and/or the board of directors. This training walks leaders through the specific roles they play in cybersecurity.
- Education for your IT and information security teams. Training for this group helps them prioritize risks, understand possible ways to lower risks, and identify the best methods to improve cybersecurity posture (such as a vulnerability assessment).
When searching for an organization to provide employee training and education, look for a partner that will work with your schedule to plan sessions during times that work best for your employees. Also look for someone that focuses on employee training as a core competency; they’ll be well-versed on how to uniquely shape training for your organization.
Check to see whether phishing tests are done as part of the employee awareness training (and ensure that no one will be singled out during training!). This can be a good way to gauge current security-awareness levels. After training, these tests can be repeated so you can track improvement. The results offer a measurable, quantifiable way to demonstrate that your cybersecurity investments are paying off.
Protection for Employees
There are also technical solutions to budget for. These solutions protect employees from themselves (and the risks they inadvertently take) when it comes to email, web, cloud, and social media usage.
For example, there are technology solutions you can deploy upstream to examine and quarantine suspicious emails before they reach employees. Downstream, there are tools that allow you to respond quickly when an employee violates a cybersecurity policy and puts your organization at risk.
To know what exactly to budget for when it comes to employee-protection tools, we recommend working with a cybersecurity and compliance firm that can help you identify your biggest risks and vulnerabilities. What you learn about your staff during employee awareness training can also help you narrow in on the types of advanced protection tools you may need.