How to handle cybersecurity amid a tight IT budget

There are ways to maintain and even enhance your security posture when your tech budget is under stress, according to Kaspersky.


Ensuring that your organization's cybersecurity defenses are as strong and effective as possible can be a challenge under ordinary circumstances. But when your IT budget is limited, the challenge becomes even greater. A report published on Wednesday by security provider Kaspersky looks at how businesses have managed their cybersecurity in the face of IT budget cuts for 2020.


Based on a survey of 5,266 IT business decision makers across 31 countries in June 2020, Kaspersky's report "Investment adjustment: aligning IT budgets with changing security priorities" found that the overall IT budget has fallen.

Specifically, the budget dropped to $54.3 million in 2020 from $74.1 million in 2019 for enterprises, and to $1.1 million in 2020 from $1.2 million in 2019 for small and midsized businesses.

Yet the slice of the budget devoted to cybersecurity has risen, growing to 29% this year from 26% last year for enterprises, and to 26% this year from 23% last year for SMBs. Further, more than 70% of the respondents said they expect their cybersecurity budget to continue to increase over the next three years.

[Figure: Security budget as a percentage of the overall IT budget. Image: Kaspersky]

Just 10% of those surveyed said their organization plans to spend less on IT security over the near term. The main reason cited by enterprise respondents for this decline is that top management didn't see the point in investing so much money in cybersecurity. Among SMBs, the main reason for the drop was a need to trim company expenses. Smaller companies have been hit especially hard by the coronavirus pandemic and lockdown.

But even in the face of budget issues, organizations must find a way to prioritize cybersecurity needs. As such, Kaspersky offers the following recommendations:

Use a risk-based approach when planning your cybersecurity budget. Look at the threats most relevant to your industry and company size and then consider the cost to the company and the probability of risk occurrence when prioritizing what to address first.

Consider outsourcing. Outsourcing can be a good option for organizations that don't have the necessary internal expertise or risk assessment processes. Using a guaranteed service level agreement (SLA) with any third party and moving your costs from capital expenditures to operating expenses are two ways to keep security spending under control.

Train your IT staff in security. Provide all your staff with basic cybersecurity hygiene training. Dedicated training courses that teach security practices can use formats that help employees remember cybersecurity rules. Also make sure you continue to improve the skills of your IT security workers so they can defend your organization against even sophisticated attacks. For example, you might want to seek out online training that covers threat hunting with YARA rules.

Combine endpoint protection with detection. Businesses need to stay vigilant and always use a dedicated cybersecurity solution that combines endpoint protection with detection capabilities. If necessary, turn to a free endpoint security tool, such as Kaspersky's Anti-Ransomware Tool for Business, which protects PCs and servers from ransomware, cryptominers, adware, pornware, and more.

Consider free, online security tools. In the midst of a tight budget, you can find some useful and free online tools to help with ad-hoc cybersecurity needs, such as checking suspicious files, IP addresses, domains, and URLs. One free site worth trying is the Kaspersky Threat Intelligence Portal.

Update your systems. Ensure that timely updates are applied to all systems, software, and devices. Also make sure that all corporate devices are protected with strong passwords.

Turn to the cloud. Security solutions that can be managed from the cloud can help protect remote offices, a key concern for cybersecurity specialists this year.

Protect against spam and phishing attacks. Ensure protection from spam and phishing attacks so that malicious actors can't profit from the credulity of employees. This is also relevant for SaaS mail services such as Microsoft Office 365.

Help your customers. To protect your customers from phishing attacks, educate them on the possible tricks that malefactors may use. Regularly send them information on how to identify fraud and what actions to take in this situation. If a customer's account is taken over, an anti-fraud solution that can detect anomalies and suspicious user behavior will be of huge value.

"Even though budgets get revised, it doesn't mean cybersecurity needs to go down on the priority list," Kaspersky's chief business officer, Alexander Moiseev, said in a press release. "We recommend that businesses who have to spend less on cybersecurity in the coming years get smart about it and use every available option to bolster their defenses by turning to free security solutions available on the market and introducing security awareness programs across the organization. Those are small steps that can make a difference, especially for SMBs."
