The numbers speak for themselves: Nine out of 10 security leaders believe their organization is falling short in addressing cyber risks, according to Foundry’s 2021 Security Priorities Study.
And while investing in hardware and software to better protect sensitive data from cyberattacks is a best practice, it is not cheap.
However, many small and midsize business (SMB) leaders mistakenly believe their organizations are not targets, and that spending more money on IT security is wasteful if they haven’t been breached, says Candid Wüest, Vice President of Cyber Protection Research at Acronis.
Yet, many organizations allocate less than 10% of their IT budget to security, according to a new report from Acronis.
But the problem is not just with security spending, Wüest adds; small budgets in general make it difficult to fulfill all business needs.
Also, he says, many SMBs use third-party security services, making “the amount of work that goes into data protection and security, as well as the benefits of doing so, harder for the CEO or president to see.”
The security risks for SMBs are rising
The truth is that cyberattacks are getting more sophisticated because attackers are now using automation and machine learning, making it more difficult to block threats with traditional security solutions.
“This is especially true as organizations embrace digital transformation and use new online services, which need to be protected,” Wüest says. “Without adapting and updating the cyber protection stack, these security gaps will grow over time, making it easier for attackers to find holes and breach them.”
Meanwhile, employees continue to pose threats. The Acronis research found that 56% of workers lost data at least once in 2021, due to accidental deletions, app/system crashes, malware attacks, a lost/stolen device, and other reasons. In addition, 26% lost data multiple times.
Cyberattacks can be devastating to businesses of any size, causing them to incur stiff financial penalties, downtime-related revenue loss, and severe reputational damage. In fact, 76% of organizations experienced downtime due to data loss in the last year — a 25% increase over the previous year, according to the Acronis report.
Cybersecurity investment tips
So, how do you convince company executives to increase your security budget?
One way to prove the need for security software is to run an attack exercise or an external penetration test to show potential gaps in your protection stack. A list of these vulnerabilities should be accompanied by a plan for how to address them, Wüest says.
For example, having metrics on the number of blocked incidents in the IT environment can help illustrate the risks. Combine that with recently publicized examples of what could happen if an organization is not prepared, as well as an explanation of how vendors or managed security services providers (MSSPs) can close gaps.
Other protection measures include strong authentication, setting appropriate access and control privileges, timely patch management, and the use of segmented networks. Also, ensure you have backups and a disaster recovery plan to minimize downtime when an incident occurs.
“These steps should be followed by a good email security solution,” Wüest says. “Most attacks start with a malicious email or phishing attack. If these threats can be filtered out before they reach the user’s inbox, then the risk can be minimized.”
Because there are many moving parts that need to be analyzed, it is also important to consolidate vendors and look for automated and integrated solutions, he advises. “This can help save overall costs and free up some budget.”