TIPS & TRICKS TO SET YOUR CYBERSECURITY BUDGET

How do you actually determine how much budget to allocate to your company's cybersecurity? In this article, we provide tips & tricks related to your company's IT budget.

Companies are becoming more and more dependent on technology. At the same time, cybercriminals are becoming more and more advanced in their attacks. It is therefore natural that companies will have to invest more and more in their cyber security.

Cybersecurity prices have also been on the rise in recent years. Across all business sectors, we are more dependent on technology, which means more opportunities for cybercriminals to steal data, hold systems for ransom and generally leave a trail of destruction for the companies they attack.

Is spending a lot of money on cybersecurity the solution? Investing money in the issue alone is not enough. It is especially important that the money is invested in the most efficient way for your business. Thus, understanding your organization's cyber vulnerabilities is essential to keeping your business as protected as possible.

IT budget as a percentage of revenue

Some companies calculate their IT budget as a percentage of the company's revenue. This budget is often influenced by a number of factors, such as the industry the company is in and whether it is a large or small company. Large companies often have a larger IT budget.

As a benchmark for your IT budget, a 4% rate is recommended regardless of your business. This is because no industry or company, no matter how large, is immune to a cyber attack or data breach, or to the financial impact a cyber incident can have.

On which action points should you spend most of your budget?

This answer is not the same for every company. Before you spend money on your cyber security, it is crucial to do a thorough analysis of your cyber vulnerabilities. Only when you know what vulnerabilities exist can you strengthen your defenses. If you don't do a careful analysis you risk spending too much on the wrong 'solutions'.

Training and awareness are just as important as the latest technical solutions. After all, most errors are human and process errors. So your cyber security strategy must be reflected in your company's daily policies.

Questions you should ask yourself as a business regarding your cyber security

  • What are our key assets that we need to protect in terms of data, systems and processes?
  • What are our existing cyber security capabilities?
  • Are there any unused features among our current tools?
  • How much new investment is integrated into existing processes?
  • Can we decommission a tool if a new one overlaps and provides better protection?
  • Will the capabilities we acquire be effectively used and managed by the existing staff? Or will we need to hire new people?
  • Should we invest more in cybersecurity training for employees?
  • What threats should we prioritize and what budget should we allocate for them?
  • How do we ensure that our cyber security resources are deployed where they are most needed?
  • How much risk is the company willing to accept?

The gap between risks and capabilities is what investments should focus on. However, targeting and addressing gaps is only the first step. You also need to ensure that you spend in such a way that your existing capabilities are preserved as the threat landscape evolves. Otherwise, you may find that you are simply creating new gaps and exposing your business.

Follow a cybersecurity improvement program

No idea where to start with your cybersecurity policy? Follow a CS improvement path with one of VLAIO's accredited service providers for your company's security. Approved custom service providers can now apply for CS improvement pathways regardless of their SME status.

Source: Gallagher & VLAIO
