The end of one year and the start of a fresh, new one often serves as an ideal to evaluate one’s overall health fitness. This is true on a personal level, but it’s also a great time to take a step back and look at the health and fitness of your business as well.
In particular, as you are reviewing your budgets for 2019 and planning ahead, it’s a good idea to take some time to evaluate how flexible your cybersecurity budget is. Does it have enough elasticity to accommodate new types of threats and security challenges as they arise? Or is it rigid and set in stone?
If your budget tends to be inflexible, you may be handicapping your ability to manage risk and fight back against today’s complex cybersecurity incidents and attacks. When planning for 2019, we highly recommend evaluating whether your security budget is flexible enough to accommodate investments that will address new, emerging, and unpredicted risks—including the risk of insider threats.
So before you finalize your 2019 security budget, here are five pieces of advice help you build a ensure it is realistic and flexible enough to keep your business healthy in the coming year:
-
Get Real About Insider Threat
One of the reasons that many companies don’t budget accurately—or at all—for insider threat is that they don’t realize how major of an issue it can be. This is troubling, given how widespread insider threat incidents are today and how expensive they can be (the average global, annual cost of an insider threat has now reached $8.76 million.)
Yet most companies don’t have anything for addressing insider threat risks baked into their overall cybersecurity budget considerations.
Many security professionals understand this acutely: According a recent EY Global Information Security Survey, 87% of organizations say they require up to 50% more funding for addressing insider threats. However, only 12% of organizations expect to receive a budget increase of more than 25% this year. And the effects are felt: 34% of companies in a recent Ponemon Institute report said that a lack of budget is a major barrier to insider threat management at their companies.
The mismatch between how much an insider threat can cost an organization and how much is being spent to plan for and manage them is a big problem, and one that should be taken into consideration when building cybersecurity budgets for 2019.
-
Understand Your Threat Profile—Down to the Numbers
It’s common for businesses to build a cybersecurity budget without doing any major introspection on what types of threats they are the most likely to be hit with.
If you are fielding insider threats 80% of the time and outsider threats 20% of the time, then your budget should naturally have a similar split. Yet a recent SANS survey found that, when asked how their budgets were divided up between malicious and accidental threats, 56% of respondents did not even know what the split was!
There are a few ways to calculate the amount of budget that should be allocated to various threat types, like the insider threat. The first is to research security trends, both globally and within your industry or sector. The second is to look at your own business’s history with threats. (Though it is important to note that a lack of visibility to certain threat vectors is in itself a problem!)
Ideally, organizations should take both types of data into account when building out their cybersecurity budgets.
-
Study What Effective Insider Threat Tools Look Like
Many cybersecurity tools on the market claim that they can help organizations manage insider threats, but this is often not the case.
Tools like Data Loss Prevention software (DLPs), as one example, may require so much set-up and overhead that they become unwieldy over the long haul and often fail to detect threats in real time. Other tools that purport to help with insider threat but often fall short include:
1. Privileged Access Management (PAM)
2. User Activity Monitoring (UAM)
3. User Behavior Analytics (UBA)
4. Security Information and Event Management systems (SIEM)You can’t include insider threat management into your budget in a realistic, tangible way if you don’t know what tools will really work to catch and defend against this type of threat.
It’s a good idea to spend some time figuring out what tools you need to add to your arsenal to effectively prevent insider threats at your unique organization before you sign off on that security budget. -
Understand the Security Cost Centers
What exactly should go into a cybersecurity budget, particularly to prevent and contain insider threats? The Ponemon Institute’s Cost of Insider Threats report contains an example activity cost center across three different types of incidents:
1. Employee or contractor negligence
2. Criminal/malicious insider
3. Credential theftTo decrease your liability in the event of these types of threats, your budget should address all of the following:
1. Monitoring and surveillance
2. Insider threat investigation
3. Escalation
4. Incident response
5. Containment
6. Ex-post response
7. RemediationIn our Guide to Budgeting for Insider Threat Management, we cover what each of these cost centers entails and also look at their average costs. You might be surprised by the numbers! (And if so, it’s a good indication you may need to go over your budget one more time.)
-
Account for Extraneous/Unexpected Costs
Many of the largest costs that can be incurred in the event of an insider threat incident fall outside of the immediate incident-related cost centers. Especially if you operate in parts of the world where privacy and security regulations necessitate detailed record-keeping and disclosures—and may result in fines in the event of a breach—you need to take legal and regulatory costs into account as well.
For example, the European Union’s updated General Data Protection Regulation (GDPR) gives regulators the authority to fine organizations up to 2% of their global annual turnover for failures relating to a breach, and up to 4% if an organization significantly mishandles the response.
While you don’t necessarily need to budget this amount and set it aside, you may want to consider how the costs of prevention would weigh against the costs of a breach if one were to happen and make your budgetary decisions with this in mind.
For more details on how to build a realistic and effective cybersecurity budget that includes insider threat management, download our free guide:
Subscribe to the Proofpoint Blog