3 Things To Know When Investing in Cyber Security Services

Investing in cyber security services can be a daunting task for small to medium businesses (SMBs). The increasing threats coupled with a complete lack of understanding as to what to do, makes the task seem impossible.

No doubt there are plenty of experts in the form of Managed Service Providers (MSPs) that can advise you. The challenge however, is that these engagements can be equally confusing to leaders of SMBs.

So what should you do?

The first thing you should realise is that any investment into cyber security services should be business led, not technology led. With this in mind, there are 3 key things you should know before signing up your SMB to new products & services.

1. Know the Value of your Data

In many ways this concept is no different to traditional security. If you were looking at protecting a building you would start with the value of the contents. Likewise, cyber security discussion should start with the value of your data.

When considering your data's value, you need to keep a few things in mind. Your data may not be worth much on the open market, but it is valuable to you. Be sure to consider:

• What is the value of access to your data? If you couldn't access your systems for a day or so; could you operate? would you lose sales, production or even some clients?
• Could you recover from significant data loss? It's reported that some 60% of SMBs go out of business within 6 months of a significant data breach. Consider your operational impacts if you were to lose all of your working files & records. (see also: preventing data loss)
• Do you process a high volume of transactions in a day? Businesses with high transactions are impacted far worse in the event of losing a days worth of data when restoring from backup.
• What reputational damage would you suffer from a data breach? Given the legal requirement of reporting a breach, many businesses lose clients as a result of reputation damage.

Understanding the value of what you stand to lose in a significant cyber breach is the first waypoint in identifying the best path forward. The amount of money you invest in cyber security services should be relative to your risk.

2. Know Where you are Vulnerable

Every business has unique strengths and weaknesses. Given that no SMB has the resources to do everything by the book, priority should be given to the areas most vulnerable.

As an example, a business with significant IP or sensitive information may need to prioritise encryption, network protection and user access controls. Likewise, a manufacturer with high transactions and tight turnaround times may need to prioritise recoverability above all else.

Your weaknesses are not defined by technical capabilities & hardware. Rather, they are the critical functions of your business that deliver value to your clients. If you have delivery guarantees, you have a vulnerability in productivity. If you have clients that require levels of assurance around your data management, you have a vulnerability in compliance.

Knowing the top 2-3 things that could negatively impact your business operations is key to knowing how to effectively invest in cyber security services.

3. Know your Requirements

There has been a growing list of requirements on SMBs and their data management in recent years. Commonly this has been related to two major factors:

1. Insurance - Cyber insurance in particular has an ever raising bar regarding compliance to not only obtain, but to retain cover. An estimated 42% of all cyber claims in 2022 failed to cover all losses. In many cases, businesses were denied payouts due to non-compliance of their policy.
2. Supply Chain - Major data breaches such as Optus and Medibank in 2022 have led all major corporates to review the data security of not just themselves but their supply chain. This is putting undue pressure on SMBs to comply with various cyber security measures in order to retain their business and sign new agreements.

If your business is beginning to be effected by the changing tides, this should be factored into your spending. Many requirements being pushed to SMBs can take several months or even years to implement. You don't want to end up in a position of being unable to sign new revenue due to poor cyber security practices.

Putting it All Together

The combination of these 3 'knows' should inform an appropriate level of spend for your business. There is a sweet spot in spend when it comes to cyber security products & services that differs from business to business.

Spending too little results in little to no measurable benefit. Likewise spending too much has diminishing returns and is better spent elsewhere. Finding this sweet spot often proves to be the most difficult aspect for SMBs.

Once you have determined an appropriate level of investment, the next major component is understanding how to best allocate those resources. As discussed above, understanding your businesses vulnerabilities is key.

An effective cyber security strategy understands risk, priorities, and distributes efforts for maximum effect. You don't have to do everything at 100%, but you should weigh investment towards the areas most important to you.

Summary

Putting the above into action can be easier said than done. It can be hard for SMBs to correctly evaluate the value of data and vulnerabilities in the business.

We have significant experience in having these exact conversations. If you're concerned about cyber security in your business, but are not comfortable having this conversation internally or with your existing MSP, consider giving us a call.

Alternatively, you can book a chat directly with us at a time that suits you to learn more.