Limited budget – How should you spend it?
With headlines such as Hackers Turn Their Gaze On Vulnerable Smaller Companies and Top Tips for Better Security for SMEs, it’s no surprise that maximising your security budget is critical if you want to succeed as a small business. However, if you have a limited budget to dedicate to security, how should you spend it? Should you:
- protect your key assets, or
- thinly spread your budget over an array of various assets?
Lets explore the options
Option 1
If we look at option 1 – protecting your key assets. There are two obvious benefits to spending your allotted budget on protecting key assets. Firstly, it ensures that your business has a higher chance of survival should something go wrong. The Centre for the Protection of National Infrastructure (CPNI) advises that you “identify which assets are critical to your business success, competitive advantage and continuing operation.” These will typically include “people, products, services, processes, premises and information.”
There is a second obvious benefit to protecting your most critical assets. It is that you are more likely to meet legislation and compliance. However, putting all of your eggs in one basket is often risky. It leaves unsecured assets more vulnerable to attack. For starters, your key assets have to be accessed by something, aka a system outside of their immediate protection.
If someone tries to hack your key assets, they may try and access them through a web of systems that you have failed to secure. Do you know what systems have access to your critical assets? For example, the CPNI suggests that you look beyond your organisation to suppliers and contractors. They argue that you should “establish a full and accurate picture of the impact on your company’s reputation, share price or existence if sensitive internal or customer information were to be stolen.” Wherever the data goes, those points need to be protected also.
However, by not spending money on employee knowledge, you leave yourself vulnerable to be compromised by the “small” stuff. Considering employee error accounts for most security incidents (see here), you may want to think twice before you decide to skip over spending any money on user security awareness training and physical security controls.
Option 2
If you decide to go with option 2 and thinly spread your budget across many areas, there are obvious benefits. These include the feeling of being more secure by having all of the ground covered (at least at a baseline level). However, this basic level may be not be sophisticated enough to pick up the more complex security attacks and hacks. Additionally, you may not be fully investing in the best areas. You may not have fully assessed the risk of each area.
We suggest you spend some time mapping out where your assets are and any attack paths. Check whether your data is segregated and isolated properly and see whether they have adequate security controls applied. In the end, whatever option you choose, it all comes down to your risk appetite and what kind of data you’ve got to protect.