Getting the most out of your security budget

We all know that small businesses are still going through a tough time, and that it is likely to be years before we see the end of the current crisis.

Real wages aren’t expected to get back to early-2022 levels until the end of 2027 and the typical energy bill this winter is still going to be significantly larger than before Russia’s invasion of Ukraine, for both businesses and households.

Cybercrime is also continuing to rise, with phishing attacks and scams increasingly targeted at people’s financial concerns. There are probably at least two reasons for the increase in cybercrime:

  1. More people are tempted to turn to the simpler forms of cybercrime (to make money).
  2. More people are likely to be in some degree of financial difficulty and therefore more likely to fall victim to scams and cleverly targeted phishing.

Things just aren’t going to get any easier, for individual households or for small businesses. And cybercrime isn’t going anywhere.

Cyber risks due to budget constraints

Tighter budgets can mean an increase in cyber risk, especially for smaller businesses. For example:

  1. You may be relying on outdated equipment such as mobiles or computers, just because you can’t yet justify the expenditure on new kit. The problem is that old kit goes out of support and/or can’t be upgraded—meaning that you don’t get the latest security upgrades.
  2. You may not be able to afford any paid-for training for your staff, such as security awareness training. This means that they may not have security issues top of mind as they go about their daily tasks.
  3. Deliberate insider threat might increase. Staff who are struggling financially may be tempted either to defraud the company or to receive a kickback from a criminal to provide them with access to your systems.
  4. Accidental insider threat might increase. Staff who are stretched too thinly because you have insufficient budget for another staff member may make an expensive security mistake—or may be less likely to notice an insider threat as they strive to complete their work.

Small business security on a tight budget

Make sure you have the basics in place to reduce risk

The basics: backups, strong passwords, malware protection, a process for regular updates of your software and security training for your staff. Most of these can be done for little or no extra cost.

Spend any IT budget you do have carefully

If buying something new, think about security needs as part of the specification upfront, rather than as an add-on. Don’t forget about the need to replace outdated equipment or the cost of upgrades, and check that you aren’t spending more than you need to in order to reduce your cyber risk.

Free cyber security awareness resources are available online. Any search engine will come up with a variety of options, but do check out:

The NCSC also provides a free Early Warning service to get notifications of threats to your organisation.

Review your current suite of security tools, if any

It may be possible to find more cost-effective options than the ones you are currently using. In any case, check that the tools you do use, such as anti-malware, are set up to be as effective as possible. Don’t forget to change the default passwords on your kit if there are any.

Depending on the size of your business, you may have ended up with duplication of services or unnecessary services. If you’ve had to reduce your headcount, don’t forget to reduce the number of licences for software in parallel.

If you don’t have one already, create an asset inventory—don’t forget your cloud services—and assess whether any of the services itemised can be removed or consolidated. Don’t forget to think about cyber insurance too.

Be alert to the risk

Be aware of indications that your staff may be under additional pressure and educate all staff about:

  • the potential consequences of insider threats
  • what to watch out for
  • how to report any concerns
  • and, crucially, that there will be no adverse effect on the one reporting a potential problem.

The NPSA has guidance on identifying and managing insider threats, and also offers free training modules covering insider risk.

By establishing a strong and positive security culture you may be able to reduce the insider risk in the first place or mitigate the risk by enabling other staff to report concerns. Again, the NCSC has guidance on this: You shape security – NCSC.GOV.UK

Contact us

And of course: consider our subscription service for a few hours of cyber security expertise every month for a low price. No need to add an entire person to your employee roster: use a few hours of our time to work on the security issues that are worrying you—including how best to use your security budget. Contact us on 0113 733 6230, or use our contact form, to have a chat about what you need and how we can help.