Cybersecurity budgets: The delicate balance of spending money to save money

The bigger the potential gain, the bolder cyber attackers become at finding creative ways to intercept payments or hack into company systems. EPA/RITCHIE B. TONGO

The bigger the potential gain, the bolder cyber attackers become at finding creative ways to intercept payments or hack into company systems. EPA/RITCHIE B. TONGO

Published Apr 10, 2023

Share

Allocating sufficient budget to cyber threats can be a complex issue that requires the cooperation and coordination of all executives within an organisation.

When a company’s financial and reputational welfare is at stake, it pays to effectively calculate the priority such risks should be awarded during budgeting, says Ryan Mer CEO at eftsure Africa, a Know Your Payee™ (KYP) platform provider.

For CFOs, it’s not a question of whether a cybersecurity budget should be in place, but rather how much is enough.

The bigger the potential gain, the bolder cyber attackers become at finding creative ways to intercept payments or hack into company systems.

Business email compromise (BEC) remains one of the most significant threats, intercepting invoices from suppliers and diverting payments by creating fraudulent bank accounts is another way hackers make quick financial wins. CIOs and CTOs may be the experts on your IT and internal technical processes but may not have the expertise, or the time, continuously to track the latest techniques being used by cybercriminals.

In setting cybersecurity spend, the risk of inadequate protection should be weighed against the financial and reputational consequences of becoming a victim of cybercrime.

Factors determining cybersecurity spending

There are several issues to take into consideration when budget setting to cover cybersecurity risks. The nature of your company is a determinant of the level of risk you face (though no single operation is immune). Securing your organisation’s financial processes is an important starting point as the most valuable company data is usually related to its finances, which places a high degree of responsibility on CFOs, controllers, and other financial staff.

Financial workers can and should have an important voice alongside the company’s IT department, helping to devise a cybersecurity plan that addresses areas of concern, including issues related to payment fraud. Staff training on issues around cybersecurity including awareness around Business Email Compromise (BEC) should be ongoing and must be included in overall cybersecurity budgets.

How cyber risk averse or risk tolerant are you?

Ultimately, cybersecurity is as much a business strategy issue as it is a technical one and the decision on how much to allocate to your cybersecurity budget must be taken with the overall financial and reputational health of the company in mind. This means involving the entire executive team in decisions around budgets. Cybersecurity awareness should come from the top and how it’s managed should be thoughtfully considered on an ongoing basis given the rapid increase of common attacks like malware, phishing and BEC.

Inhouse or outsourced cybersecurity?

Keeping the management of cybersecurity in-house limits spending, which means heads of IT are responsible for keeping on top of ever-evolving risks. Fixing an amount in this way, however, does not take into account the ever-changing risk environment and may result in the IT department coming back, again and again, to request additional amounts to cover additional unanticipated risks. Engaging with cybersecurity consultants is worthwhile to give an expert external perspective on your organisation’s risk posture and how to address potential gaps. Software upgrades should play a pivotal role in an organisation’s cybersecurity controls, regardless of whether managed internally or via cybersecurity consultants.

Managing risks and security within an organisation becomes everyone’s responsibility given the ways modern businesses and processes are interconnected. Senior management can provide training to other staff to ensure awareness, education and compliance with procedures, while also enlisting the services of external cybersecurity experts to bolster efforts from time to time.

Protecting your organisation’s financial processes

A solution like eftsure protects your financial processes which are the most vulnerable, to mitigate against payment fraud.

Placing your company, suppliers and customers at risk simply isn’t worth, well…the risk and taking a realistic look at all the systems that comprise the entire value chain of your operations is necessary when it comes to deciding budget limits. There are also massive efficiencies to be gained by automating and digitising financial processes which almost immediately have a positive impact on a company’s bottom line.

What is not in dispute is the need for companies to address the issue head-on and recognise that the threat is real, requiring budgetary expenditure commensurate a company’s risk profile.

BUSINESS REPORT