Data Breach Prevention – 5 Ways to Get the Most Bang for Your Buck

Most companies struggle to find enough resources for proper data breach prevention. Here are five ways to stretch your limited security budget to get the most bang for the buck.

As cyberattacks and data breaches escalate, many organizations risk substantial losses. According to the Cisco 2017 Annual Cybersecurity Report, over one-third of enterprises that experienced a breach in 2016 reported customer, opportunity, and revenue loss of more than 20 percent. Despite this, most security teams simply don’t have the resources to adequately protect their company’s sensitive data. It’s therefore critical to spend every dollar wisely and manage each resource to extract the maximum benefit possible. Sometimes even a small change can have a big impact on mitigating the risks to your organization.

Here are 5 techniques to help you leverage your cybersecurity budget.

1-Ensure All IT Projects Fund Their Own Security Needs

An efficient way to protect and extend your data breach prevention budget is to require that all new IT projects undergo a risk and security assessment before they are fully approved. Then build the security funding into each project.

Too many organizations fail to do this, and the security department finds itself responsible for protecting an additional asset or service it hadn’t budgeted for. This is a sure setup for failure.

It’s critical that the company’s security leadership participates in all new projects to ensure that upper management understands the required data breach controls and provides the necessary funding. See Cybersecurity Slowly Making it to the Boardroom for more information about working with upper management.

2-Automatically Scale Your Data Breach Prevention Capabilities with Self-Learning Defense Systems

One of the most effective ways an organization can maximize its cybersecurity budget is to deploy today’s advanced, self-learning defense systems. While nothing can fully replace talented security professionals, modern breach detection and prevention tools that incorporate machine learning will significantly lighten an analyst’s load.

Automated, machine-learning tools are self-learning, inexpensive, extremely quick, work 24×7 without tiring or complaining, and scale to meet the largest demands. These tools excel in many areas, including:

  • Filling in Talent Gaps: It’s difficult to find skilled cybersecurity professionals today. Advanced data breach prevention tools will significantly help.
  • Task Automation: Effective cybersecurity requires the analysis of extensive amounts of data. Machine learning is perfectly suited for automating these difficult and tedious tasks.
  • Anomaly Detection: Discovering an anomaly among terabytes of data is virtually impossible for human analysts alone, but it is no match for machine learning-based tools.
  • Anticipating a Hacker’s Next Move: When your company is under attack, knowing your assailant’s next move can protect you from a full-scale data breach—and machine learning is perfectly suited for this task. See Cyber Attack: What’s Your Assailant’s Next Move to learn more.

3-Leverage Free and Inexpensive Data Breach Prevention Tools

There’s no substitute for advanced data breach prevention products, and yes, such tools are expensive. However, to supplement the solutions you purchase, you can take advantage of free or inexpensive security tools and techniques. Here are some examples:

  • Application patching: Update and patch your systems. Make sure all security hotfixes, patches and updates have been applied. This generally takes time but no money.
  • Turn on multi-factor authentication wherever available: Most data breaches involve password theft. Many systems today include advanced authentication as an option and the benefits are profound.
  • Ask employees to use different passwords for business and personal accounts: This simple and free policy will reduce your risk of a data breach and extend your security controls without impacting your budget.
  • Enforce Strong Passwords: If you can’t use multi-factor authentication, at least enforce strong passwords where possible. Poor password practices make it easy for hackers to get into a company’s network or email. Passwords that use a combination of numbers, symbols, upper and lower-case letters (such as 4@l45%Mr1#ar), or a phrase (RoundandRoundtheRuggedRock!) are much more difficult to break than commonly used passwords.
  • Write or update your security policies. It is tedious work, but will reduce your legal liability, provide structure for your security investments, and will save you money in the long run.
  • Security Awareness Training: Yes, you can spend a great deal on security awareness by bringing in outside pros to do it for you, but you can also do a lot on your own, and save a bundle of money. Turn employees into security assets with free training programs such as:
    • Hosting brown bag lunches with a security awareness theme
    • Offering webinars and other low-cost education opportunities
    • Posting security information in common areas
    • Distributing security tips to employees via e-mail or corporate intranet
    • Simulating phishing attacks (e.g., systems that periodically send phishing e-mail to staff and alert employees if they have engaged in an insecure activity)
  • Use Free Security Services – examples include:
    • Have I Been Pwned – will notify you if any of your email addresses are tied to a disclosed data breach (so you can change passwords and increase monitoring).
    • Check the use of a brand or username on 160 social networks at CheckUserNames.
    • Aw Snap has tools for owners of hacked websites to help find malware and recover their site.
    • See a list of other free security tools at Wordfence.com.
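The “Enforce Strong Passwords” item above names two acceptable shapes for a password: a mix of numbers, symbols and upper- and lower-case letters, or a long phrase. The following added example (not code from the original post or its author) turns that policy into a checker that accepts either shape and also rejects entries from a small constructed list of commonly used passwords. The minimum lengths, the word-count heuristic for a passphrase and the common-password list are assumptions for illustration; in practice the list would be replaced by a lookup against a breach corpus such as the Have I Been Pwned service mentioned above.

```python
import re
import string

# Constructed placeholder list of commonly used passwords (not a real breach corpus).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin"}

MIN_COMPLEX_LENGTH = 12      # assumed policy value for the mixed-character-class form
MIN_PASSPHRASE_LENGTH = 20   # assumed policy value for the phrase form
MIN_PASSPHRASE_WORDS = 3     # assumed heuristic: a phrase has several words


def has_char_class_mix(password: str) -> bool:
    """True when the password contains a digit, a symbol, an upper- and a lower-case letter."""
    return (
        any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
    )


def is_passphrase(password: str) -> bool:
    """True when the password is long and made of several words.

    Words are counted as runs of letters, optionally capital-initial, so that
    run-together phrases such as RoundandRoundtheRuggedRock! still count as words.
    """
    words = re.findall(r"[A-Z]?[a-z]+", password)
    return len(password) >= MIN_PASSPHRASE_LENGTH and len(words) >= MIN_PASSPHRASE_WORDS


def evaluate_password(password: str) -> dict:
    """Apply the policy and return the verdict with human-readable reasons."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("commonly used password")
    complex_ok = len(password) >= MIN_COMPLEX_LENGTH and has_char_class_mix(password)
    if not (complex_ok or is_passphrase(password)):
        reasons.append(
            f"use {MIN_COMPLEX_LENGTH}+ characters mixing digits, symbols, upper and "
            f"lower case, or a passphrase of {MIN_PASSPHRASE_LENGTH}+ characters"
        )
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # The two examples from the post plus a weak and a common password (constructed).
    for candidate in ["4@l45%Mr1#ar", "RoundandRoundtheRuggedRock!", "Welcome1!", "password"]:
        verdict = evaluate_password(candidate)
        print(candidate, "->", "accepted" if verdict["accepted"] else verdict["reasons"])
```

The checker deliberately accepts either form rather than demanding both, which is what keeps a long, memorable phrase usable; the common-password check runs regardless, because a complex-looking string that appears in a breach list is still a weak password.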

4-Perform Effective Risk Assessments

Not spending anything on security isn’t an option – but throwing money at a problem without fully understanding the risks isn’t much better. A risk assessment – the process of identifying, analyzing and evaluating risk – is the only way to ensure that the data breach prevention controls you invest in are appropriate for the risks your organization faces.

Some may think a risk assessment is an unnecessary expense, when in fact it will help educate the executive team, assist in budget approval, and save your company money and time in the long run. However, it’s important to carefully manage and use good judgment when undergoing a risk assessment. Don’t let it over-consume your time or budget.

Conducting a risk assessment typically includes the following steps:

  • Identify and document asset vulnerabilities, particularly those that are likely targets such as IP, customer lists, PII
  • Identify and document internal and external threats
  • Acquire threat and vulnerability information from external sources
  • Identify potential business impacts and likelihoods
  • Determine enterprise risk by reviewing threats, vulnerabilities, likelihoods, and impacts
  • Identify and prioritize risk responses
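As an added example of the six steps above (not code from the original post or its author), the following Python builds a small risk register, scores each item as likelihood × impact on ordinal scales, ranks the items, and separates those worth funding a control for from those below an assumed risk-appetite threshold. The scales, the threshold, the level cut-offs and the sample register entries are all constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal scales assumed for this example (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPT_BELOW = 4  # assumed risk-appetite threshold: scores under this are accepted, not funded


@dataclass(frozen=True)
class RiskItem:
    asset: str          # step 1: the asset and the vulnerability that exposes it
    vulnerability: str
    threat: str         # step 2: the threat that could act on it
    likelihood: str     # step 4: likelihood and business impact on the ordinal scales
    impact: str
    response: str       # step 6: the proposed response (control)

    @property
    def score(self) -> int:
        """Step 5: enterprise risk as likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score: int) -> str:
    """Map a score to a level; cut-offs are assumed for the example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(items):
    """Step 6: rank by score, breaking ties toward the larger impact."""
    return sorted(items, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)


def treatment_plan(items):
    """Split the ranked register into items to treat and items to accept."""
    plan = {"treat": [], "accept": []}
    for item in prioritize(items):
        plan["accept" if item.score < ACCEPT_BELOW else "treat"].append(item.asset)
    return plan


def sample_register():
    """Constructed sample register; none of these entries describe a real organization."""
    return [
        RiskItem("customer list", "exported to unencrypted spreadsheets", "insider exfiltration",
                 "likely", "major", "DLP rule and encrypted storage"),
        RiskItem("source code (IP)", "repository reachable without MFA", "credential theft",
                 "possible", "severe", "enforce multi-factor authentication"),
        RiskItem("HR records (PII)", "unpatched file server", "ransomware",
                 "possible", "major", "patch and isolate the server"),
        RiskItem("marketing website", "outdated CMS plugin", "defacement",
                 "likely", "minor", "update plugin, enable monitoring"),
        RiskItem("break room display", "default password", "prank tampering",
                 "unlikely", "negligible", "none (accept)"),
    ]


if __name__ == "__main__":
    for item in prioritize(sample_register()):
        print(f"{item.score:>2} {risk_level(item.score):<6} {item.asset}: {item.response}")
    print(treatment_plan(sample_register()))
```

The lowest-scoring entry lands in the accept bucket, which is the point made in the paragraph that follows the steps: a control for an event that is unlikely and immaterial is money the assessment tells you not to spend.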

Without an appropriate risk assessment to guide your choices in data breach protection tools, you will waste time, effort and resources.  There is no reason to implement controls for events that are unlikely to occur, or that won’t materially impact your organization.  See our blog Spending is Up – But on Old Technologies that Don’t Work to learn more about inappropriate security purchases.

5-Defend and Increase Your Data Breach Prevention Budget

Receiving additional resources, and protecting your existing budget will only occur when security leaders clearly demonstrate the benefits of a larger budget. Though security funding has grown in recent years it can quickly revert to former amounts if not well defended.

Gartner’s publication How to Manage and Defend Your Security Budget outlines the following techniques and principles that security leaders must adopt if they are to successfully enhance their budgets.

  • Demonstrate to your peers your understanding of the needs of the business and your proficiency as a risk manager, and continually market the benefits of the security program and of your business focus.
  • Use a strong governance approach to inform and agree on priorities, and to develop realistic budget requirements.
  • The security leader must appear, in the eyes of their superiors, colleagues, and peers as someone keenly perceptive of business objectives as well as security and technical issues.
  • Security funding must create a balance between the priorities of protection and those of revenue growth and business development.

The current sensitivity of decision makers to security means security leaders have a willing audience open to supporting security initiatives. To convert this sensitivity into the approval of the best budget for the organization’s security, security officers must position themselves before their peers as business-skilled strategists who can balance the needs to protect with the needs to run the business.

The Bottom Line

Defending your organization from a data breach is and always will be a demanding and expensive task. Success requires making the most of available security resources. Organizations need to use technology to extend the effectiveness of their security tools, and security leaders must proactively defend appropriate data breach prevention budgets.

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive-level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media, where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, which released the industry’s first commercial IPS/FW testing tool.