Communicating security concerns, policy changes and the investment required in cyber to executives is arguably one of the toughest challenges that security professionals face. IT and security departments can be perceived as cost centres, as they do not directly generate revenue. This perception makes it difficult to convince boards, not all of whom will have in-depth technical knowledge, to invest in the tools necessary to protect your organisation. Yet, without these investments, businesses risk exposure to severe financial, reputational and operational damage.
The priorities of a security team are to achieve an effective threat management posture that protects the business and prevents cyber incidents, while aligning security initiatives with wider organisational goals and meeting regulatory obligations. However, the risks involved often feel abstract or intangible, especially to organisations that have not yet experienced a breach. We believe that the key to securing buy-in for cyber security investment lies in framing the conversation in terms of business impact and risk management.
The Threat Landscape
Giving the board a holistic view of the threat landscape is essential to justifying cyber security investment. Cyber threats are constantly evolving and becoming more advanced, so the risk to businesses is continually growing.
Some of the threats that Red Helix sees as the most prominent going into 2025 are:
- Ransomware
Ransomware remains a prominent cyber threat, with many of the reported victims being SMEs. These attacks are not only costly, often involving significant payouts, but also difficult to recover from if you do not have adequate, tested back-ups.
- Supply chain attacks
Organisations are becoming increasingly connected through third party operations, which increases their exposure to supply chain attacks and vulnerabilities. Supply chain attacks can be extremely sophisticated and hard to detect, especially when they originate in a network you have no visibility of.
- AI powered attacks
Going into 2025, we expect to see AI come into full use by cyber criminals. AI has already given attackers better written phishing emails in foreign languages, making them harder to spot. Generative AI has also produced a growing volume of convincing impersonations in phishing and vishing communications, some of them capable of defeating voice recognition systems.
Cost of Doing Nothing
One of the most compelling arguments for investing in cyber is calculating the cost of doing nothing. The average cost of a cyber incident is reported to be £3.4 million, and while cyber insurance may cover some of these losses, insurers often take time to pay out. Without immediate funds to address a breach, businesses could face severe cash flow issues, or even closure, before relief arrives.
In addition to direct financial losses, the cost of regulatory non-compliance is about to rise sharply. With regulations such as DORA (the Digital Operational Resilience Act) and NIS2 (the revised Network and Information Security Directive) coming into effect in 2025, significant fines are expected to follow.
The fines under DORA vary with the severity of the violation and the organisation's level of cooperation with authorities. Penalties can include personal liability for the individuals responsible for security, with fines of up to €1,000,000. Companies also face substantial financial repercussions: a periodic penalty of 1% of average daily worldwide turnover can be imposed until compliance is achieved.
Fines under NIS2 operate similarly, with administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for non-compliance by essential entities (important entities face a lower cap of €7 million or 1.4%).
These fines make it easier to explain to boards, in monetary terms, the risk they are taking by not investing appropriately and proportionately in cyber security. It is important to convey that the magnitude of any fine will reflect the effort made and the company's demonstrable commitment to cyber security. The goal is not to guarantee that no breach ever occurs, but to demonstrate a commitment to incremental improvement and to invest appropriately to control the risk.
Prioritising Limited Spend
To prioritise a limited budget effectively, identifying the biggest threats to your business is the best place to start. These may be the threats listed above or threats specific to your sector, such as those targeting personal data or financial records.
Once the key threats are identified, analyse the vulnerabilities they exploit. For example, ransomware might target weaknesses such as a lack of tested backups or unencrypted data (which makes data theft and double extortion easier), while phishing could exploit insufficient staff awareness or a poor reporting process.
By tracing each threat back to the underlying vulnerabilities, you can determine where to focus your budget for maximum impact. Prioritising the vulnerabilities most likely to be exploited ensures that your resources are allocated where they are needed most. Tools such as CrowdStrike can identify your main vulnerabilities, and the likelihood of each being exploited, through their EDR (Endpoint Detection and Response) technology. This is often a very good place to start if you want to make data-driven decisions. Alternatively, you can reach out to trusted experts like Red Helix. We are always happy to advise.
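The threat-to-vulnerability tracing described above can be made concrete as a small risk register. The following is an added example, not code from the Red Helix article: it maps each vulnerability to the threats that exploit it, scores it by expected annual loss (likelihood multiplied by impact), and then goes one step further than the text by choosing, within a fixed budget, the controls that remove the most expected loss per pound. Every likelihood, impact and cost figure is a constructed illustration, not data from any real assessment.

```python
"""Added example: a minimal risk register for prioritising limited spend.

Figures below are constructed for illustration only; the vulnerability and
threat names follow the article's own examples (ransomware exploiting missing
backups or unencrypted data, phishing exploiting awareness and reporting).
"""
from dataclasses import dataclass


@dataclass
class Vulnerability:
    name: str
    threats: list[str]      # threats that exploit this weakness
    likelihood: float       # assumed probability of exploitation per year
    impact_gbp: float       # assumed loss if it is exploited

    def expected_loss(self) -> float:
        """Expected annual loss: the 'cost of doing nothing' for this weakness."""
        return self.likelihood * self.impact_gbp


@dataclass
class Control:
    name: str
    vulnerability: str      # name of the Vulnerability it addresses
    cost_gbp: float         # assumed one-off cost
    likelihood_reduction: float  # fraction of the likelihood it removes, 0..1


# Constructed register (assumed values).
REGISTER = [
    Vulnerability("no tested backups", ["ransomware"], 0.20, 400_000),
    Vulnerability("unencrypted data at rest", ["ransomware", "supply chain"], 0.10, 250_000),
    Vulnerability("low phishing awareness", ["phishing", "AI impersonation"], 0.35, 120_000),
    Vulnerability("no phishing reporting process", ["phishing"], 0.30, 60_000),
]

# Constructed candidate controls (assumed costs and effectiveness).
CONTROLS = [
    Control("offline immutable backups", "no tested backups", 30_000, 0.80),
    Control("full-disk and database encryption", "unencrypted data at rest", 25_000, 0.60),
    Control("phishing awareness programme", "low phishing awareness", 8_000, 0.40),
    Control("report-phish button and triage", "no phishing reporting process", 5_000, 0.70),
]


def rank_vulnerabilities(register: list[Vulnerability]) -> list[Vulnerability]:
    """Vulnerabilities ordered by expected annual loss, largest first."""
    return sorted(register, key=lambda v: v.expected_loss(), reverse=True)


def cost_of_doing_nothing(register: list[Vulnerability]) -> float:
    """Total expected annual loss if none of the weaknesses is addressed."""
    return sum(v.expected_loss() for v in register)


def plan_spend(register: list[Vulnerability], controls: list[Control],
               budget_gbp: float) -> tuple[list[str], float]:
    """Greedy allocation: buy controls in order of expected loss avoided per
    pound, skipping any that no longer fit the remaining budget.
    Returns (names of chosen controls, total expected annual loss avoided)."""
    by_name = {v.name: v for v in register}

    def loss_avoided(c: Control) -> float:
        return by_name[c.vulnerability].expected_loss() * c.likelihood_reduction

    remaining = budget_gbp
    chosen: list[str] = []
    avoided = 0.0
    for c in sorted(controls, key=lambda c: loss_avoided(c) / c.cost_gbp, reverse=True):
        if c.cost_gbp <= remaining:
            remaining -= c.cost_gbp
            chosen.append(c.name)
            avoided += loss_avoided(c)
    return chosen, avoided


if __name__ == "__main__":
    print(f"Cost of doing nothing: £{cost_of_doing_nothing(REGISTER):,.0f}/year")
    for v in rank_vulnerabilities(REGISTER):
        print(f"  {v.name:32} {', '.join(v.threats):30} £{v.expected_loss():>9,.0f}")
    chosen, avoided = plan_spend(REGISTER, CONTROLS, budget_gbp=40_000)
    print(f"With £40,000: {chosen}, avoiding £{avoided:,.0f}/year of expected loss")
```

The ranking by expected loss alone would put backups first, then awareness, then encryption; ranking controls by loss avoided per pound instead surfaces the cheap phishing reporting fix ahead of everything else and leaves the expensive encryption project for a later budget round. That is the board-level argument in numbers: the same spend buys very different amounts of risk reduction depending on which weakness it targets.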