Cyber Security Budget: Do You Have the Balance Right?

Niek Dekker

You know the feeling.

An email arrives from your CISO or CTO with a request to approve payments for a suite of cryptic line-items. SIEM, SOAR, XDR. What is it with techies and acronyms?

And whilst you’re not expected to be an expert on all aspects of cyber technology, as a modern CFO, you do need to have a general awareness of what’s being purchased, so you can ensure your organisation’s finances are not being misappropriated.

It also pays to have a general understanding of the cyber threat landscape, so you can speak with confidence when it comes to internal budget-setting discussions.

After all, how do you know whether you have an appropriate budget that mitigates the broad range of risks your organisation actually faces?

Your CISO and CTO are experts in their field, so you will inevitably be guided by their recommendations. However, they may also have a narrow view of the types of threats confronting your organisation. By bringing an outsider’s perspective to the table, you have an important role to play in ensuring other significant threats are not overlooked.

Embrace a flexible approach to cyber security budgeting

Cyber-crime is constantly adapting. To keep ahead of the cyber-criminals, organisations must be agile. They must be able to pivot to embrace new strategies and new technologies whenever necessary.

The traditional approach would see an organisation set a fixed annual cyber security budget, and then leave it to the experts, typically the CISO or CTO, to determine which specific technologies should be acquired with that budget.

The problem with this approach is that it fails to consider the actual threat landscape during the budget-setting process. If your goal is to stop the threats your organisation is most likely to confront, and those threats are constantly changing, then it makes sense to have a flexible approach to the budget, which allows you to adjust spending as needed.

Just because your organisation’s normal approach to budgeting would see you increase cyber security expenditure by 5% annually, does not mean this default approach would be the right approach when it comes to stopping cyber-crime.

You may need to spend more. You may need to spend less. Either way, as the CFO, you should always keep an open mind and question the assumptions about what threats are most likely.

Budget constraints demand prioritisation

No organisation has unlimited resources.

Cyber-security expenditure must be prioritised to focus on the most significant, and most likely, threats. In a recent report, 84% of large Australian organisations reported an increase in cyber technology expenditure. Despite this, 81% of respondents reported that “staying ahead of attackers” is a constant battle and the costs are unsustainable.

The organisations that succeed in mitigating the threats they face typically have close cooperation and coordination between the CISO/CTO and other executives, such as the CEO and CFO. By keeping communication open and breaking down internal silos, it is possible to achieve a 360-degree view of the risks the organisation faces. This allows the organisation to prioritise effectively: investing the right amount of funding, and ensuring it is directed in the appropriate ways, in order to provide the best possible security outcomes.

Cyber resilience isn’t always about increased expenditure. It is also critical that funds are spent in the right ways – targeting the most likely risks.

For example, many organisations are focused on preventing ransomware attacks. Ransomware incidents receive widespread news coverage which may result in a perception that such an attack is highly likely. However, the reality is that reports of ransomware attacks remain far lower than other types of attacks, notably Business Email Compromise (BEC).

In the latest Annual Cyber Threat Report prepared by the Australian Cyber Security Centre (ACSC), there were nearly 500 reported incidents of ransomware. However, during the same period, there were over 4,600 reports of BEC attacks. Despite reported BEC incidents being nearly 10 times greater than reported ransomware incidents, many organisations fail to invest adequately in ensuring they have systems in place to reduce the risk of falling victim to BEC.

One possible explanation for this lack of focus on BEC, despite it apparently representing a far more likely threat than ransomware, is that it mostly impacts finance departments. As a result, many CISOs and CTOs may not focus on it as an urgent threat that needs mitigating.

How can Eftsure help?

With Eftsure sitting on top of your accounting processes, you can effectively mitigate the risk of BEC, one of the most highly prevalent cyber-attack vectors impacting Australian organisations.

Eftsure ensures that suspicious outgoing payments will be flagged with a red thumb in real-time immediately prior to processing funds, significantly reducing your exposure to the severe financial losses that often result from a BEC incident.

As your organisation’s CFO, with responsibility for securing its financial assets, it is critical that you maintain open communications with the CISO and CTO to ensure that appropriate budgets are allocated to acquire the technologies that help reduce your exposure to the most likely risks, such as BEC.

Contact Eftsure today to strengthen your organisation’s resilience against the most common types of cyber-attacks.
