September 14, 2023

Protecting your professional services firm from cyber crime

As cyber threats continue to grow, professional services businesses need to know where best to build their defences. Here’s expert advice on getting maximum bang for your protective buck.

As the incidence and severity of cyber crime continue to rise, it’s vital to put adequate measures in place to safeguard your systems, customer data and intellectual property. “How much should we be spending on cyber security?” has become a pivotal question for Australian professional services firms.

More than one in five Australians and just over one in 10 businesses have been victims of a cyber-attack, scam or data breach in the last 12 months alone, according to NAB’s April 2023 Cyber Security Attacks and Scams report. On average, Australians lost $569 while for SMEs the average loss was $19,400.

But, while it’s clear they have a great deal at stake, both professionally and reputationally, cost is not the first question partners and principals should seek to answer, according to Kristian Yench, Manager of Solutions Consultancy at technology services provider Tecala.

Rather, they should be asking themselves exactly what it is they need to protect, and why.

A data breach that sees sensitive customer information posted to the dark web, for example, could result in significant financial losses – think fines, costly reputational damage and client defection.

A ransomware attack, meanwhile, might cost a firm just as dearly if its entire workforce were brought to a standstill for a day or several. And if illicitly encrypted data can’t be recovered or restored, there’s a significant time cost associated with rebuilding case notes and files.

“The cyber conversation shouldn’t start with whether you need to buy antivirus software, for example, or a firewall – it’s around understanding where your firm’s ‘crown jewels’ sit and concentrating your energy and investment there,” Yench says.


Take stock of your position

Globally, companies on average currently devote around 12 per cent of their ICT budgets to cyber security, but firms that haven’t prioritised it to date might need to invest more on an ‘uplift’, according to Kurt Hansen, the CEO of listed cyber security provider Tesserent.

Many Australian businesses, professional services firms included, may find themselves at the back of the pack: just four in 10 SMEs believed they were being very vigilant regarding their cyber security, and around 15 per cent felt they were doing poorly, according to NAB’s April research. What’s more, according to NAB’s latest report released in September, only 15 per cent of SMEs overall said they conducted “extensive” training and 40 per cent did “not much” training at all.

NAB’s data also shows around one in three Australians feel powerless and vulnerable in the face of cyber risk and find it difficult to trust.

Getting on the front foot is the best way to deal with those concerns. Hansen recommends you commission a comprehensive risk assessment and let that drive your budget.

“As part of that process, we’d do a gap assessment to see where you are compared with your peers, looking at what’s in place and what should be in place,” he says.

Depending on the size and complexity of your operations, the cost of a report will vary. For firms with 50 to 100 staff, a detailed report may cost upwards of $10,000.


Counting the cost

While requirements and budgets vary considerably, a professional services firm with 100 employees should expect to outlay between $3,000 and $10,000 a month on cyber technology and services, Yench estimates.

Most professional services firms will invest in cyber technology services such as identity and access management technology, endpoint and email security, network protection and monitoring services, he says.

If not already in place, fundamental ‘cyber hygiene’ measures – multi-factor authentication, password rolling policies, encryption of staff workstations and mobile devices, regular data back-ups and back-up testing, and centralised device management – are high impact and can be deployed quickly and economically.

Regular employee awareness training should also be included in the budget. It can prevent staff falling victim to phishing attempts, invoice fraud and other email-based scams.


Staying ahead of the threats

The cyber threat landscape is constantly evolving, so commissioning a formal cyber assessment at least annually will show whether the protective measures you have in place remain sufficient. Investing in a cyber response plan, meanwhile, can help a firm react decisively and appropriately in the event of an incident.

As they become more cyber mature, firms may look to adopt more sophisticated processes and programs, such as vulnerability scanning, penetration testing, centralised log management and data loss prevention.

With cyber professionals in chronically short supply, all but the very largest firms may find partnering with an external security provider more cost-effective than managing cyber programs and processes in-house.


Making smart investments

Cyber security costs are non-linear, so it’s important to validate the value your firm will get from each cyber investment decision it makes, Yench says.

“Typically, you can cover the first 90 per cent of risks with the first 50 per cent of your investment and then you’ll have diminishing returns on the last 10 per cent,” he says.

There’s no point spending money on things that aren’t an issue for you, Hansen adds. “Smart cyber management is about being aware of the specific risks your firm faces and, to the extent you can afford it, investing as much as you possibly can in managing those risks.”


To find out more about how NAB can help you protect yourself and your business from cybercrime, visit nab.com.au/cybersecurity