What to do with the last of your 2017 cyber security budget?

Late in the financial year, it can difficult to figure out the best way to spend what’s left over in the information security budget.

No one wants to leave money on the table, especially when it could significantly reduce your exposure to cyber risk. The problem is that for any experienced IT security lead, you know there are thousands of ways that money could be spent: training, new security software, hardware upgrades, policy or system reviews, etc

Any of of these elements could help reduce your risk exposure, but which one will give you the best return on your investment? How can you even measure its success? TBG Security experienced team pulled together a few expert suggestions to help you navigate the cybersecurity expenditure waters most efficiently and effectively.

Trying to address every single system weakness is a worthy goal, but it is virtually impossible. Today’s computer systems are increasingly complex. As their operators try to improve seamless availability to its users, they must also continually tighten up security against all types of attacks, let alone unauthorised visitors.

TBG Security experts recommends focusing on preventing catastrophic cyber attacks from impacting your organization. The majority of risks come from three key vectors:

External threats: Where a third-party, external attack agent attempts to breach your system security by either exploiting vulnerabilities. Typical attacks include ransomware, social engineering attacks, zero-day exploits and DDoSes.

Internal threats: Where users with authorised access to parts of the system compromise security by employing weak security practices, including poor passwords, ignoring security policies or creating unauthorised work arounds. While most employees have good intentions, disgruntled or vengeful employees can seriously compromise security.

Supply chain threats: Where third party business partners increase your exposure to cyber threats by not abiding to high security standards.

Here are TBG Security top four recommendations to help you mitigate against the most catastrophic of cyber threats, the ones that can cripple business continuity or severely dent your organisation’s reputation.


Risk Management frameworks, such as NIST framework standards, ISO 27001, or the SANS Top 20 Critical Security Controls, are designed to help you reduce your overall risk. The implementation of such frameworks is vastly simplified when an expert is brought in. Having on hand deep knowledge and experience means your security programmes will meet all the requirements and expectations of your chosen framework, so you can be certified and approved the first time around. Learn More


Third parties have proven to be a weak link in the cybersecurity chain—and bad actors are well aware. We’ve seen a dramatic uptick in the number of hackers targeting vulnerabilities in third parties in order to gain access to first-party networks and critical data. We recommend allocating a portion of your cybersecurity budget towards third-party risk management to mitigate this threat. Learn More


Some hackers rely on social engineering tactics, such as phishing (creating realistic looking emails that link to malicious content) to gain access to company networks. And any employees are not sufficiently trained to identify fraudulent cyber interactions, such as a dodgy targeted phishing email. Knowing what to look out for makes for a more resilient front line. Our recommended approach is bring in internal threat specialists to conduct a targeted phishing campaign to identify, and resolve, chinks in your defences. Learn More


External network penetration testing does provide increased confidence your network’s security posture, but many firms forget to conduct internal penetration tests, on network and applications for example. With insider threats being involved in the vast majority of data breaches, it is a cost-effective way to significantly reduce your exposure to cyber threats. Learn More

How TBG Security can help

If you would like more guidance for just would like to chat about next info security steps before the financial year end, get in touch. We are here to help. We pride ourselves in providing practical, expert and efficient advice.

TBG Security provides quality penetration tests and risk assessments tailored to your specific needs. Whether you are a governing body, a financial institution, an insurer, a legal or accountancy firm, or a online provider, we can help.

Get in touch. We can chat about your needs and help you figure out the best approach for you.

Previous ArticleGetting ahead of a new breed of Ransomware Next ArticleTakeaways from 2017’s worst cyber hacks, data leaks and breaches