Close Menu
  • News
  • Home
  • In Profile
  • Finance
  • Legal
  • Technology
  • Events
  • Features
  • Wellbeing & Mental Health
  • Marketing
  • HR & Recruitment
  • About
  • Advertise
  • Events Calendar
  • Business Wall
  • Subscribe
  • Contact
  • 0843 289 4634
X (Twitter) LinkedIn YouTube
Trending
  • Worldline is first in Europe to bring Click to Pay to recurring payments
  • Is It Too Hot to Work? High Temperatures and the Workplace
  • Why weak passwords are a bigger business risk than you think
  • Fair Work Agency urges SMEs to self-report employment law mistakes before inspections
  • How To Prepare Your Business For A Commercial Remortgage – And Avoid Costly Delays
  • Balance sheets & big dreams – how young entrepreneurs are building their financial confidence
  • Your business is growing. Is your operating model keeping up?
  • 60% of SMEs would accept more EU regulation for closer trade ties
X (Twitter) LinkedIn YouTube
SME Today
  • About
  • Advertise
  • Events Calendar
  • Business Wall
  • Subscribe
  • Contact
  • 0843 289 4634
  • News
  • Home
  • In Profile
  • Finance
  • Legal
  • Technology
  • Events
  • Features
  • Wellbeing
  • Marketing
  • HR & Recruitment
  • Travel
SME Today
  • About
  • Advertise
  • Events Calendar
  • Business Wall
  • Subscribe
  • Contact
  • 0843 289 4634
  • Twitter
  • LinkedIn
  • YouTube
  • RSS
You are at:Home»Technology»Getting a Return on Cybersecurity Investment
cyber security

Getting a Return on Cybersecurity Investment

0
Posted By sme-admin on October 8, 2024 Technology

Can Businesses Really Put a Price on Prevention? Frank Horenberg, Zivver’s Head of IT, and Simon Newman, Co-Founder of Cyber London, do a deep dive on the issue of investment in cybersecurity tools

How do you measure what you cannot see? This is the conundrum facing countless businesses as they grapple with the current cybersecurity landscape. Too often the real value of a cybersecurity tool isn’t realised until a business becomes the victim of a data leak or breach. A successful cyberattack is also the moment when many businesses finally realise that their cybersecurity solutions aren’t up to par, or that they’re lacking focus in a specific area.

This retroactive approach to cybersecurity is extremely damaging to businesses, so much so that it has prompted the UK government to consider mandating specific cybersecurity objectives for private companies to keep their data and employees safe. Those mandates are yet to materialise, but in 2024 the government did progress its Cyber Governance Code of Practice to help business boards shore up their cyber resilience. Similar efforts are being seen internationally. In the European Union (EU), the updated NIS2 Directive now imposes stricter cybersecurity requirements across industries, requiring companies to report incidents and implement measures to mitigate risks. Meanwhile, the US Securities and Exchange Commission (SEC) has introduced rules obligating publicly traded companies to disclose incidents in a bid to enhance transparency and accountability.

The problem businesses are facing is twofold: How do you select and measure the return on investment of cybersecurity tools, and how do you get buy-in at every level of the business to ensure that cybersecurity is more than just an afterthought?

According to Simon, the cybersecurity marketplace is a confusing area for businesses. There are more than 5.5 million businesses in the UK, and around 99% of those businesses are classed as SMEs. Among those SMEs, 90% are “microbusinesses” or sole traders. While small businesses and start-ups might have the drive, ambition and agility to move quickly and respond to market demands, they almost always lack the knowledge and experience to effectively implement cybersecurity solutions that align with their objectives.

In a 2024 survey, Zivver asked 250 security decision makers about their primary security challenges. Nearly half (47%) said they found it difficult to keep up with data security technologies, more than one-third (39%) cited regulation and compliance as a key concern, and 36% said they were concerned about a lack of security awareness and understanding among employees. This is troubling, particularly when you consider the sheer number of applications, end-points, and distributed workers that businesses now typically deal with. According to one report, more than 50% of employees have seen the number of collaboration tools in their company increase in the last two years – that opens the door to a lot of potential threat vectors, particularly where outbound threats such as data leaks and human error are concerned.

Outbound versus inbound threats

Measuring the return on investment for cybersecurity tools is complex, but at least where inbound threats are concerned – external threats where businesses are targeted or impacted – there are some useful KPIs that can be tracked. For instance, a business with integrated cybersecurity might be able to track how many threats were identified on their network in a given period of time and infer the effectiveness of their tools. As Simon Newman points out, there will still be challenges associated with communicating or “proving” these benefits to leaders in the boardroom, but it is easier to build a persuasive case.

That case is more difficult to make when it comes to measures closely associated with stopping outbound threats. Outbound threats refer to instances where sensitive data leaves the business in an unauthorised fashion. Sometimes this is purposeful, such as a disgruntled employee stealing or leaking data, but more often it’s accidental – an erroneously sent email, a laptop left unguarded, or a phishing scam orchestrated by a third party that tricks an employee into revealing sensitive information. To mitigate outbound threats, businesses need to consider things like employee awareness training, blocking untrusted domains, and intelligently filtering emails. It’s often much harder to gauge the efficacy of these measures, and too often businesses blame the human workers involved rather than the systems or cultures within the business.

Humans are both the strongest, and weakest, link

Frank argues that humans are really the last line of defence for an organisation. They can be easily scapegoated as a weak link, but with the right tools and training in place they can easily be turned into the strongest link in an organisation’s defensive chain. Bridging the gap between users and technology, Frank argues, is the real key to unlocking cybersecurity returns.

Take emails as a specific example. 80% of data leaks are caused by employee behaviour, where sensitive data is leaked, lost, or shared with unauthorised individuals. What’s more, two-thirds of organisations impacted by email-based data loss have to cease operations to mitigate the risk and remediate the threat. Organisations can train employees to spot phishing emails and put guidelines in place to ensure that data is only shared between authorised parties, but it’s almost impossible to gauge the ROI of these measures because their influence is qualitative rather than quantitative. But if that same organisation were to add a form of technology into the mix, such as automatic encryption or machine-learning algorithms that can detect sensitive content or attachments and provide a warning before emails are sent, the return on investment becomes clearer. This human-technology bridge can offer metrics such as how many emails are being sent with encrypted information, where potential breaches may be about to occur, and how compliant the company’s email protocols are with its overall security posture.

To Frank’s point, this technology can empower humans to become one of the strongest links in the defensive chain, and part of this empowerment is gaining visibility into key metrics so that the efficacy of their cybersecurity strategy can be more accurately measured.

Cybersecurity isn’t a box ticking exercise, it’s a culture

A big part of measuring the ROI of preventative cybersecurity is getting buy-in from leadership and the vendors themselves. Frank mentions the need for daily maintenance and validation to ensure that a solution is performing as promised and is still up to par. By asking vendors whether they are compliant with ISO 27001 (an international standard that outlines requirements for information security management), Frank argues that businesses are practically 80% there when it comes to selecting a suitable vendor.

Another key factor is business culture. According to Simon, too many businesses have a culture that punishes staff for clicking on a fraudulent link or falling victim to a phishing scam. Far from being productive, this only makes it less likely that staff will come forward when a mistake is made, leaving more time for damage to occur and less time for incident management and control. No amount of technology will fix this; it’s vital that businesses create a pro-people culture when it comes to cybersecurity if they are to see any kind of return on their cybersecurity investments. Organisations should create a baseline of transparency and trust, where employees feel safe in putting their hands up when they’ve made a mistake before they consider investing in supplementary tools to keep their data safe.

Frank adds that treating employees as a “risk that needs to be mitigated” is old-hat thinking. Employees shouldn’t be blocked from accessing key information or working efficiently under the guise of “good” security. Instead, IT leaders should pivot toward cybersecurity solutions that can keep data safe without disrupting workflows, monitoring the flow of information and ensuring those that need access have access.

Frank adds that viewing employees as a “risk that needs to be mitigated” is an outdated approach and can sometimes be more harmful to organisations. Employees shouldn’t be restricted from accessing key information or working efficiently under the guise of “good” security. Instead, IT leaders should adopt a right-sized approach to security, tailoring protections based on the specific needs and risks associated with each employee’s role. Moving away from ‘one-size-fits-all’ methodology will ensure that data remains secure without disrupting workflows. By monitoring the flow of information and ensuring that only those who need access have it, organisations can balance robust security with operational efficiency.

Register for the free webinar on October 10th at 14:30 BST/15:30 CEST/09:30 ET, in which Simon Newman and Frank Horenburg ask the question: Are your security tools really working? How to prove the ROI of your solutions. 

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

Why weak passwords are a bigger business risk than you think

Starting a Tech Business, when you’re not a Tech Expert

The HR Admin Problem Nobody Talks About: Why SMEs Need Smarter Systems

Comments are closed.

Follow SME Today on Linkedin and share all the topics you find interesting
Porsch Reading – Find Your Perfect Business Partner
Mastermind9
Events Calendar
    July 9, 2026 8:30 am

    The AI Edge Masterclass

    November 26, 2026 10:00 am

    South West Expo Swindon

  • Marketing
June 25, 2026

How Brands Can Rank in AI Search Without Buying Ads

June 23, 2026

How To Market A Restaurant

  • Finance
July 3, 2026

Worldline is first in Europe to bring Click to Pay to recurring payments

July 2, 2026

How To Prepare Your Business For A Commercial Remortgage – And Avoid Costly Delays

  • People
June 20, 2026

It’s Award Season For The Fd Consultant!

April 9, 2026

PSA President Returns From Global Summit As UK Spring Conference Heads To Leeds

  • Health & Safety
June 29, 2026

Health & safety violations costing British firms £44m annually

March 16, 2026

Health & Safety Trends To Look Out For In 2026

  • Events
June 29, 2026

Great British Expos Postpones South West Expo Due to Extreme Heat Forecast

June 16, 2026

Why Every SME Needs an AI Strategy — Not Just AI Tools

  • Community
June 19, 2026

Founders charity dinner set to raise funds for epilepsy care

June 17, 2026

Award-Winning Charity Launches New Initiative To Connect Local Organisations

  • Food & Drink
June 23, 2026

How To Market A Restaurant

June 23, 2026

From Corporate Comfort to Cultural Opportunity: The Bunta Beer Journey

  • Books
June 2, 2026

Build a Business So Good You’d Be Mad to Sell It

January 21, 2026

The CEO Mirage: Exposing the hidden traps that take smart leaders down

The Newsletter

Join our mailing list for the best SME stories, handpicked and delivered direct to your inbox every two weeks!

Sign Up
About

SME Today is published by the same team who deliver The Great British Expos’. We have been organising various corporate events for the last 10 years, with a strong track record of producing well managed and attended business events across the UK.

Join Our Mailing List

Receive the latest news and updates from SMEToday.
Read our Latest Newsletter:


Sign Up
X (Twitter) YouTube LinkedIn
Categories
  • Books
  • Business
  • Community & Charity
  • Education and Training
  • Environment
  • Events
  • Features
  • Finance
  • Food and Drink
  • Health & Safety
  • HR & Recruitment
  • In Profile
  • Legal
  • Marketing
  • News
  • People
  • Property & Development
  • Sponsored Content
  • Technology
  • Transport, Travel & Tourism
  • Wellbeing & Mental Health
Magazine Information
  • About SME Today
  • Editorial Submission Guidelines
  • Advertising
  • Privacy
  • Contact
Copyright © 2025 SME Today.
  • About SME Today
  • Editorial Submission Guidelines
  • Advertising
  • Privacy
  • Contact

Type above and press Enter to search. Press Esc to cancel.

Subscribe Now!

Sign up for a FREE subscription and receive the latest news, features and updates from SMEToday:

I am interested in:
 

Thank you for subscribing to SME Today! We're thrilled to have you join our community. To complete your subscription, please check your email and click on the confirmation link. If you don’t see the email in your inbox, be sure to check your spam or junk folder. We look forward to sharing exciting news, updates, and exclusive content with you!

Join our mailing list to receive the latest news and updates from SMEToday
Read our Latest Newsletter: