
Where should a company's first cybersecurity budget be invested?

  • Apr 10

When most companies implement cybersecurity measures, they often prioritize their initial cybersecurity budget for firewalls, antivirus software, and backup systems. This choice is quite common among Taiwanese companies, reflecting their intuitive understanding and practical consideration of cybersecurity risks.

Faced with tens of thousands of cyberattacks, malware, and ransomware threats every day, businesses will naturally prioritize cybersecurity tools that can "immediately block hackers." This decision itself is not wrong, but if a cybersecurity strategy stops at this level, the real risks to the business have not yet been fully addressed.

Firewalls, antivirus, and backups: essential foundations for enterprise cybersecurity, but not the whole answer.

Firewalls, antivirus protection, and backups address external attacks and system recovery issues, forming an indispensable foundation for cybersecurity.

These tools have become the preferred choice for cybersecurity investments primarily for the following reasons:

  • They can effectively block cyberattacks from the outside.

  • Their results can be quantified and reported, making them easy for management to understand.

  • They align with most companies' existing understanding that "cybersecurity is simply hacking prevention."

Therefore, from the perspectives of compliance, auditing, and risk disclosure, these investments are highly reasonable.

Why are most major cybersecurity incidents still related to "internal risks"?

However, real-world cases show that many data breaches and corporate secret leaks do not stem from firewalls being breached, but rather from errors or misuse of legitimate access.

Common scenarios include:

  • Excessive internal account privileges allow for extensive data access.

  • Employees mistakenly send or privately retain sensitive information.

  • Outsourced vendors or partners obtain information beyond what is necessary.

  • System privileges are not revoked in a timely manner during the resignation or transfer process.

In these situations, antivirus software won't issue warnings, firewalls won't block the activity, and backups can't prevent data from leaking. This is precisely the limitation of traditional cybersecurity tools.

Why do companies know that data is important, yet delay data governance?

For many companies, data and internal security risks are often categorized as "important but not urgent" issues for reasons including:

First, the economic losses from data breaches are often hidden, and may not be reflected in orders, goodwill, or customer trust until months later. Second, data governance involves cross-departmental collaboration, making it difficult to concentrate responsibility on a single unit. Third, investment results are not easily quantifiable, and it is difficult to explain the effectiveness to senior management with simple metrics.

Therefore, companies often prioritize investing in protective equipment that can immediately reduce visible risks.

A mature cybersecurity strategy requires both basic defenses and internal governance; neither can be neglected.

Mature companies don't approach cybersecurity by choosing between "anti-hacking" and "data governance," but rather clearly differentiate between layers:

  • First layer: Basic cybersecurity protection

    Firewalls, antivirus protection, and backups are used to reduce the risk of external attacks and operational disruptions.

  • Second layer: Data and internal cybersecurity governance

    Data inventory, access control, and behavioral traceability are used to prevent data leaks and internal risks from spiraling out of control.

This is why cybersecurity management standards such as ISO 27001 require both technical controls and institutionalized management. When companies are willing to establish robust data governance mechanisms before risks materialize, cybersecurity truly becomes the foundation for supporting operations and growth, rather than a costly endeavor for post-incident remediation.

 
 
 
