
How to Know If Your Cybersecurity Spending Is Actually Working

You have approved spending on cybersecurity. Antivirus software, maybe a firewall, staff training, backups. And then someone asks you: what are we actually getting for that? It is a fair question, and most business owners find it surprisingly hard to answer.

The problem is that cybersecurity spending does not produce a visible result when it works. You do not see the attack that was stopped, the breach that did not happen, or the ransom demand that never arrived. You just see a monthly cost and hope it is doing something. That makes it hard to know whether you are well protected or just spending money and assuming you are.

This matters more than it might seem. If you cannot tell whether your security measures are working, you also cannot tell when they stop working. A staff member clicks a phishing link. An old system goes unpatched. A former employee's login still has access. None of these show up on a bank statement. They only show up when something goes wrong.

There are a handful of things worth tracking if you want a clearer picture. How quickly can your business detect and respond to a security incident? How many phishing attempts are being caught before they reach staff, and how many are getting through? Are your backups being tested, or just assumed to be working? Are former staff accounts being closed promptly? These are not abstract IT metrics. They are indicators of whether your business is genuinely protected or just nominally covered.

Compliance is worth thinking about too. Under the NZ Privacy Act 2020, businesses that hold personal information have real obligations around how that information is protected and what happens if it is compromised. A breach that triggers a mandatory report to the Privacy Commissioner is not just an IT problem - it is a business and reputational one. Knowing your controls are actually in place is not just good practice, it is part of managing your legal exposure around cybersecurity.

When managed IT support is set up properly, you should be getting regular reporting that tells you something useful. Not a stack of technical logs, but a plain summary: what threats were blocked, whether your backups completed successfully, whether any accounts or devices are flagged as a risk. If your current IT support cannot give you that, it is worth asking why.

The starting point is knowing where you actually stand. Most businesses operating without a clear picture of their security posture are not taking an informed risk - they just have not had anyone walk them through it. A straightforward review of what you have in place, what is missing, and what the gaps could cost you is often all it takes to make good decisions from there. CERT NZ's guidance for small businesses is a useful reference for understanding what baseline protections matter most. Many of the most common gaps are also covered in why most breaches are entirely preventable.

ITstuffed works with professional services businesses in Canterbury to give them a clear read on where they stand. If you want that picture for your business, book a free 15-minute IT Fit Check and we can start there.
