Cybersecurity: Why You’re Spending in the Wrong Places
Every so often a client asks:
“Do you offer DDoS testing?”
And my answer is usually the same:
“No. And you probably don’t need it.”
That tends to raise a few eyebrows. But I’m not being difficult. I’m saving you the time and money a pointless exercise would cost, one that doesn’t get you any closer to being secure.
Because the truth is: any system can be taken down.
Give someone enough bandwidth, enough bots, or enough time, and eventually your servers will buckle. That’s not a vulnerability, it’s a capacity limit, and every finite system has one. So why would you pay someone to prove the inevitable?
Let’s say we did agree to run a DDoS test. We flood your systems with traffic until they fall over. We show you that 100 million requests per second is your tipping point.
What have you actually gained?
You already knew there was a limit. (Everyone’s got one). You don’t need to see it to believe it.
Don’t Waste Budget Testing the Wrong Things
Most DDoS tests are done to tick a box, or because someone saw an article and panicked.
Rarely are they followed up with meaningful changes, and often they don’t replicate what a real-world attack would look like anyway.
Worse still, if you’re in a cloud environment that scales automatically, a DDoS test can cost you more than the fee for the test itself: your AWS infrastructure will dutifully try to scale to meet a simulated flood of fake users, and you pay for every instance it spins up. (Most cloud providers also restrict simulated DDoS traffic against their platforms without prior authorisation, so check the terms before anyone presses go.)
You’ll rack up usage fees while learning… what? That you can be overwhelmed? You already knew that!
Everyone’s Vulnerable, So Focus on Resilience
As covered above, every system is vulnerable to a DDoS if you throw enough at it.
Ticketing platforms expect exactly this every year when Glastonbury tickets go on sale. And that’s not even malicious traffic – it’s just millions of real people trying to access the same thing at once.
Their solution? Infrastructure built to absorb, queue and reroute that volume rather than fall over under it.
For everyone else, the focus shouldn’t be on testing the limit, it should be on preventing the collapse.
Ask yourself:
- What would the business impact be if your system was unreachable for 10 minutes? An hour? A day?
- Are your systems designed to scale responsibly?
- Do you have a mitigation layer between you and the attacker?
- Are you paying for tools you’re not even using correctly?
Then work backwards from there.
What to Do Instead of Testing
If you’re genuinely worried about DDoS attacks, here’s where you should be focusing:
1. Use a Protective Layer Like Cloudflare
Services like Cloudflare (and others) act as a buffer between your application and the open internet. They’re built to absorb DDoS traffic and keep your actual servers breathing.
This isn’t about brand loyalty, you can shop around. The point is, you need something between your systems and the storm. One caveat: the buffer only works if your origin servers accept traffic solely from that layer. If an attacker can find your origin IP and hit it directly, the shield is simply walked around.
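To make the origin-lockdown caveat concrete, here is an added example (not code from the original post, and not Cloudflare’s own code) of what the origin side of a protective layer has to do. It assumes a constructed list of edge address ranges standing in for the provider’s published list, and uses Cloudflare’s real CF-Connecting-IP header as the example of how the edge passes the true client address. The two checks are: refuse anything that did not arrive from the edge, and never trust a client-IP header from a peer that is not the edge, since an attacker who bypasses the shield can write whatever they like into it.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed sample ranges standing in for the protective layer's published
# edge addresses (assumption for this example; load your provider's real list).
EDGE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Header the edge uses to pass the real client address. Cloudflare uses
# CF-Connecting-IP; other providers use different names, so it is a parameter.
CLIENT_IP_HEADER = "CF-Connecting-IP"


def is_from_edge(remote_addr: str, edge_ranges: Iterable = EDGE_RANGES) -> bool:
    """True if the TCP peer address belongs to one of the edge ranges.
    Garbage that does not parse as an IP is treated as not-from-edge."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # Membership is version-aware: an IPv4 peer never matches an IPv6 range.
    return any(addr in net for net in edge_ranges)


def resolve_client_ip(remote_addr: str,
                      headers: Mapping[str, str],
                      edge_ranges: Iterable = EDGE_RANGES,
                      header: str = CLIENT_IP_HEADER) -> Optional[str]:
    """Return the real client IP for a request that came through the edge.

    Returns None when the peer is not an edge address: the request bypassed the
    mitigation layer and the origin should drop it (HTTP 403 or a firewall
    rule), whatever the forwarded headers claim.
    """
    if not is_from_edge(remote_addr, edge_ranges):
        return None
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get(header.lower(), "").strip()
    try:
        # Normalise the value so the caller gets a canonical address string.
        return str(ipaddress.ip_address(raw))
    except ValueError:
        # Edge peer but no usable header: fall back to the edge address itself
        # rather than failing open with an attacker-controlled string.
        return remote_addr


def nginx_allowlist(edge_ranges: Iterable = EDGE_RANGES) -> str:
    """Render the same policy as an nginx allow/deny block for the origin."""
    lines = [f"allow {net};" for net in edge_ranges]
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed requests: one via the edge, one straight at the origin with a
    # spoofed header, one via the edge with no header at all.
    samples = [
        ("203.0.113.9", {"CF-Connecting-IP": "198.51.100.42"}),
        ("198.51.100.7", {"cf-connecting-ip": "10.0.0.1"}),
        ("203.0.113.9", {}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", resolve_client_ip(peer, hdrs))
    print(nginx_allowlist())
```

Pair this with a network-level rule (security group, nftables or the nginx block above) so the origin is unreachable from anywhere but the edge; the application-level check is the belt to that set of braces, and it is also what keeps your logs and rate limits keyed on real client addresses instead of a spoofable header.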
2. Consider Global Distribution
If your services run out of a single location, they’re inherently more fragile. Distributed hosting, across multiple data centres or cloud regions, adds resilience: if one location is overwhelmed, the others pick up the slack.
It doesn’t make you invincible, but it gives you breathing room.
3. Know Your Cost of Downtime
What does an hour of downtime cost you? £1,000? £100,000?
If your revenue is significant and real-time availability is crucial, spending £100k a year on proper protection is entirely justified. But if you can afford a bit of disruption and don’t deal in high-risk sectors, that spend may be overkill.

Misplaced Spending Isn’t Just a DDoS Problem
DDoS is just one example. We see this misalignment of budget and benefit all the time.
Take phishing.
People assume they’re covered because they’ve got Microsoft 365 or a standard email filter. But here’s what usually happens:
- The filtering rules are wrong or too basic.
- There are no phishing simulations in place.
- No one’s tracking who’s clicking malicious links.
- And worst of all, the people who fall for it aren’t getting any follow-up training.
So you’ve technically ‘done something’, but in practice, it’s not helping.
Compare that to:
- Proper anti-phishing configuration (SPF, DKIM and DMARC actually enforced, impersonation protection switched on)
- Regular simulated phishing attacks
- Face-to-face training
Suddenly, you’ve got a layered, human-focused defence that actually changes behaviour.
Spending Money on the Right Problem
There’s a recurring theme here: too much spend on proving risk, not enough on reducing it.
Simulated DDoS attacks, flashy penetration reports, expensive dashboards – all of them feel productive, but they’re not always the right investment.
Instead, focus on:
- Resilience over robustness
- Strategy over showy tools
- Human risk as much as technical
If your goal is to stay online and stay secure, spend your budget there.
What’s Next?
You don’t need a DDoS test to confirm what you already know: you’re vulnerable. So is everyone else.
What you do need is a plan for staying online when someone tries.
At Cyber Alchemy, we work with clients to right-size their cybersecurity spend. That means ditching the pointless tests and investing in real resilience, from DDoS mitigation to phishing defence and everything in between.
Want to stop wasting budget and start spending smart?