How Much Should You Invest in Cybersecurity?
Companies are spending more than ever on cybersecurity.
A Gartner report found that global spending on information security products and services totalled $81.6 billion in 2016 – an increase of 7.9 percent from 2015. With the frequency and intensity of cyber attacks increasing globally, this is a trend that’s likely to continue.
Investing in cybersecurity really isn’t an option anymore. It’s a necessity. Taking a proactive approach to cybersecurity is your best bet for thwarting attacks and protecting your data assets.
There’s just one question. Exactly how much should you invest?
More specifically, how do you strike the right balance between adequately shielding your company without overspending on superfluous features?
Let’s look at some key data to find out.
The Average Cost of a Cyber Attack
Let’s begin by examining how much money you can expect to lose if you’re hit with a cyber attack.
Research found that in 2017 it cost larger enterprises in North America an average of $1.3 million (USD) and $117,000 for SMBs.
In terms of the amount spent per stolen record for data breaches, it ranges somewhere between $145 and $158 for most businesses. However, it can be as much as $355 for health card information.
That’s no small sum, and the sheer cost is a key contributor to why 60 percent of smaller companies go out of business within six months of an attack. Many are simply unable to recover.
Some of the main factors that contribute to these costs include:
- Compliance penalties
- Court fees
- Investigative and forensics services
- Loss of physical devices that contain data
- Spending on employee cybersecurity training
- Spending to acquire new customers after losing existing ones
- Diminished brand equity (many customers turn to competitors once they know that their personal information has been compromised)
As you can see, these expenses can really add up in a hurry and often jeopardise a company’s longevity.
The Likelihood of an Attack Occurring
No one is immune from cyber crime. Whether it’s a micro business with less than five employees or a global brand leader with several thousand, the threat remains.
But studies have found that SMBs are especially vulnerable because they tend to lack the cybersecurity infrastructure of their larger counterparts. Many cyber criminals view them as easier targets and are likely to seek them out when executing an attack.
In fact, 43 percent of all attacks involve smaller businesses. What’s even more startling is that more than half (55 percent) experienced an attack between May 2015 and May 2016, and 50 percent experienced a data breach during the same period.
So theoretically, there’s a 55 percent chance that an SMB will encounter a cyber attack and a 50 percent chance they’ll face a data breach on any given year.
It’s basically a coin flip.
Other Factors to Consider
You should also consider that some organisations are at greater risk than others. For instance, a restaurant owner probably wouldn’t need to invest as much in security as a doctor’s office that manages hundreds of even thousands of patient files.
There’s also the matter of technology immersion. If a company incorporates technology into nearly every facet of operations, they’re threat level would be quite high. For example, they may be heavy adopters of IoT and implement bring your own device (BYOD) policies.
However, the threat level would likely be much lower for a business that’s less tech-driven. If they just use basic technology and IoT is virtually non-existent within their organisation, cybersecurity won’t be nearly as much of a concern. For companies like these, a barebones approach may be sufficient.
These are just a couple of other factors to keep in mind when determining how much to invest into cybersecurity.
How Much Are Other Companies Spending?
Many companies are reluctant to share exactly how much they’re spending on cybersecurity. Therefore, there isn’t a whole lot of information available for benchmarking.
However, there is one report from the International Data Corporation (IDC) Canada that does provide some concrete numbers. Their 2015 study broke organisations down into four different categories:
- “Defeatists” – IT security is weak and underfunded (23 percent of organisations)
- “Denialists” – IT security is weak but they don’t understand or acknowledge this fact (37 percent)
- “Realists” – IT security is satisfactory but they are looking to improve it (23 percent)
- “Egoists” – IT security is good but they risk overconfidence (17 percent)
From there, they explain that:
- Defeatists spend 6 percent of their IT budget on security
- Denialists spend 8 percent
- Realists spend 14 percent
- Egoists spend 12 percent
As you can see, there’s definitely a disparity and the companies with weaker cybersecurity tend to devote less of their IT budget to it and vice versa.
But is there an exact number? It turns out there is.
According to IDC Canada, on average companies spend 9.8 percent of their IT budget on cybersecurity. However, they say that this is insufficient and that 13.7 percent is the ideal amount to spend on cybersecurity.
Of course this number is open to debate. Some companies may think that as little as 3 percent is sufficient, while others in high risk industries may want to go as high as 25 percent. It depends on a few different factors such as the size of your organisation, your industry, risk level, etc.
But when you look at the big picture and at companies across the board, 13.7 percent seems fairly reasonable and provides a nice reference point.
Which Aspects of Security are Companies Focusing On?
It’s also nice to know which specific areas of cybersecurity this money is going to. This can provide some perspective that can aid in your decision making.
Research from the SANS Institute identified the 10 top technologies, and they are as follows:
- Access and authentication
- Advanced malware prevention
- Endpoint security
- Wireless security
- Data protection
- Continuous monitoring
- Log management
- Network traffic visibility
- BYOD security
We’re also seeing a trend where the cost of firewalls is expected to increase until the end of 2018. Gartner points out that this market is experiencing a higher level of demand for high-end equipment, which has largely been spurred by an increasing number of devices and increased cloud adoption.
In addition, they highlight the fact that the use of data loss prevention (DLP) software is on the rise. If you’re unfamiliar, this is used to help companies monitor their data and prevent it from being intercepted by unintended third parties. It’s predicted that 90 percent of organisations will use at least one form of integrated DLP, which is up significantly from only 50 percent in 2016.
While it’s up to your organisation to choose which specific technologies you want to implement, these findings provide a snapshot on what’s popular at the moment.
Deciding What’s Right for Your Company
Now let’s put all of this information together.
There is roughly a 55 percent chance that your organisation will face a cyber attack and a 50 percent chance that it will experience a data breach during any given year. The average loss stemming from an attack for SMBs is $117,000 (USD).
These numbers aren’t exactly promising and prove just how important it is to take preventative measures.
So you want to ensure that you’re investing enough to properly protect your company and not skimp on critical areas of cybersecurity. But at the same time you don’t want to go overboard.
Or as chief security officer for the Council of Better Business Bureaus Bill Fannelli puts it, “It doesn’t do any good to adopt a $10,000 solution if the potential risk reduction is only worth $5,000.”
Ideally, you’ll find the right balance so that you’re fully protected but not throwing money out the window on needless security features. While there’s by no means a one-size-fits-all solution that works for all companies in all industries, devoting 13.7 percent of your IT budget to cybersecurity should serve as a good baseline number.
You can start from there and iron out the details until you find a number that seems logical for your organisation.
Effective financial resource allocation is integral to the success of nearly every company. You always want to ensure that you’re devoting the right amount of money to key areas of operations where it’s most needed.
And cybersecurity is no doubt one of those areas. With 918 data breaches compromising 1.9 billion data records in just the first half of 2017, this isn’t something that should be overlooked.
The only issue is that things can become a bit nebulous when you’re deciding exactly how much to invest into cybersecurity. While choosing the precise amount is ultimately a personal decision for your company, understanding the benchmarks and what’s considered ideal should help you with this process.
This way you can get the most from your IT budget and ensure that your needs are met without excessive spending.
How much is your organisation currently spending on cybersecurity? Please let us know: