June 9, 2020
How to Determine Your Cybersecurity Budget
Statistics regarding cyber threats and cyber attacks dizzy us year after year. Cyber crime is up, hackers grow more creative and daring, and the numbers are mind-numbing. Millions affected, billions in losses, trillions in spending.
Cyber attacks are all too common, making cybersecurity no longer a luxury, but a necessity. It’s critical, therefore, to have a dedicated cybersecurity budget. And since the information surrounding cybercrime and IT protection can easily overwhelm, we’re here to walk you through the cybersecurity budgeting basics.
Why is it important to have a cybersecurity budget?
Cybersecurity is an essential business function
Cybersecurity isn’t just for tech firms and government agencies. If you’re online, you’re at risk—especially if you’re a small to mid-sized company. Two out of every three cyber attacks hit SMBs, at a rate of about 4,000 each day, according to IBM.
Even more troubling: the National Cyber Security Alliance found that 60 percent of small companies go out of business within six months of a cyber attack, due to massive recuperation costs they’re forced to pay in the aftermath of the breach. That means for every five small businesses that get hit with a cyber attack in January, three of them are out of business by the summer.
With so much of the workforce accessing the internet on a daily basis, it’s getting harder and harder for companies to avoid a serious data breach. And it’s not just your company that’s at risk. Cyber attacks can have costly consequences for your employees, your customers, and any vendors or third parties you do business with. You’re looking at loss of data, productivity, reputation, clientele, and operational revenue.
If you get hit, how much will it run you? Here’s the average by type of attack:
- Phishing: $54,000
- Ransomware: $646,000
- Malware: $2,614,000
You need to be prepared
Because you’re at risk, it’s important to protect your organization from the costs and disruption that come with a cyber attack.
Having a cybersecurity budget does more than just earmark resources to be deployed in the event of an attack. When you undertake this process, you’re addressing:
- Global and local cybersecurity regulations and standards (like HIPAA and GDPR)
- Requirements by vendors and third-party entities (such as mandatory cybersecurity risk assessments before entering into a contract)
- Pressure from stakeholders to prioritize security
How do you determine your cybersecurity budget?
Cybersecurity spending is driven by cyber crime. Editor-in-chief of Cybercrime Magazine, Steve Morgan, writes: “The unprecedented cybercriminal activity we are witnessing is generating so much cyber spending, it’s become nearly impossible for analysts to accurately track.”
Understandable. What’s more, “cybersecurity” is quite a broad field. The first step in determining your cybersecurity budget, therefore, is to narrow your focus. Define your specific goals as you build your budget.
Determine the areas in which to invest
Your next step will be to identify and prioritize key areas of your cybersecurity investments. These might include:
- Website vulnerability assessments and management
- Regular patching of key systems
- Role-based access control and strong password management
- Regular system and network testing/protection
- Employee training/education
- Cybersecurity risk assessments
- Incident response and business continuity plans
- Cybersecurity regulation compliance
Keep in mind that some of this spending is mandatory, while other items allow more flexibility. Failure to comply with certain cybersecurity regulations could lead to steep fines.
Situate your company within the larger picture
“As a rule of thumb, an organization should spend between 7% and 10% of its IT budget on security,” explains Program Vice President of Cybersecurity Products Frank Dickson. “However,”—and this is important—“you can spend 15% of your IT budget on security and still not achieve the level of assuredness that you desire if your architecture is sufficiently complex or the assets being protected are especially valuable. Likewise, a spend of 5% may be appropriate.”
Translation: If you are in a high-risk industry (such as financial services or healthcare), you’re going to need to dedicate more of your budget to cybersecurity to reach sufficient protection. Likewise, if your infrastructure is complicated, consider simplifying it, or again earmark more budget to cover the vulnerabilities that complexity introduces.
There is no “one size fits all” when it comes to cybersecurity spending.
Compare your spending to that of your industry peers. This will give you a better idea of how much to budget, and it will also help in contract negotiations with third-party entities down the road. If you know that you’re putting more resources into cybersecurity than your competitors, this can be an advantage.
There are a number of other factors that will influence your spending. They include:
- Size of your company
- Sensitivity of your data
- Complexity of your IT infrastructure
- Age of your systems and technology
This is also the point at which you should map out the various administrative and technical policies you’ll need to implement. How much time and energy will they require? How expensive are the security products you’ll need?
Identify points of diminishing returns
Cybersecurity protection isn’t simply a function of money spent. As you budget, keep this in mind. At some point, the marginal effectiveness of additional measures will diminish. Work with your team to identify these markers, and educate yourselves along the way.
Education is paramount to any cybersecurity program and should be at the core of your security measures. Invest in strengthening your understanding and give your employees proper information and tools with which to defend themselves.
Wait…so how much should I spend?
Estimates vary on the actual amounts that companies currently spend on cybersecurity. The number typically ranges from 5.6% to 20% of a company’s overall IT budget. A 2019 Gartner report found that cybersecurity spending (measured on a ‘per employee’ basis) has more than doubled since 2012. Companies spend, on average, $1,200 per employee each year on cybersecurity measures.
Your cybersecurity program’s effectiveness does not correlate directly with the amount you spend. A successful cybersecurity budget is one that’s created with prioritization, communication, and realistic expectations in mind.