How much should a growing business spend on cybersecurity?
More money is being spent on cybersecurity than at any point in history. By the end of 2021, global expenditure on security solutions and services will reach £112 billion — a 12% increase from last year. If this trend continues, by 2025, this figure will exceed £1.30 trillion, at least £67 billion of which will be spent by SMEs.
Although organisations are allocating more money to cybersecurity than ever, it still does not appear to be enough. These days, breaches are effectively the norm for most businesses, and many organisations consider cybersecurity more a way of slowing down attacks than stopping them. A recent report by Trend Micro and the Ponemon Institute, which surveyed businesses across the US, Europe, and Asia-Pacific, found that almost 9 in 10 organisations anticipate falling victim to a data breach in the next 12 months. Worryingly, about 1 in 4 also admitted to having suffered at least seven cyber attacks in the last year alone in which threat actors successfully infiltrated their networks and systems.
So how much cybersecurity expenditure is enough? There isn’t a ‘magic number’ here – the right level of security spend depends on a number of factors, including where in the world the organisation is based, the sector it is in, the regulatory requirements it may need to abide by, and the complexity of its IT infrastructure.
From a cybersecurity point of view, geography matters. North America and Europe are among the most targeted regions in the world. Therefore, it makes sense that companies based in either continent have recently increased the share of their IT spend going on cybersecurity.
Organisations in the US dedicate almost a quarter (23%) of their IT budget to security. In Europe, businesses allocate around a fifth of their IT budgets to keeping their systems safe.
The most attacked sectors tend to spend the least on security. At the other end of the expenditure spectrum from those regional averages is the healthcare sector. In 2019 hospitals dedicated only 5% of their IT budgets to security, even though more than 8 in 10 of them experienced a breach. Despite the pandemic — and the increased number of attacks on hospitals — things did not change much in 2020.
In Europe, more than 1 in 2 businesses agree that GDPR compliance has resulted in them spending more on cybersecurity, and firms estimated they would spend an average of £1 million on GDPR readiness initiatives.
The bigger the organisation, the more it typically invests in cybersecurity. According to the Hiscox Cyber Readiness Report 2021, the mean spend by companies with up to 249 employees is £210,000. Businesses with between 250 and 999 staff spend around £1.5 million, whereas organisations with 1,000+ employees spend an average of £10 million. All these figures represent a large increase over the previous year.
As businesses become larger, their technology architectures and ecosystems tend to grow in complexity, too. The more partners an organisation depends on and the more devices that connect to its network, the larger its attack surface becomes and the easier it is to compromise. Over two-thirds of companies saw an increase in endpoint and IoT security incidents in 2020. Similarly, there was a 4x increase in supply chain attacks between 2020 and 2021.
It’s Not How Much You Spend; It’s What You Spend It On
So how much should you spend on cybersecurity as your organisation grows in 2022? The answer is: probably less than you think. Unless you know what your existing security ROI is, plans for increased spending should be assessed carefully.
Prioritise Your Security Architecture Over Spending Benchmarks
With IT staff already overwhelmed by the number of alerts (many of them false positives) they receive daily, increasing your cybersecurity budget so that you can buy the latest tools isn’t going to do much for your organisation’s security. A smarter move is to employ more professionals. Unfortunately, with the cybersecurity skills crisis getting worse, this isn’t exactly easy, nor does it always make financial sense for fast-growing companies. Expanding organisations looking to bolster their cybersecurity should consider investing some of their cybersecurity budget into automation.
More than 1 in 2 IT professionals said that their biggest challenge in security operations and management is their organisation’s lack of automation, which prevents them from responding quickly to system management notifications and security events.
SenseOn can help you and your team overcome this exact problem. A self-driving cyber defence platform, SenseOn replicates how human cybersecurity analysts work to pinpoint and flag only relevant threat alerts. Better yet, it consolidates a suite of tools (including EDR, NDR, UEBA, IDS/IPS, SIEM, and SOAR) into a single cybersecurity platform, freeing up your security budget for other priorities.