Alessandra Peters

14/07/2022

How Much Should a Business Spend on Cybersecurity?

More money is being spent on cybersecurity than at any point in history. By the end of 2021, global expenditure on security solutions and services will reach £112 billion — a 12% increase from last year. If this trend continues, by 2025, this figure will exceed £1.30 trillion, according to Cybersecurity Ventures, at least £67 billion of which will be spent by SMEs.

Yet even though organisations are allocating more money to cybersecurity than ever, it still does not appear to be nearly enough. These days, breaches are effectively the norm for most businesses, and many organisations seem to consider cybersecurity more as a way of slowing down attacks rather than stopping them. A recent report by Trend Micro and the Ponemon Institute that looked at businesses of all sizes and industries across the US, Europe, and Asia-Pacific proves this point. In the survey, almost 9 in 10 organisations said they anticipate falling victim to a data breach in the next 12 months. Worryingly, about 1 in 4 also admitted to having suffered at least seven(!) cyber attacks in which threat actors successfully infiltrated their networks and systems within the last year alone.

For any business growing its revenue, headcount, or IT footprint right now (or planning on doing so in 2022), this situation poses a serious operational question. Namely: if the overall security environment is not getting any better in spite of record spending, how much cybersecurity expenditure is enough?

How Much Should A Business Spend on Security?

Unfortunately, there isn’t an exact numerical amount or percentage of revenue (or IT budget) that a growing organisation should dedicate to security. Rather, the right level of security spend depends on a number of factors, including where in the world the organisation is based, the sector it is in, the type of data it handles and stores, the regulatory requirements it may need to abide by, and the complexity of its IT infrastructure.

In this blog post, I want to give organisations a quick overview of how these factors influence security budgets and help explain why high-spending businesses are still falling victim to attacks. I also want to propose a straightforward solution to this problem.

Location

From a cybersecurity point of view, geography matters. North America and Europe are among the most targeted regions in the world. As a result, it makes sense that companies based on either continent have recently increased the share of their IT spend going on cybersecurity.

Organisations in the US, for example, have upped their cybersecurity spend by an average of 9% between 2020 and 2021 alone, now dedicating almost a quarter (23%) of their IT budget to security. In Europe, businesses have also raised their cybersecurity budgets by between 7% and 9%, allocating around a fifth of their IT budgets to keeping their systems safe.

Sector

Historically, firms in the financial industry have spent the most money on cybersecurity. In 2020, financial organisations spent 10.9% of their IT budgets (or 0.48% of their organisation’s revenue) on cybersecurity, up from 10.1% in 2019. Within the overall category of financial businesses, the insurance industry spent the most (11.9% of their IT spend), followed closely by consumer/financial services (10.5%), retail/corporate banking (9.4%), financial utility services (8.2%), and service providers (7.2%).

The most attacked sectors tend to spend the least on security. On the other end of the expenditure spectrum is the healthcare sector. In 2019, hospitals dedicated only 5% of their IT budgets to security, even though more than 8 in 10 of them experienced a breach. Despite the pandemic — and the increased number of attacks on hospitals — things did not change much in 2020, either. In one study, almost a quarter of security professionals working at US healthcare organisations said that only between 3% and 6% of their overall IT budget is allocated to security. And about 1 in 5 security professionals within this sector said that their cybersecurity budget is as low as 1% to 2%. According to cybersecurity decision-makers, on average, hospitals need to spend around 24% more on security in the next few years.

Type of data handled and stored

Organisations that hold sensitive data should spend more money on keeping that data safe. Unfortunately, as demonstrated by the above figures, that isn’t always the case. Although financial firms, which tend to hold sensitive client data, are increasing their security spend, healthcare organisations, which are also stewards of highly personal data, are not.

Regulatory requirements

The SANS 2020 IT Cybersecurity Spending Survey, which looked at 450 IT and security leaders, found that regulatory compliance was a key factor influencing cybersecurity spending last year.

For example, in Europe, more than 1 in 2 businesses agree that GDPR compliance has resulted in them spending more on cybersecurity. In a 2017 survey, firms estimated they would spend an average of £1 million on GDPR readiness initiatives. Furthermore, 88% of impacted organisations said that they spend more than £750,000 to maintain GDPR compliance, with 40% saying they spend more than £7.5 million.

Size

The bigger the organisation, the more it typically invests in cybersecurity. According to the Hiscox Cyber Readiness Report 2021, the mean amount spent by companies with up to 249 employees is £210,000. On the other hand, businesses with between 250 and 999 staff dedicate almost £1.5 million to cybersecurity, whereas organisations with 1,000+ employees spend an average of £10 million. All of these figures represent a large increase over the last year.

IT complexity

As businesses become larger, their technology architectures and ecosystems tend to grow in complexity, too. The more partners an organisation depends on and the more devices that connect to its network, the larger its attack surface and the easier it is to compromise. Over two-thirds of companies saw an increase in endpoint and IoT security incidents in 2020. Similarly, there was a 4x increase in supply chain attacks between 2020 and 2021.

To secure complex networks, organisations often end up spending more on cybersecurity. In 2019, for example, endpoint security tools made up almost a quarter of all IT security spending.

It’s Not How Much You Spend; It’s What You Spend It On

So how much should you spend on cybersecurity as your organisation grows in 2022? The answer is: probably less than you think. Unless you know what your existing security ROI is, plans for increased spending should be assessed carefully.

In Cybersecurity at Crossroads: The Insight 2021 Report, 3 in 4 IT leaders say they don’t have much confidence in their organisation’s IT security posture. Specifically, going back to the Trend Micro and Ponemon Institute survey mentioned earlier in this blog post, most CISOs and IT practitioners say that their organisation’s IT security function is unable to detect and prevent the vast majority of attacks. Many of them also mention their organisation’s security technologies’ inability to protect their IT infrastructure and data assets.

Part of the reason could be that while spending on security is rising, organisations are not investing in the right areas or tools. For example, it is not uncommon for businesses to spend at least some of their budgets on overlapping solutions or on defending against threats that either no longer exist or pose very little actual risk. It could also be the case that businesses buying too many security tools are decreasing their security. A global 2020 report by the Ponemon Institute and IBM concluded that increased complexity — and the “alert fatigue” that tends to follow — caused by overinvestment in security tools could hinder an organisation’s ability to respond to cyber threats effectively.

Prioritise Your Security Architecture Over Spending Benchmarks

With IT staff already overwhelmed by the number of alerts (many of them false positives) they receive daily, increasing your cybersecurity budget so that you can buy the latest tools and technologies isn’t going to do much for your organisation’s security. A smarter thing to do would be to employ more professionals. Unfortunately, with the cybersecurity skills crisis getting worse, doing so isn’t exactly easy, nor does it always make financial sense for fast-growing companies. Instead, expanding organisations looking to bolster their cybersecurity should consider investing at least some of their cybersecurity budgets in automation.

More than 1 in 2 IT professionals said that their biggest challenge when it comes to security operations and management is their organisation’s lack of automation, which prevents them from responding to their systems’ management notifications and security events quickly. Conversely, in an IBM study from 2020, more than half of the organisations surveyed noted that what helped improve their level of cyber resilience was visibility into applications and data and investment in automation tools.

SenseOn can help you and your team overcome this exact problem. A self-driving cyber defence platform, SenseOn replicates how human cyber security analysts work to pinpoint and flag only relevant threat alerts. Better yet, it consolidates a suite of tools (including EDR, NDR, UEBA, IDS/IPS, SIEM, and SOAR) into a single cybersecurity platform, freeing up your security budget for other priorities.
