Cybersecurity budgets: Why big money doesn’t necessarily mean big security


Another day, another headline about a high-profile hack or data breach. The media and public take notice when consumer data have been compromised. And with the threat of litigation and massive losses, companies are paying more attention than ever to cybersecurity and are beefing up how much they spend on it every year. According to a survey of executives and IT/security directors from 250 small and mid-size enterprises (‘SMEs’), conducted by IT research and advisory company 451 Research, more than 80 percent of the SMEs reported they were planning to increase their cybersecurity budgets by 14 percent in 2019.

Sure, it’s better to allocate more money to protect your customers’ data and the integrity of your systems. But a budget amount isn’t meaningful in and of itself.

In a recent study, Forrester found that cybersecurity budgets generally break down into the three following categories:

  • Up to 10 percent of the IT budget: included 31 percent of companies in both the financial services & insurance industry and the public sector & healthcare industry.
  • 11 to 20 percent of the IT budget: included 40 percent of companies in the retail & wholesale industry.
  • 21 to 30 percent of the IT budget: included 32 percent of companies in the utility & telecommunications industry.

So, does that mean industries like insurance and healthcare are at greater risk of data breaches while utility and telecoms are locked down tight?

Yes. And no. Well, maybe.

A company’s cybersecurity budget only tells part of the story. When looking at those budgets, there are a few things to consider above and beyond the dollar amount when trying to understand whether a company is appropriately invested against cyber attacks. Has the organization:

  • Developed a clearly defined and detailed cybersecurity budget? Rather than just the amount, a clearly detailed budget helps show where and how resources are being allocated.
  • Modified its budget following a significant cyber incident? If an organization has not adjusted its budget following a significant incident, such as by reprioritizing resources or security solutions, this could suggest a lack of awareness about its current and future vulnerabilities.
  • Significantly increased or reduced its cybersecurity budget from the previous year?
  • Increased its cybersecurity budget as part of an acquisition or merger? During M&A it is important to ensure that a firm’s cybersecurity budget includes resources to manage the integration of the different companies’ IT systems and security processes.

And beyond budget, is the company doing the right things? For example, does the organization:

  • Have a clear risk management process? An organization’s ability to respond to a cyber incident is determined not just by how much money it spends on security but by whether it understands and addresses its risk exposure and potential vulnerabilities.
  • Take proactive measures to prevent cyber incidents? Implementing proactive measures, like multi-factor authentication, offline and tested backups, and network segmentation, can reduce an organization’s vulnerability to a cyber incident or the damage one causes.

A company’s cybersecurity budget tells only part of the story when it comes to whether or not the company is prepared for a cyber attack or other event.

Authored by AXA XL


About AXA XL

AXA XL is the P&C and specialty risk division of AXA which provides property, casualty, professional and speciality products to industrial, commercial and professional firms, insurance companies and other enterprises, here in the UK and throughout the world. With underwriting teams based in the US, UK, EMEA and Asia Pacific regions, we can make decisions close to the markets you serve and work with you to tailor cover to your business needs.

We help businesses adapt and thrive amidst change. Rather than just paying covered claims when things go wrong, we go beyond protection into prevention so your business can go beyond the unexpected.
