While more companies are investing in cybersecurity regardless of ROI (63 percent in 2017 compared to 56 percent in 2016), a new study from Kaspersky Lab and B2B International has found that the average cost of a cybersecurity incident is growing. According to the report ‘IT Security: cost-center or strategic investment?’, the most costly cybersecurity breaches for businesses of all sizes result from the failures of third parties, which means that companies should not only invest in their own protection, but also pay attention to that of their business partners.
This year’s study reveals promising developments in the importance being placed on IT security. Businesses globally are starting to view it as a strategic investment and the share of IT budgets that is being spent on IT security is growing, reaching almost a quarter (23 percent) of IT budgets in large corporations. This pattern is consistent across businesses of all sizes, including very small businesses where resources are usually in short supply. However, while security appears to be receiving a larger proportion of the IT budget pie, the pie itself is getting smaller. For example, the average IT security budget for enterprises in absolute terms dropped from USD 25.5 million last year to USD 13.7 million in 2017.
This is a concern for businesses, especially given the fact that, unlike IT security budgets, security breaches aren’t getting cheaper to recover from. This year, SMBs paid an average of USD 87, 80000 per security incident (compared to USD 86,5000 in 2016), while enterprises faced an even larger increase of USD 99,2000 in 2017, compared to USD 61,000 in 2016.
Nonetheless, raising IT security budgets is only part of the solution, as the most staggering losses stem from the incidents involving third parties and their cyber-failures. SMBs had to pay up to USD 140,000 for incidents affecting infrastructure hosted by a third party, while enterprises lost nearly two million dollars (USD 1.8 million) as a result of breaches affecting suppliers that they share data with, and USD 1.6 million because of IaaS-providers’ insufficient levels of protection.
As soon as a business gives another organization access to its data or infrastructure, weaknesses in one may affect them both. This issue is becoming increasingly important as governments worldwide rush to introduce new legislations, requiring organizations to provide information about how they share and protect personal data.
‘’While cybersecurity incidents involving third parties prove to be harmful to businesses of all sizes, their financial impact on a company has the potential to result in twice as much damage. This is because of a wider global challenge – with threats moving fast, but businesses and legislation changing slowly. When regulations like GDPR become enforceable and catch up with businesses before they manage to update their policies, the fines for non-compliance will further add to the bill”, says Alessio Aceti, head of enterprise business division at Kaspersky Lab.