How much should organisations spend on cyber security?

Cyber attacks and data breaches are becoming so common that all organisations are likely to be hit at some point. Some organisations might use this as an excuse not to invest in cyber security, but it’s possible to reduce the risk and subsequent damage of an attack – and that option is a lot more affordable than waiting until it’s too late.

For example, Maersk announced (warning: paywall) that it lost up to $300 million (about £225 million) after it was hit by NotPetya, and it still had to deal with the consequences of the attack and upgrade its security measures. Granted, few breaches are as damaging, but cyber attacks still inflict serious damage on the average company. Ponemon Institute’s 2017 Cost of Data Breach Study found that UK organisations lose £2.48 million on average after a data breach.

With organisations already investing heavily in cyber security – Gartner predicting that global cyber security spending will rise to $90 billion (about £68 billion) in 2017 – the answer isn’t simply to invest even more money. So, what should organisations do?

The cost of a breach

On average, organisations spend 5.6% of their overall IT budget on security and risk management, according to another report from Gartner. This is certainly adequate, but the problem is that the £68 billion that organisations are spending on cyber security is far outweighed by the cost of data breaches.

Combining our research, which found that there were 3.1 billion breached records in 2016, with Ponemon’s figures from the same year, which put the average cost of each stolen record at $158 (about £120), you can estimate that data breaches cost organisations approximately £370 billion in total.

So, instead of spending extravagant amounts of money on preventing breaches, organisations should try to mitigate the damage breaches cause. The biggest cost associated with data breaches is resolving the matter, as organisations must pay compliance fines and court fees, invest in forensic and investigation processes and spend money on identity theft prevention services for customers or employees.

These costs will escalate if the organisation isn’t prepared for the possibility of a breach. A business continuity management system (BCMS) helps organisations prepare for that possibility, speeding up the recovery process and reducing the damage to the organisation and to those affected by the breach.

A BCMS should work alongside an information security management system (ISMS) to tackle both prevention and response.

An ISMS is a system of processes, documents, technology and people that helps organisations prevent data breaches. ISO 27001 describes best practice for an ISMS, detailing everything you need to do to protect your organisation – from conducting risk assessments to investing in staff awareness training.

When prepared for together, cyber security and business continuity form a two-pronged approach known as cyber resilience.

Achieve cyber resilience

The benefit of cyber resilience is that it allows organisations to avoid an ‘all or nothing’ outlook to information security. You can’t put all your faith in your ability to prevent cyber attacks, nor can you blindly accept that you’re going to be breached at some point.

By seeing the full picture, you’re able to take a realistic approach to security that helps you:

  • Reduce financial losses;
  • Meet legal and regulatory requirements;
  • Improve your company’s culture and internal processes; and
  • Protect your company’s brand and reputation.

IT Governance offers many ways to help you develop cyber resilience, including a Cyber Health Check, penetration testing services, support in complying with Cyber Essentials and assistance in developing and maintaining an ISMS and BCMS.
