While more companies are investing in cyber security regardless of ROI (63% in 2017 compared to 56% in 2016), a new study from Kaspersky Lab and B2B International has found that the average cost of a cyber security incident is growing. The most costly cybersecurity breaches for businesses of all sizes result from the failures of third parties, reveals the report.
Globally, IT security has reached almost a quarter (23%) of IT budgets in large corporations. This pattern is consistent across businesses of all sizes, including very small businesses where resources are usually in short supply. However, while security appears to be receiving a larger proportion of the IT budget pie, the pie itself is getting smaller. For example, the average IT security budget for enterprises in absolute terms dropped from $25.5M last year to $13.7M in 2017.
This is a concern for businesses, especially given the fact that - unlike IT security budgets - security breaches aren’t getting cheaper to recover from. This year, SMBs paid an average of $87.8K per security incident (compared to $86.5k in 2016), while enterprises faced an even larger increase of $992K in 2017, compared to $861K in 2016.
Kaspersky Lab has introduced the IT Security Calculator- a tool that acts as a guide to the cost of IT security based on the average budgets being spent (by region, industry and company size), security measures, the major threat vectors, money losses and tips on how to avoid a compromise.
Nonetheless, raising IT security budgets is only part of the solution, as the most staggering losses stem from the incidents involving third parties and their cyber-failures. SMBs had to pay up to $140K for incidents affecting infrastructure hosted by a third party, while enterprises lost nearly two million dollars ($1.8M) as a result of breaches affecting suppliers that they share data with, and $1.6M because of IaaS-providers’ insufficient levels of protection.
As soon as a business gives another organization access to its data or infrastructure, weaknesses in one may affect them both. This issue is becoming increasingly important as governments worldwide rush to introduce new legislations, requiring organizations to provide information about how they share and protect personal data.