Scary Stats Driving CIOs To Spend More on Cybersecurity

Numbers don’t lie. So, based on the numbers of reported cyber attacks, CIOs are spending more of their IT budgets on cybersecurity. The likelihood that a company will be attacked combined with what it costs to recover from the attack — both in dollars and reputation — is too high to ignore.

Take a look at the data summarized from three highly respected surveys and forecasts from Gartner:

IT Security: Cost Center or Strategic Investment?

By Kaspersky For Business, 2017

About the survey
Each year the Kaspersky Lab Corporate IT Security Risks Survey collects data globally from IT business decision-makers. For 2017, the survey conducted 5,274 interviews with businesses of all sizes in over 30 countries. Data below is for companies in North America in one year.


Key data points

  • $117K: average SMB impact of a data breach
  • $1.3M: average enterprise impact of a data breach
  • 77%: percent of businesses that experienced one or more attacks
  • 49% and 11%: percent of businesses that experienced a virus or malware attack and the increase in those attacks since the previous year, respectively
  • 27% and 6%: percent of businesses that experienced a targeted attack and the increase in those attacks since the previous year, respectively
  • $21K and $21K: average SMB cost in lost business and hiring external professionals, respectively, after a breach
  • $207K: average amount enterprises spend on additional staff wages after a breach
  • 60%: percentage of businesses that will invest in cybersecurity regardless of ROI

Key analyses and conclusions
The WannaCry and ExPetr attacks (both ransomware) opened many eyes to cyber threats and the rapidly changing cyber landscape. Businesses are checking their security posture and adjusting their protection strategies, weighing the actual cost of proactively fighting cybercrime against the cost of becoming a victim.

  • Cyber threats are becoming harder and more expensive to fight for companies of all sizes in North America
  • Data breaches can have a damaging impact on organizations of all sizes
  • Legislative changes add to the cost of security incidents because businesses have to adjust to compliance requirements
  • Understanding the math behind the cost of a cyber attack is crucial
  • Slightly more companies this year than last year said they will invest in cybersecurity regardless of ROI
  • Organizations that calculate IT security as an investment and are prepared to spend accordingly are likely to be the most prepared for an attack


What DDoS Attacks Really Cost Businesses

By Incapsula, 2014

About the survey
Incapsula’s survey data includes responses from 270 North American organizations across industries and ranging in size from 250 employees to 10,000 or more with a fairly even distribution between the two extremes.

Key data points

  • 45%: percent of respondents reporting that their organization had been hit by a DDoS attack
  • 91%: percent of respondents who were attacked in the past 12 months
  • 70%: percent who were attacked two or more times
  • 10%: percent who are attacked weekly
  • $40K: average cost of a DDoS attack per hour
  • $500K: average total cost of a DDoS attack
  • 87%: percent of DDoS attack victims that experienced at least one non-financial consequence, such as loss of customer trust, loss of intellectual property, and virus or malware infection
  • 36%: percent of respondents who are not confident about their current DDoS protection technology

Key analyses and conclusions
Intrusions are becoming more prevalent, more sophisticated, and more costly, while many organizations aren’t taking appropriate measures to protect themselves.

  • Companies having 500 or more employees are the most likely to experience a DDoS assault, incur higher attack costs, and require more employees to combat the threat
  • Recovering from DDoS attack damage can take months or years
  • Many organizations continue to haphazardly respond to attacks, relying on outdated firewall solutions
  • Organizations can have a higher level of defense against DDoS attacks by using the latest mitigation technologies
  • The costs of a DDoS attack affect not only the IT group but also security and risk management, customer service, and sales

The Impact of Data Breaches On Reputation & Share Value

By Ponemon Institute and Centrify, 2017

About the survey
This Ponemon Institute study covers the perspective of three groups of people — 448 IT practitioners, 334 senior-level marketers, and 449 consumers — on a company’s reputation and share value following a reported data breach. For the stock information, the study looked at 113 publicly-traded companies that had experienced a data breach of 50,000 or more records, tracking the index value for 30 days prior to the announcement of the breach to 90 days after.

Key data points

  • 5%: average percent decline in stock price following the disclosure of a company data breach
  • $2.67M: average revenue loss per company following the breach
  • 7 days: average length of time for stock prices to recover for companies with a strong security posture
  • 90+ days: length of time for stock prices to recover for companies with a poor security posture
  • 20% and 5%: percent of CMOs and IT practitioners, respectively, who say they would be concerned about a decline in their company’s stock price
  • 71% and 49%: percent of CMOs and IT practitioners, respectively, who see the loss of brand value as the biggest cost of a security incident
  • 42% and 45%: percent of CMOs and IT practitioners, respectively, who don’t believe their senior management understands the importance of preserving the company’s reputation
  • 31%: percent of customers who discontinued their relationship with the organization after the breach

Key analyses and conclusions
The consequences of a data breach can ripple throughout the company and have devastating and long-term financial consequences. These include reputation and customer loss, a decline in revenues, loss of competitive advantage, and employees’ inability to be fully productive.

  • Companies with a strong security posture were less likely to see a decline in stock prices because they were better able to quickly respond to the data breach
  • Organizations with a poor security posture were more likely to lose customers
  • A strong security posture supports customer loyalty and trust
  • CMOs and IT practitioners see the cost-to-brand value as high and neither group is overly concerned about stock prices
  • Consumers react strongly to data breaches
  • Consumer trust in certain industries over others is misplaced
  • Consumers expect companies to act more responsibly than IT practitioners and CMOs think their companies need to

Should your company spend more on cybersecurity?

According to the study “IT Spending and Staffing Benchmarks 2018/2019” by Computer Economics, Inc., 75% of organizations will prioritize security and privacy in 2019. Midsize companies especially are increasing their IT spending overall, primarily to transform business, replace legacy systems and implement new technologies.

Gartner forecasts that IT spending worldwide will increase 3.2 percent in 2019. And while it reports that in 2018 CIOs were focused on scaling digital business, in 2019 they’re shifting their focus to building a secure base for digital business now that digital has become mainstream. Gartner’s recent 2018 survey of 3,000 CIOs found that 89% have deployed or plan to deploy cybersecurity software in the next 12 months. In addition, due to social engineering activities such as phishing, CIOs are using a combination of measures to harden their assets and it’s more likely that boards of directors rather than CIOs alone are accountable for cybersecurity. Now, at digitally top-performing organizations, 24% of boards are accountable for cybersecurity.


Teamwork that goes beyond CIOs and boardrooms

When an attack does happen — and it probably will, despite your best efforts — a good cybersecurity program will help you minimize the exposure and damage. Having an actual program is crucial. Secure IT operations is not a set-it-and-forget-it system. Your team needs to constantly evaluate new vulnerabilities and threat intelligence so you can update and adjust your operational processes and stay protected. Every day can bring a new type of threat, malware strain, or social engineering ploy.

At the same time, don’t fall into the trap of thinking your organization needs to be 100% secure. That’s an impossibility because even the best security tools and most robust systems aren’t completely foolproof. It’s best to focus your cybersecurity efforts and budget on securing what’s most important to your organization and then buying insurance to cover the rest.

Often organizations can benefit from working with experienced, outsourced IT security pros for advice and hands-on help. From conducting security assessments or penetration tests to building more secure systems or operating as strategic partners, working with specialists helps companies become more secure. One thing is certain — the data show threats are growing, not dissipating. Organizations need to be prepared.
