How much should I spend on cybersecurity to protect my business?
Updated at: Aug 18, 2020
We know that not many companies have a large budget to spend on IT and, more precisely, on cybersecurity. That's just not the reality for most organizations in the world.
Consider that we live in a world of small and medium-sized businesses (SMBs), typically defined as companies with up to 250 or 500 employees.
In Europe and in countries such as the U.S. and Brazil, for example, businesses with up to 50 employees account for about 90% of all companies.
Regardless of the company's size, the challenge is always to define how much to spend and invest in cybersecurity. But one thing is certain: it's much cheaper to prevent cyber attacks than to repair the damage when they occur.
For example, if your company is a victim of a cyber attack, there are damages related to containing the threat. But there is another even bigger loss: damage related to your brand's reputation and the loss of business, whether by not acquiring new customers or by losing old ones.
The fact is that many companies still don't take this into account. Nowadays, with news about attacks and data breaches being published almost daily, companies need to invest in cybersecurity solutions.
But how should your company define how much money to spend on cybersecurity? And how to use it? We help you with the answers.
What is an average cybersecurity budget?
In general, experts say that you should spend 10% to 15% of your IT budget on protection against data breaches and cybersecurity attacks. The report Pursuing Cybersecurity Maturity at Financial Institutions supports this figure.
According to the study by Deloitte and the Financial Services Information Sharing and Analysis, banks and other financial services companies spend 6% to 14% of their IT budget on cybersecurity.
This is a useful reference point, considering that the financial sector is one of the areas most targeted by scams and attacks.
But that isn’t a simple and complete answer. There are many factors that influence the creation of a cybersecurity budget, such as the size of your company, for example.
Here are some thoughts on how to plan and build a security budget for your company.
Tips to help create your company's cybersecurity budget
1. Starting your cybersecurity budget
To start creating your cybersecurity budget, you need to take an inventory of your assets and think about laws and industry regulations that affect your business. The following questions will help you to create the foundation for your budget.
- What is your company’s size?
- What is your industry?
- What kind of data do you work with?
- Which devices and assets does your organization use?
- Are there laws and regulations that affect your business? How?
2. Evaluating processes to create a cybersecurity budget
In a second step, you need to understand what your company's processes are. Check out some questions that may help.
- What are the data storage and collection processes?
- Who are the people involved in these processes?
- Are there partners (other companies) involved?
- Where and how is the data shared and stored?
- What software and products does the company use?
- What are their vulnerabilities?
3. Defining and using a cybersecurity budget
After you answer the questions above, you'll have an overview of your company's strengths and weaknesses. That is, you'll know what needs to be better protected. The question now is: how?
At this stage, you can also hire a vulnerability analysis service to help build your project. Here are some more questions that help you determine your cybersecurity budget.
- What kind of solutions can help you improve your business’s protection?
- What are the options and how much do they cost?
- How long will it take to deploy them?
- Is your team prepared to fight attacks and incidents?
So now, you probably have a clearer idea of your needs and how much it would cost to have a complete suite of cybersecurity solutions. But we know that the reality is quite different, right?
To conclude, then, think about the following questions.
- What is my IT budget?
- What are my security priorities?
- How can I strengthen my company's security using up to 15% of that budget?
Set priorities and get to work. Another way to think about your cybersecurity budget is in terms of return on investment, the famous ROI. For many companies this model is harder to quantify, but it is still a good option.
In practice, you estimate the financial loss that a data breach or an incident would cause. Then, taking this loss into account, you set a budget.
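As an added worked example (not code from the article or from Gatefy), the following script puts the ROI idea above into numbers. It assumes the common return-on-security-investment (ROSI) estimate: for each risk scenario, an annualized loss is the estimated loss per incident times the expected incidents per year; a control's value is the share of that loss it is expected to prevent, and its ROSI is (loss avoided minus control cost) divided by control cost. Controls with a positive ROSI are then funded in ROSI order until the 15% share of the IT budget mentioned in this article is used up. All scenario and control figures are constructed illustrations, not data from the article.

```python
"""Worked ROSI-based budget planning (added example, not from the article).

Assumptions, labelled here and in the code:
- ROSI = (annual loss avoided - annual control cost) / annual control cost.
- Annualized loss of a scenario = loss per incident * expected incidents per year.
- Mitigation fractions are treated as independent per control (a simplification;
  overlapping controls can double-count avoided loss).
- All monetary values and rates below are constructed sample figures.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Scenario:
    name: str
    single_loss: float   # estimated cost of one incident, incl. containment and lost business
    annual_rate: float   # expected incidents per year

    def annual_loss(self) -> float:
        """Annualized loss expectancy for this scenario."""
        return self.single_loss * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float
    mitigates: Dict[str, float] = field(default_factory=dict)  # scenario name -> fraction of loss prevented (0..1)


def loss_avoided(control: Control, scenarios: List[Scenario]) -> float:
    """Annual loss the control is expected to prevent across all scenarios."""
    return sum(s.annual_loss() * control.mitigates.get(s.name, 0.0) for s in scenarios)


def rosi(control: Control, scenarios: List[Scenario]) -> float:
    """Return on security investment for one control (assumed formula, see module docstring)."""
    avoided = loss_avoided(control, scenarios)
    return (avoided - control.annual_cost) / control.annual_cost


def plan_budget(it_budget: float, controls: List[Control], scenarios: List[Scenario],
                share: float = 0.15) -> Tuple[List[str], float, float]:
    """Fund positive-ROSI controls in ROSI order within `share` of the IT budget.

    Returns (chosen control names, amount spent, budget cap).
    """
    cap = it_budget * share
    ranked = sorted(controls, key=lambda c: rosi(c, scenarios), reverse=True)
    chosen: List[str] = []
    spent = 0.0
    for c in ranked:
        if rosi(c, scenarios) > 0 and spent + c.annual_cost <= cap:
            chosen.append(c.name)
            spent += c.annual_cost
    return chosen, spent, cap


# Constructed sample input for a small company (not figures from the article).
SCENARIOS = [
    Scenario("phishing_breach", single_loss=80_000, annual_rate=0.5),   # annual loss 40,000
    Scenario("ransomware", single_loss=150_000, annual_rate=0.2),       # annual loss 30,000
    Scenario("lost_laptop", single_loss=20_000, annual_rate=1.0),       # annual loss 20,000
]

CONTROLS = [
    Control("email_filtering", 6_000, {"phishing_breach": 0.7, "ransomware": 0.3}),
    Control("awareness_training", 4_000, {"phishing_breach": 0.3, "ransomware": 0.2}),
    Control("disk_encryption", 3_000, {"lost_laptop": 0.9}),
    Control("backup_and_edr", 25_000, {"ransomware": 0.6}),  # too costly for the loss it avoids here
]

IT_BUDGET = 200_000  # constructed annual IT budget


def example_plan() -> Tuple[List[str], float, float]:
    """Run the planning step on the constructed sample data."""
    return plan_budget(IT_BUDGET, CONTROLS, SCENARIOS)


if __name__ == "__main__":
    for c in CONTROLS:
        print(f"{c.name:20s} cost={c.annual_cost:>8,.0f} avoided={loss_avoided(c, SCENARIOS):>8,.0f} ROSI={rosi(c, SCENARIOS):+.2f}")
    chosen, spent, cap = example_plan()
    print(f"cap (15% of IT budget)={cap:,.0f}  spent={spent:,.0f}  funded={chosen}")
```

With these sample numbers the planner funds email filtering, disk encryption and awareness training (13,000 of a 30,000 cap) and skips the backup/EDR control because its estimated cost exceeds the loss it would avoid; in a real exercise the inputs are the loss estimates and priorities gathered in the earlier steps, and the mitigation fractions are the most uncertain figures, so it is worth re-running the plan with pessimistic and optimistic values.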
If you cannot answer any of these questions, you’ll probably need the help of a specialist. If you don’t have someone in mind, a Managed Service Provider (MSP) may help you manage your needs.
Of course, you can ask questions directly to vendors as well. It’s important that you fully understand what each solution can do for your business.
Final considerations for your cybersecurity budget
We couldn't finish this article without mentioning two important points for using a cybersecurity budget.
The first point is email protection. Email is the main threat vector, meaning that a large share of data breaches starts with a malicious email. So, think about it.
Here at Gatefy we develop artificial intelligence and machine learning to improve businesses’ email security. Our solutions are easily integrated with different types of email providers, such as Office 365, G Suite, Exchange, and Zimbra. Visit Gatefy Email Security and Gatefy Anti-Fraud Protection.
The second point concerns cybersecurity awareness. In other words, your team must also understand cyber threats and risks to prevent and fight incidents. There are tools and solutions that assist in this process.
As information security experts often say, your employees are the weakest link in your security chain.
To sum it up, as a decision maker, you simply cannot base your decisions and budget on a trial-and-error game or take actions only after a data breach has already occurred. It’s wiser to instead take some preventive measures.
Remember that by investing in cybersecurity you:
- Protect your reputation and brand.
- Reduce intellectual and financial losses.
- Meet legal and regulatory compliance requirements.