How Much Should a Business Spend on Cybersecurity (Updated for 2023)

According to PWC, at least 30% of organisations have suffered a data breach that cost them more than £800,000 in the past three years. For an average company, any figure less than this is the right amount to spend on cyber security, at least theoretically.

Real life is more complex. Because no company is average, right-sizing cybersecurity spending is a nuanced challenge. 

  • As a general rule for reducing cyber risk, a business should spend between a high single-digit figure and a low double-digit proportion of their IT budget on cyber security, i.e., 7% to 20%.

  • This figure will vary depending on an organisation’s risk exposure, the potential cost of a data breach, and its overall budget.

Not all spending will deliver an equal return on investment. It’s easy to waste money on tools, training and processes that produce minimal security gains. To stop threats, astute spending is critical.

Contact SenseOn to learn more about how SenseOn’s security automation platform can reduce your  security spending.. 

To right-size security spending and get a good return on investment, decision-makers need to understand some core inputs into the cyber spending equation. 

The Information Security Spending Challenge

By 2025, global cybersecurity spending is forecast to exceed £1.30 trillion, according to Cybersecurity Ventures. At least £67 billion of which will be spent by SMEs.

Yet even though organisations are spending more money on cybersecurity than ever, it never seems enough. These days, breaches are often seen as a side effect of digital transformation. 

Many organisations and parts of the broader cybersecurity market consider cybersecurity as a way of slowing down cybersecurity threats rather than stopping them. 

A report by Trend Micro and the Ponemon Institute that looked at businesses of all sizes and industries across the US, Europe, and Asia-Pacific, proves this point. In the survey, almost 9 in 10 organisations anticipate falling victim to a data breach in the next 12 months. 

Worryingly, about 1 in 4 also admitted to having suffered at least seven cyber-attacks where threat actors successfully infiltrated their networks and systems within the last year alone. 

For any business, this situation poses a serious operational question. Namely: if the overall security environment is not improving despite record spending, just how much cybersecurity investment is enough?

How Much Should A Growing Business Spend on Security?

There isn’t an exact numerical amount or percentage of revenue or IT budget that a growing organisation should dedicate to security. 

Rather, the right level of security spend depends on several factors, including where in the world the organisation is based, the sector it is in, the type of data it handles and stores, the regulatory requirements it may need to abide by, and the complexity of its IT infrastructure. 

This blog gives organisations a detailed look at the factors that influence security budgets and their growth rate and helps explain why high-spending businesses are still falling victim to attacks. It also proposes a straightforward solution to this problem.

Location

From a cybersecurity point of view, geography matters. North America and Europe are among the most targeted regions in the world. It makes sense that companies based in either continent have recently increased the share of their IT spending going on cybersecurity. 

Organisations in the US, for example, upped their cybersecurity spending by an average of 10% between 2021 and 2022 alone, now dedicating almost a quarter (24%) of their IT budget to security. 

In the UK, business spending on cybersecurity rose by an average of 5% last year. 

In European countries, including France and Germany, businesses have also raised their cybersecurity budgets by 10% and 15%, allocating around a fifth of their IT budgets to keeping their systems safe. 

Sector

Historically, firms in the financial industry have spent the most money on cybersecurity. 

Today, however, the biggest spenders are tech and business services organisations. According to the 2022 Security Spending Benchmark Report by IANS Research and Artico Search, organisations in these sectors spend just over 13% of their total IT budgets on cyber security. 

The overall average for any sector was 9.9%. 

Government organisations and financial services firms spent 9.6% and 9.7%, respectively. Following them were utility providers (8%), transportation (6.6%), and manufacturing (6.1).

Sadly, however, the most attacked sectors with the greatest need for risk management and the least tolerance for disruptions spend the least on security. 

The lowest spend in the security benchmarking study was in education organisations which spent only 5.9% of their IT budget on cybersecurity. Healthcare is another notorious under-spender on security.

Data from the US shows that only 1 in 5 hospitals spend more than 7%. Most spend between 1% and 5%. Spending remains low despite 8 in 10 hospitals experiencing a data breach. 

With digital transformation and the pandemic having transformed much of how healthcare happens, hospitals need to spend, on average, around 24% more on security in the next few years. 

Type of data handled and stored

Organisations that hold sensitive data should spend more money on data security. Unfortunately, as demonstrated by the above figures, that is only sometimes the case. 

Although financial firms, which tend to hold vulnerable client data, are increasing their security spending, healthcare and educational organisations, also stewards of highly personal data, are not. 

Regulatory requirements

Research by McKinsey finds that regulatory compliance is a crucial factor influencing current and future cybersecurity spending.

For example, in Europe, more than 1 in 2 businesses agree that the General Data Protection Regulation (GDPR) compliance has resulted in them spending more on cybersecurity.

In a survey from a few years ago, firms estimated they would spend an average of £1 million on GDPR readiness initiatives. Furthermore, 88% of impacted organisations said they spend more than £750,000 to maintain GDPR compliance, with 40% saying they spend more than £7.5 million.

This level of concern with the GDPR is unsurprising, given that the GDPR can levy fines of up to 4% of a company’s global turnover. Sector-specific regulations such as the Digital Operational Resilience Act (which applies to European financial organisations) will also influence future cyber compliance spending. 

Unfortunately, these kinds of organisations are increasingly falling victim to devastating attacks.

Learn more: How SenseOn supports compliance

Size

According to the Hiscox Cyber Readiness Report 2022, businesses with 250 and 999 staff dedicate almost £1.5 million to cybersecurity. In contrast, organisations with 1,000+ employees spend an average of £18 million (a 65% increase on the previous year). 

The bigger the organisation, the more it invests in cybersecurity overall. However, smaller businesses tend to spend proportionally more.

Other data shows that the typical enterprise spends 9.9% of its IT budget on cybersecurity, while an SMB may spend 20%. 

Learn more: How to set up a security operations centre in 5 steps

IT complexity 

As businesses become larger, their technology architectures and ecosystems also tend to grow in complexity. 

The more partners an organisation depends on and the more devices connect to its network, the easier it is to hack. In 2021, almost 45% of organisations in one survey were victims of a supply chain attack. 

To secure complex networks, organisations often end up spending more on cybersecurity. For example, endpoint security tools typically make up almost a quarter of all IT security spending. 

Learn more: How to reduce IT complexity with consolidation 

It’s Now How Much You Spend; It’s What You Spend It On

So how much should you spend on cybersecurity as your organisation grows in 2023? The surprising answer is “less than you think.” 

Unless you know exactly what drives return on investment (ROI) in terms of stopping malware and ransomware, meeting compliance requirements and improving network security, any plans for increased spending on security services or solutions should be assessed carefully. 

In Cybersecurity at Crossroads: The Insight 2021 Report, 3 in 4 respondents said they lacked confidence in their organisation’s IT security posture. Not much has changed since then.

Whether it’s a sprawling external attack surface and cloud security issues, a hostile threat landscape or a corporate culture that places convenience above security, security leaders have no shortage of challenges. 

Getting ROI from security spending remains one of them.

Going back to the Trend Micro and Ponemon Institute survey mentioned earlier, most CISOs and IT practitioners say their organisation’s IT security function cannot detect and prevent the vast majority of attacks. Many also mentioned their organisation’s security technologies’ inability to protect their IT infrastructure and data assets. 

Learn more: Threat detection in 2023 is broken. Here’s how to fix it

Part of the reason is that while spending on security is rising, organisations are not investing in the right areas or tools. 

For example, it is common for businesses to spend at least some of their budgets on overlapping security solutions or defending against threats that either no longer exist or that pose minimal business risk. 

Businesses buying too many security tools are decreasing their ability to defeat cybercrime. 

A Ponemon Institute and IBM report concluded that increased complexity—and the “alert fatigue” that tends to follow—caused by overinvestment in security tools could hinder an organisation’s ability to respond to cyber threats effectively. 

Decrease Risk and Reduce Cybersecurity Spending with AI and Automation

IT staff are already overwhelmed by the number of alerts (many false positives) they receive daily. Increasing your cybersecurity budget to buy the latest tools and technologies will overwhelm them further. 

Unfortunately, with the cybersecurity skills crisis worsening, hiring more staff is not the answer to this problem either.

Instead, expanding organisations looking to bolster their cybersecurity should consider investing at least some of their cybersecurity budgets into artificial intelligence and automation

More than 1 in 2 IT professionals say that their biggest challenge regarding security operations and management is their organisation’s need for more automation. Too many repetitive, manual tasks prevent analysts from quickly responding to their systems’ management notifications and security events.

In an IBM study, more than half of organisations surveyed noted that what helped improve their level of cyber resilience was visibility into applications and data and investment in automation tools.

SenseOn can help you and your team overcome this exact problem.

Reduce Your Cyber Spend with SenseOn 

A self-driving cyber defence platform, SenseOn’s unique “AI Triangulation” technology replicates how a human security analyst thinks and behaves to pinpoint and flag only relevant threat alerts. 

SenseOn consolidates a suite of tools (including EDR, NDR, UEBA, IDS/IPS, SIEM, and SOAR) into a single cybersecurity platform, freeing up your security budget for other priorities. 

Contact us to learn more.

Previous
Previous

10 Questions to Ask Your Cybersecurity Vendor

Next
Next

What Is Ransomware as a Service (& Protecting Against It In 2023)