By Evgeniya Naumova, Executive VP, Corporate Business at Kaspersky
As companies take stock and plan budgets for the new year, and as the pandemic continues unabated, they will still need to factor in its ongoing impact on their business and daily operations; remote working, to some extent, will remain in place for many businesses, as will the economic aftermath of the COVID-19 crisis.
To help businesses prioritise when planning budgets for the year, we have drawn on several observations from our recent research into the economics of cybersecurity and identified the following five considerations we believe business and security team leaders should keep top of mind:
#1 Last year, budgets shrank but it won’t be forever.
Cybersecurity budgets for 2021 were planned at the end of 2020 – in the midst of the pandemic. Therefore, many companies seemed to proceed with caution. As a result, the average cybersecurity budget for 2021 remained virtually unchanged for small companies: $267,000, compared to $275,000 in the previous year. But in large corporations, the allocation decreased – from $14 million in 2020 to $11.4 million in 2021.
However, since around mid-2021 (the northern spring season), analysts had been publishing optimistic forecasts about the growth of the IT and information security market: Gartner predicted an 8.4% growth in overall global IT spending in 2021. IDC also forecast strong growth in IT security spending in regions such as Europe and Asia Pacific.
With continued innovation, digitalisation of products and enhanced business processes, organisations will definitely need to prioritise cybersecurity investments. But demands may change significantly because of these and other factors, which we will cover later in the text.
#2 The financial impact of cybersecurity breaches hasn’t increased significantly, but that doesn’t mean we have defeated the cybercriminals.
The financial impact of data breaches for SMBs grew slightly in 2021, but for enterprises it decreased by 15%. Nevertheless, nominal fluctuations in the financial cost of a breach in a single year should by no means be taken as a sign that cybercriminals have given up. We need to stress this point. The scale of the impact depends not only on the attack complexity but on the actions of the business too.
A data breach, for example, can lead to direct losses including business loss or fines. Further financial impacts also depend on whether a breach has been disclosed to the public. When it has, a company normally has to spend more on additional support streams – such as crisis and overall communications and public relations (PR) support – or on paying penalties, fines, and compensation. Accordingly, the average cost of a data breach for an enterprise that doesn’t disclose the incident is $827,000. However, if the breach leaks to the press, the cost rises to $1.2 million. This year, fewer companies globally disclosed cases of a data breach.
Significant cybersecurity investment in response to previous data breaches – such as improvements in software and IT infrastructure or training for employees – will also have borne fruit this year. We see this, for example, in the positive dynamic of threat detection and response speed. Our research suggests that every year, organisations are discovering data breaches more quickly. In 2016, only 15% of SMBs and 14% of large companies had systems in place that alerted them to attacks and allowed immediate or swift response to an incident within a few hours. In 2021, this figure sits at 27%.
#3 Increased cloud adoption demands dedicated protection.
Our year-on-year research has shown that, with the onset of the pandemic, companies have increased their use of cloud services. In 2019, 72% used some kind of cloud – public, private, and virtual desktop infrastructure (VDI). In 2020-2021, this figure increased to 88%*.
This shift has resulted in changing needs for cloud infrastructure protection. Security projects created in previous years were designed for on-premises infrastructure, meaning they may no longer be relevant for organisations migrating to the cloud. Customers need to formulate protection requirements based on their current infrastructure. This demands a new dedicated package of cybersecurity solutions, including specific areas such as protection of containers, or identity in the cloud, and also the tools for complex threat detection and response in environments with multiple clouds.
#4 For complex threat protection, visibility is crucial.
The task of IT and IT security is not only to protect the infrastructure from intrusion, but also to keep it effective and not a constraint on business processes, no matter how fast the IT infrastructure changes. Remote work and digitalisation of a company’s processes and products have made securing such a complex infrastructure the second biggest headache for companies – after data protection. One of the reasons is that the more complex the system, the more difficult it is to keep track of what is happening. For two out of five companies (41%), this is the biggest problem when dealing with complex attacks.
In fact, for many companies such a complex environment becomes the number one reason for additional investments. A sophisticated attack often consists of a combination of legitimate-looking and hard-to-detect tactics. Another problem is that the enormous number of alerts generated by various security solutions makes it difficult for analysts to prioritise incidents and see the correlations between an adversary’s actions. There is a need for automated detection and response that can not only detect multiple minor signs of attack simultaneously, but also correlate them with each other and with external threat data. That will ensure efficient alert triage and reveal the real advanced attack, for further escalation to incident response teams.
#5 Need for expertise drives outsourcing and changes in budgeting.
While the need for a skilled workforce and expertise is nothing new, in 2021 we saw it become, for the first time, a major motivator for outsourcing cybersecurity. With rapid adoption of new technologies and change in work patterns, combined with the exponential growth of IT complexity, every second mid-sized and large enterprise (52% and 56% respectively) that trusts security management to a managed security provider (MSP) does so because they need highly skilled professionals.
When switching to outsourced companies, businesses may need to adjust their budget process accordingly, because this part of the budget will move from CapEx to OpEx: investments into hardware every few years will instead turn into a monthly-paid subscription.
We don’t know for sure what new challenges 2022 still has in store. Despite a natural human desire to play it safe, there is also a great opportunity for change and to make bold decisions. This applies to the budgeting process as well: the approach of ‘making it similar to last year’ won’t work anymore in the progressively advancing threat landscape. Instead, risk evaluation and modeling should be done based on the most recent trends, changes happening in the corporate infrastructure and business processes, and most importantly, business needs. Going further, to keep specific systems secure, a new approach is needed in which protection is considered from the very beginning of development. This secure-by-design approach will help businesses to achieve Cyber Immunity from most risks.
* These are additional findings from Kaspersky’s IT Security Risks survey. The survey included 4,303 interviews with businesses of more than 50 employees across 31 countries and was conducted in May-June 2021.