On average, a single cybersecurity incident now costs large businesses $861,000, while small and medium businesses (SMB) end up paying $86,500. Most alarmingly, the cost of recovery significantly increases depending on the time of discovery. SMBs tend to pay 44 per cent more to recover from an attack discovered a week or more after the initial breach, compared to attacks spotted within one day. Enterprises pay a 27 per cent premium in the same circumstances. These are among findings of It security product firm Kaspersky Lab’s report “Measuring the Financial Impact of IT Security on Businesses” based on its 2016 Corporate IT Security Risks survey.
In the 2016 survey, Kaspersky Lab, for the first time, compared an organisation’s security budget to losses incurred from serious incidents. Overall, businesses expect IT security budgets to grow at least 14 per cent over the next three years, due to the increased complexity of IT infrastructure. A typical small businesses currently spends 18 per cent of their total IT budget on security, whereas enterprises allocate 21 per cent. The research shows a significant disparity between businesses of differing sizes, with annual security budget varying from just $1,000 for very small businesses to more than one million US dollars for large companies.
To estimate the total cost of recovery, Kaspersky Lab and B2B International asked businesses to report their losses from the most serious security incident in different categories. Although the most frequent cost is for additional staff wages, businesses reported significant spending due to lost business opportunities, improvement in IT security, employing external specialists and hiring new staff. Enterprises spend $79K on training and $85K on requesting help from external experts –19 per cent of the total loss.
Vladimir Zapolyansky, Head of SMB Marketing, Kaspersky Lab, said: “Based on our worldwide survey, the average IT Security budget is ‘worth’ just 2.5 cyber-attacks once all direct and indirect losses are taken into account. With the corporate world dealing with thousands of attacks on a daily basis, an efficient cybersecurity strategy definitely pays off. Businesses understand the threat clearly; 59 per cent of SMBs and 62 per cent of enterprises say they will improve their security regardless of the ability to measure return.
“However, the survey proves that reaction time post-breach has a direct impact on financial losses. This is something that cannot be remedied via budget increases. It requires talent, intelligence and an agile attitude towards protecting one’s business. As a security vendor, our goal is to provide tools and intelligence for businesses of all sizes, whilst keeping in mind the difference in ability to allocate security budgets.”
