Cybersecurity has become a matter of great concern for governments, corporations, and SMEs across the globe. The reason is that these organizations collect and store sensitive information from their users that can be breached and accessed by hackers. Data breaches and other cyberattacks have become very common in the last couple of years, with over 950 breaches taking place in 2018 alone so far.
The growing number of cyberattacks has increased the demand for advanced security products and mechanisms. Organizations across the globe are growing more aware of this threat and are in turn allocating greater resources and budget to cybersecurity to mitigate the risks. According to statistics shared by Statista, global IT security spending in 2017 was $52.3 billion. Gartner predicts that this figure will reach $93 billion in 2018. These numbers show that companies are spending an increasing amount of resources to strengthen their IT security. However, even though these figures seem quite high, they are only a very small percentage when compared against the revenue of the companies.
Bank of America’s $400 Million Cybersecurity Budget:
Brian Moynihan, the CEO of the Bank of America, said in an interview that his company will be spending $400 Million per year (from 2015 onwards). This seems like a lot, but when you compare it to the $89 billion revenue of the Bank of America, the cybersecurity budget is just 0.45% of their revenue. This is quite a small percentage for the security of one of the largest lenders in the United States.
Though there is no standard or rule of thumb for what percentage of a company’s revenue should be allocated towards cybersecurity, most enterprises spend a very small percentage of their revenue on IT security. Enterprises such as JP Morgan Chase and Bank of America, who proudly advertise their IT security budgets, still spend less than 1% of their revenue on protecting their data and systems. It is important to understand the cost-benefit analysis. Data breaches can cost a company up to billions of dollars in losses, and to prevent these, a company has to take into account the IT security services that it needs to protect itself against modern cyberattacks.
IT Budget and Cybersecurity:
According to Gartner, worldwide IT spending for 2018 is forecast at $3.6 trillion. When we break this down further, an average company spends just 18% of its capital budget on IT, a percentage that has been continually declining since 2013.
Even though Computer Economics statistics suggest that companies give Security and Privacy the highest spending priority, the percentage of the IT budget that companies spend on cybersecurity is still quite low. A study shows that 62% of consumer businesses spend between 4% and 8% of their annual IT budget on cybersecurity. If we boil this down to company revenue, it translates to just 1.4% of the company revenue. According to research commissioned by IBM, a company should ideally spend around 13.7% of its IT budget on cybersecurity. However, just 14% of organizations spend more than 10% of their allocated IT budget on security. This shows that companies allocate an inadequate percentage of their revenue to their IT security budget.
It is hard to determine an exact percentage of a company’s revenue that should be allocated to its IT security budget to protect it against data breaches and cyberattacks. Even though the percentage varies according to the company’s industry and revenue, among other factors, most companies generally underspend on cybersecurity, as we can see from the statistics. When we consider the fact that basic email protection and other common security mechanisms can cost a small business (of under 50 users) up to thousands of dollars per year, we can conclude that organizations need to adequately allocate resources for their cybersecurity to protect themselves from losses and fines.