Shrinking cyber budgets are leaving businesses at risk

The cyber budgets of enterprises rose by less than 1% during the pandemic, according to their cyber budget holders. This left cyber spend stagnating at an average of around £18 million ($24.9 million) for the 2021 financial year. This is despite the fact that 61% reported having suffered a major cyber incident in the past three years.

50% of organizations either ‘hit pause’ or decreased their cyber budgets during the pandemic. Now, IT leaders expect to increase their cyber budget by an average of 8.4% in the next twelve months, taking the average budget to £19.9 million ($27 million). But taking into account inflation, which is currently 3%, this still may not be enough to make up for lost time during the pandemic. If this trend continues, a cyber spending ‘deficit’ will emerge that makes businesses more vulnerable to cyber incidents, as attacks become more frequent and more sophisticated.

Decreased cyber budgets caused by a lack of confidence in how to spend them

The problem is compounded by a lack of confidence among business and IT decision makers in how they spend their cyber budgets:

• 41% said their organization needed a better understanding of how to prioritise areas for cyber investment.
• 50% reported they had a cyber strategy but had not been able to fully implement it – meaning that cyber investments are not realising their full potential.

“Businesses need to act now to lock in their cyber spending for next year,” said Jamie Smith, Head of Cyber Security at S-RM. “The readiness with which we saw businesses pull back their budgets during the pandemic is concerning. Next year’s cyber budgets cannot be futureproofed against all forms of disruption, but there are trends business leaders should watch closely.

“A major one is the rising cost of cyber insurance – premiums are going up. This is because cyberattacks are becoming more frequent. What’s more, insurers are looking to reduce the risk they take on when they provide cyber policies. As a result, insurers want companies to prove how cyber resilient they are before providing cover.”

“Cyber budgets have stagnated at a time when the cost of cybercrime and frequency of attacks is increasing at an alarming rate. The average immediate damage of a cyber incident is in the region of £1.3 million ($1.8 million). But the secondary costs like higher insurance premiums and recovery services can more than double this.”

“Businesses have been failing to keep pace, and if they don’t commit to strategic investment in their cyber security, they risk serious financial and reputational damage.”

Cyber confidence comes from the top

The analysis, developed by S-RM, will guide organizations who are looking to utilise their cyber spend more effectively. It also found a clear correlation in the data which suggests that cyber confidence comes from the top.

Businesses with boards who had a highly proactive approach to cyber security were more likely to say they are investing cyber budget in all the right places (79%) compared to those whose boards are not totally proactive and do not experience proactive support from the top (45%).