The battle for business buy-in: Three ways to justify your IT security spend

Trying to persuade your board to increase investment in IT security? Here are three reasons to convince them.

Art by Hurca!

Proving return on investment in IT security is an almost impossible task for IT professionals. Why? Because they’re often found trying to balance budget limitations while constantly fighting to stay ahead of the evolving threat landscape to protect your business. But times are changing. Companies are starting to treat IT security as an important investment, rather than simply a cost center.

That said, justifying IT cybersecurity investment is still a challenge. So, here are three reasons why it’s crucial for businesses to keep their cybersecurity strategy up to date, in terms of both budget and approach.

1. A cyberattack could cripple your business… seriously

It’s no secret: businesses of all sizes and industries are prioritizing cybersecurity spend. Enterprises now spend almost a third of their IT budget ($8.9M) on cybersecurity, and budgets are expected to rise over the next three years. Both small and medium businesses (SMBs) and enterprises predict they will spend up to 15 percent more on cybersecurity until 2022.

Why? Because people are realizing that cybersecurity attacks can be devastating. The WannaCry ransomware stopped the production lines of five Renault factories, while a similar cyber-threat, ExPetr, cost Maersk – the world’s largest container ship and supply company – between 200 and 300 million US dollars.

Along with threatening current business operations, cyber-threats impact future-focused initiatives. For example, digital transformation and operational mobility projects require organizations to operate a growing IT infrastructure, meaning they might lose sight of what’s happening to their data. Consequently, data could be compromised or even encrypted. The Zepto ransomware, which was spread via cloud storage apps, is a prime example of this threat in action.

The cost of dealing with cyberattacks is on the rise – especially when you take into account factors like hiring external consultants, acquiring new software, and dealing with PR risks and litigations, to name a few. With those costs rising and crucial business operations being put at risk, it’s no surprise that senior leaders are getting involved in the cybersecurity debate. But it’s not just their own infrastructure they have to think about.

2. Your supplier networks are a threat, even when your business is protected

Breaches can happen even if your business is protected. Sounds crazy, but it’s true. Normally breaches happen through supply chain attacks or as a result of vulnerabilities in third-party software.

A case in point: American retailer Target. Hackers accessed the company’s network through its ventilation and air conditioning vendor, costing them $18.5m. This was followed by the Equifax breach; the company was hacked through a vulnerability in legitimate open source software – software in which anyone can view the code. The hackers gained access to their databases, stealing 145m accounts with crucial client data like names, social security numbers, dates of birth, addresses and even credit card numbers. Equifax had to pay around $700m to settle the breach. Ouch.

3. Protect your business data, wherever it is

Cloud services offer many benefits to businesses, from taking advantage of a more efficient mobile workforce, to reducing infrastructure costs and optimizing business operations. Our research shows that 73 percent of SMBs use at least one software as a service (SaaS) hosted business application, while 45 percent of enterprises have either already raised or are planning to grow their use of hybrid cloud in the next 12 months.

However, as businesses move more and more data to the cloud, it’s easy to lose track of what you’re transferring, or where it’s kept. Data ‘on the go’ that’s stored outside of the corporate data center – for example, in third party IT infrastructure – is presenting businesses with new security issues and new costs. The most expensive incidents in 2017 to 2018 related to cloud environments and data protection issues. For example, for SMBs, two-thirds of the most expensive cybersecurity incidents are related to the cloud and third party hosted IT infrastructure failures, resulting in an average loss of $179K. That’s why it’s so important to consider a dedicated level of cybersecurity when moving workloads to cloud platforms.

Cybersecurity needs to be a core function of IT infrastructure

For businesses of any size, cyberattacks are a risk – many companies today deal with third party contractors, cloud infrastructure and a growing amount of sensitive customer and business data. To reach the right level of cybersecurity, it needs to be a core part of the IT infrastructure.

When cybersecurity is a core function, solutions can then be put in place, meaning physical and virtual machines, containers, operating systems and cloud systems can be protected in a flexible way. This is particularly necessary when dealing with visibility on hybrid cloud infrastructure – or cloud systems where multiple parties have access.

Last but not least: businesses have to realize their responsibility for data that’s stored in cloud applications and platforms. A false sense of safety and relying on providers to ensure security can be extremely costly. Your data is your responsibility, so invest in keeping it under lock and key.

Article published in 2019, statistics correct at time of publishing.

About authors

Evgeniya Naumova is Executive VP of Corporate Business and Deputy CBDO, Commercial at Kaspersky, responsible for business strategy and sales growth within the region. She holds a PhD in economic science and has written many articles in the media about the development of intellectual potential in industrial enterprises.