How Much Money Should You Invest in Preventive Cybersecurity?

It’s a difficult question that many companies and organizations ask themselves, “How much is enough?” One of the aspects that makes it so difficult to set a budget and obtain funding for preventative cybersecurity is that many companies don’t really know the costs they’ll be facing if they’re victims of a cyber breach. By contrast, organizations can readily make risk-based investments in related areas like information security by basing them on the GDPR fine amount (up to 4%).

  • Insight

Calculate a cybersecurity budget

Many companies haven’t done their homework to calculate how much a cyber breach will actually cost. A serious breach can result in 21 days without any IT capability for an organization. What impact would that have on your business?

According to Radar, one out of every ten kronor spent on IT should be invested in preventive cybersecurity. Many companies are nowhere near that number. However, we’re certain we’ll see a change related to monetary investment in this area in the next few years. An interesting parallel is to look at the cost of cybersecurity insurance over the past few years. It’s common knowledge that there’s been a substantial increase in the yearly premiums; however, there have also been changes for the worse when it comes to the terms of the insurance. For obvious reasons, insurance companies are involved in many more cyber breaches than other companies. Consequently, their insurance premiums are based on their analysis and forecast of cyber breach trends in the coming years. Perhaps organizations should consider following insurance companies’ increases in premiums and correlate them to their investments in preventive cybersecurity.

Reduce the potential cost of a cyber attack

It’s statistically shown that investing in your cyber resilience can reduce the total cost of a breach by up to 60%. There’s no such thing as a bullet proof cyber defense, but there are many levels of prevention that an organization can invest in to ensure that the impact is minimized as much as possible in the event of a breach.

According to Radar, 33% of the companies in their study had a budget for cybersecurity in 2021. In 2022, that number had increased to 90%. However, only 35% of the companies can match the one out of every ten kronor spent on IT investment recommendation.

Emerging Well-Funded Threat Actors

Groups of threat actors have adapted. Sophisticated organizations now produce encryption programs and scripts as a service, selling products to smaller groups. The risk of being caught is low, and the rewards can be significant. The scalability of the business model has enabled groups to grow and attract talent.

All this means we’re living in an environment where well-funded threat actors regularly employ new technologies to bypass security systems, making it harder than ever to maintain a truly secure infrastructure.

Building Resilience to Cyber Attacks

We often meet businesses using state-of-the-art technologies that aren’t kept up to date. The issue is symbolic of a broader habit of relying on technology without carrying out the processes that need to be combined with it. It used to be okay to perform updates once a month or so, but nowadays, you can’t give threat actors that much time.

Having the right processes in place also applies to detecting threat actors if they gain access to your systems. One of the quickest steps toward achieving a robust resilience to cyber attacks is bolstering detection capabilities, particularly while an organization is working to increase its cybersecurity capability in other areas.

See Results from the First “Krona” Invested

Our approach and recommendation are that even if you initiate an extensive “Security Enhancement Program” or something similar, you should demand results from the first krona (or dollar) you invest. Of course, some things will take time, possibly years, to establish. But why start with the things that will enhance your security posture only after one or two years? The threat actors today don’t care if you’ll have control of your assets in one or two years. So, start with the things that make a difference now. For example, you can implement a tiering model, discover whether your backups can be manipulated, know what you have exposed to the internet, ensure your current cybersecurity investments are configured in the best way possible, and more. And, of course, ensure you have a partner with the experience to know what’s needed and what actually works.