Widespread adoption of mainstream IoT in recent years has made it complicated to lock down IT systems and has opened up several new, typically dangerous avenues of penetration. As businesses grow increasingly reliant on technology and internet presence, it has become critical to reevaluate whether economic strategy and budget are sufficient to prevent and handle an IT security breach incident. Research jointly conducted by Kaspersky Lab and B2B International on over 4000 businesses spread across 25 countries shows that while IT security budgets across companies are expected to see consistent growth over the next few years, they still account for a very small proportion of the overall IT budget. While businesses, irrespective of their domain and size, understand the criticality of increasing investment in application and information security, only a very small fraction of them have a precise idea of what counts as sufficient. The study shows that both micro businesses and small and medium businesses have chosen budgets spread over a wide range. While over 66% of VSBs have capped their budget at less than a thousand dollars, the upper 9% are spending tens of thousands of dollars on their application, information and network security requirements.
Here is a snapshot of how businesses allocate their information security budget according to their size.
Note that while 68% of enterprise businesses have already raised their information security budget to over a million dollars, 14% are still languishing under a budget of $250K. The surveyors attempted to find the reason behind such a huge gap in budget allocation among enterprise companies, where the businesses are expected to be aware of the grim consequences of a security breach. It was found that over 50% of executive management finds it difficult to demonstrate the importance of investing in IT security to their senior management. So even where it has been agreed that it is better to be safe than sorry, a decision on what counts as sufficient could not be taken. Small and medium businesses also pointed to technical difficulties and insufficient resources as reasons behind the delay in better budget allocation.
The Wakeup Call
While the reluctance to spend has been widespread, breach incidents have shown no mercy in the magnitude of shock they cause to businesses. According to the study, in the past 12 months alone 21% of participating businesses experienced loss or exposure of data due to targeted attacks. The average direct cost of each attack was $143K USD for SMBs and over $1.4M for enterprises. These figures exclude the losses incurred in the aftermath of an attack, mostly because of damage to reputation or delay in getting back to maximum productivity.
The situation has been grimmer for businesses exposed to zero-day vulnerabilities, which caused losses of over $2M per attack for enterprise businesses.
The charts below show the magnitude of the direct financial impact that different incident types caused to businesses.
While allocating a larger budget cannot guarantee survival from attack incidents, it is more important to take a fresh look at how the budget is allocated. A perfect allocation will not only make businesses more resistant to attacks but also let them minimize the impact of breaches. While hiring a more efficient application and information security team is an option for enterprises, SMBs and startups can better optimize their application and information security budget by relying on managed application security service providers. A good vendor will not only reduce the vulnerability of applications but will also assist in responding to breach incidents in an optimized manner to reduce the impact. With evolving challenges becoming harder to defend against, a perfect security partner for your web and mobile application will take you a step ahead in the bad days.