The cost of cybersecurity and how to budget for it

With the end of the year approaching, businesses are busy crunching the numbers for 2020. There are a lot of factors that go into building an annual budget, and small businesses are often left to juggle competing priorities for where to invest.

Cybersecurity is one priority, in particular, that is on just about everyone’s radar in some way, shape or form for 2020. With national news and anecdotes regularly featuring stories of cyberattacks to businesses of all sizes, small businesses are starting to wonder about the risks they face and whether they’re doing enough to protect themselves.

As with many core business functions, cybersecurity often requires a monetary investment and therefore needs space on your budget. The need for cybersecurity isn’t going away any time soon, it’s actually becoming more and more relevant for small businesses. That’s why it’s important to consider cybersecurity as a business, financial and practical priority in 2020. This article will discuss what you need to know about budgeting for cybersecurity, including:

• Why cybersecurity should be a part of your business – and your budget
• The potential cost of a data breach and the resulting ROI of a cybersecurity program
• How to decide how much to spend on cybersecurity
• How to maximize your investment to best protect your company

Put the calculator down and the thinking cap on. Here are a few thoughts worth considering as you plan and budget for the year ahead.

Why budget for cybersecurity?

Cybersecurity is an area that affects businesses of all sizes, including small businesses. In fact, about half of all cyberattacks target small businesses and 68% of small businesses have experienced a cyberattack in the last 12 months. In addition to simply protecting your company from the cost and disruption of a cyberattack, companies roll out cybersecurity programs for a variety of reasons:

• Pressure from their board of directors or other stakeholders demanding improved prioritization and employment of everyday cybersecurity practices
• Third-party cybersecurity risk assessments and other vendor requirements, which are becoming more prevalent across the board and increasingly a part of contractual considerations
• Compliance standards (e.g. GDPR, PCI, and HIPAA) and national or state regulations that legally require companies to maintain cybersecurity standards
• Need for a competitive advantage for large projects or contracts

Cybersecurity is a broad field, so defining specific goals and improvements can be helpful as you build your budget. We see small businesses investing in a few key areas to help with specific cybersecurity challenges:

• Risk assessment, business preparation and continuity, and incident response
• Training employees to be cyberdefenders, reducing the danger of phishing emails and other social engineering attempts
• Network and website vulnerability identification and management
• Regular scanning and testing, including dark web scanning and ethical hacking

Think your company doesn’t have a seemingly obvious challenge or external motivator for prioritizing cybersecurity? Think again and consider an assessment to see just where you stand. In today’s world and modern criminal landscape, all companies are at risk of a damaging and disruptive cyberattack. And it’s not just your company that could be affected: Your employees, customers, and any third parties you work with could see fallout from a cyberattack to your business. The only way to help prevent an attack is to strengthen your understanding, posture, and defenses, a process that merits investment for every small business.

How much does a data breach cost?

The costs stemming from a cyberattack can vary tremendously but are inarguably significant. Recent studies have shown that the average cost of a data breach to Small Business can range from $120,000 to $1.24 million. And that’s strictly limited to a small business market. Stepping outside the small business filter, IBM’s 2019 Cost of a Data Breach Report recently found that the average cost of a data breach was $3.92 million, and that breaches cost smaller businesses more relative to their size than large businesses.

It’s important to keep in mind that the true cost of a data breach isn’t always what it appears. Expenses can be spread out over time, with about a third of expenses coming after the first year following the breach. There are a wide variety of costs associated with a data breach, some of which are obvious and repairable, others of which are more ambiguous and/or irreparable.

For example, direct costs may include:

• Monetary theft
• Remediation and system repair
• Regulatory and compliance fines
• Legal and public relations fees
• Notification, identity theft repair and credit monitoring for affected parties
• Increase in insurance premium

Indirect costs may include:

• Business disruption and downtime
• Loss of business or customers
• Loss of intellectual property (IP)
• Damage to company credibility, brand and reputation

The IBM report also showed that key cybersecurity steps like incident response team and plan formation, encryption, employee training and cyberinsurance all helped to reduce the cost of a breach. So even if your company does experience an incident, cybersecurity can help mitigate the damage and reduce the cost. The concept of cyber resilience is gaining steam and something that deserves understanding and attention. Given the potential expense and negative impact of a data breach to a small business, any budget you can dedicate towards improving your company’s cybersecurity posture is money well spent.

 How much should you spend on cybersecurity?

As with any component of business, there are a lot of factors that influence how you build a cybersecurity budget. A few to consider are:

• Your industry and company size
• Compliance and regulation mandates affecting your business
• The sensitivity of the data you collect, use and share
• Requests from company stakeholders or customers

The actual amount companies spend on cybersecurity is often tied to their IT budget, which helps account for company size and IT infrastructure. Estimates of what companies currently pay vary, ranging from an additional 5.6% to up to 20% of the company’s total IT spend. For example, say a 40-person company pays $3,000 per month to an IT managed service provider to cover their IT needs. Their cybersecurity budget would come in somewhere between $168 and $600 per month – a significant, but not unattainable amount – and well worth it given the potential cost of a cyberattack.

That’s not to say that you have to spend a lot of money all at once. If you haven’t had a cybersecurity budget before, try working a small amount into your 2020 numbers. A little bit can go a long way; for a relatively small investment, you can take the important first step of a cybersecurity risk assessment, then begin chipping away at key improvements.

Your cybersecurity provider can often help you identify the highest priority – and lowest cost – items to tackle with your limited budget. From there, you can tailor your cybersecurity program and slowly grow your budget in the coming years to provide enhanced protection and help mitigate risks. Just make sure it’s just that: an ongoing program, not a one-time project.

Small businesses often operate on a tight budget, and in some cases, the person building and approving the budget may not know the value of cybersecurity. If you’re facing hesitation from leadership, stakeholders or the board of directors, performing a basic risk assessment can be a great way to show them where your company stands and how an investment could bolster protection. Leadership – whether the board, C-suite or company owner – has a responsibility to guide the company in the right direction, and that includes protecting the company from threats.

The bottom line

Cybersecurity is no longer a “nice to have” – it’s a “need to have” for business, and it needs to be a part of your business’s budget, too. However, it’s important to note that cybersecurity protection isn’t purely a function of money spent. A comprehensive cybersecurity program doesn’t have to cost a lot of money, but it does require prioritization and commitment from leadership, IT and employees.

On the flip side, no matter how much money a company dedicates to strengthening its cybersecurity posture, there’s no such thing as a guarantee of 100%, complete protection. A company’s best bet is to deploy a multifaceted, ongoing cybersecurity program using a combination of resources, training and time to help keep them cyber-strong and to potentially mitigate costs in the case of an incident.

At some point in the not-too-distant future, cybersecurity will be a standing line item on all business’s profit and loss sheet. Just like small businesses build a cost for their accounting software or building alarm system into their finances, they need to start including cybersecurity as a standard expense and business priority. The cost of a comprehensive cybersecurity program is a small price to pay for the peace of mind you’ll enjoy knowing your company is better protected.

This article was written by Andrew Rinaldi and originally appeared on business.com.