Can You Save Money by Spending on Security?

May 23rd, 2017

When everything is running smoothly, cyber security can go unnoticed by executives. It’s only when things go wrong that it tends to enter their peripheral vision. This often leads to inadequate budgeting or heavy cutbacks. Unfortunately, restricting security funds can result in incidents that cost companies many times more than what they would have spent on security measures.

Because of this, security can be seen as an investment that often has a high ROI, as long as it is applied strategically and intelligently. Although no amount of money and infrastructure can make your systems 100% secure, the right measures can still help to boost a company’s bottom line.


A well thought-out security plan is a balancing act between the costs of implementation and the potential damage of a breach. Sure, your company could invest in complex security measures, but is it justified by the risks you face?

In some situations–such as healthcare–highly advanced security is a necessity. Other businesses may be able to justify a lower level of security, particularly if they operate at a smaller scale and don’t handle sensitive data. Security needs will vary depending on industry and the individual business model, according to both the relevant regulations and the risk profile.

How Much Will Security Incidents Cost You?

Balancing the cost of security measures against the cost of cyber incidents can be incredibly difficult. This is due to the complexity of analyzing and quantifying risks, as well as issues with calculating the total costs of an incident. How can you quantify the damage to your brand reputation after a serious data breach?

To figure out just how much you should spend on your security, it is best to have an understanding of how much money you face losing each year due to cyber incidents. This can be calculated by multiplying the average cost per incident by the estimated number of occurrences each year.

Finding the cost per incident is a challenge because there are many factors involved. It will depend on the size and scale of the breach, as well as the type of data that has been compromised. The costs can include compliance penalties, legal fees, downtime, damage to a brand’s reputation and also remediation.

The total cost can vary depending on the scale of your business, your industry and also your business model. Estimates range widely, with a Kaspersky Lab study stating that the average loss for SMEs is $38,000. A survey by the UK Government and PwC put the cost at between $112,000 and $466,200 for SMEs, while the Ponemon Institute’s 2016 Cost of Data Breach Study put costs at between $145 and $158 per stolen record. This was up to $355 for records that contained healthcare information.

Cybercrime is expected to continue growing over the next several years. Juniper Research estimates that it will have global costs of $2.1 trillion by 2019. Finance, healthcare and government are among the sectors with the highest incident rate, although companies in other areas face mounting threats as well.

How Much Should You Spend on Security?

As with all business spending, cyber security budgets are intended to boost the bottom line. While some security measures may reduce the risks that your business faces, they may also cost too much to justify.

There are several methods to help you calculate an adequate security budget; however, there are large variations in the individual needs of each business and its risk profile. The Gordon-Loeb model posits that a company’s security investment should be no more than 37% of the expected losses from a cyber incident.
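As an added illustration (not part of the original article), the following Python calculator combines the two rules described above: annual loss expectancy as cost per incident multiplied by expected incidents per year, and the Gordon-Loeb ceiling of 37% of expected loss. It also goes one step further than the text and computes a return on security investment for a candidate control, so a budget line can be compared against the loss it is expected to avoid. The per-record costs are the Ponemon figures quoted in this article; the record counts, incident frequencies, control costs and risk-reduction percentages are constructed for the example and are not from any study.

```python
from dataclasses import dataclass

# Gordon-Loeb: spending more than roughly 37% of the expected loss is rarely justified.
GORDON_LOEB_FRACTION = 0.37


@dataclass
class Scenario:
    """A loss scenario for one class of data held by the business."""
    name: str
    cost_per_record: float      # USD per compromised record (Ponemon figures from the article)
    records_at_risk: int        # constructed sample value
    incidents_per_year: float   # expected annual frequency of a breach of this data (constructed)

    def cost_per_incident(self) -> float:
        return self.cost_per_record * self.records_at_risk

    def annual_loss_expectancy(self) -> float:
        # The article's rule: average cost per incident x expected occurrences per year.
        return self.cost_per_incident() * self.incidents_per_year

    def gordon_loeb_ceiling(self) -> float:
        # Upper bound on what it makes sense to spend defending this scenario.
        return GORDON_LOEB_FRACTION * self.annual_loss_expectancy()


@dataclass
class Control:
    """A candidate security measure with an annual cost and an estimated effect."""
    name: str
    annual_cost: float
    risk_reduction: float   # fraction of the scenario's expected loss the control removes (0..1)


def evaluate_control(scenario: Scenario, control: Control) -> dict:
    """Compare a control's cost with the loss it is expected to avoid.

    Returns the expected loss before and after the control, the net annual benefit,
    the return on security investment (ROSI) and whether the control's cost stays
    within the Gordon-Loeb ceiling for this scenario.
    """
    if not 0.0 <= control.risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be a fraction between 0 and 1")
    ale_before = scenario.annual_loss_expectancy()
    ale_after = ale_before * (1.0 - control.risk_reduction)
    avoided_loss = ale_before - ale_after
    net_benefit = avoided_loss - control.annual_cost
    return {
        "control": control.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": net_benefit,
        "rosi": net_benefit / control.annual_cost,
        "within_ceiling": control.annual_cost <= scenario.gordon_loeb_ceiling(),
    }


def rank_controls(scenario: Scenario, controls: list) -> list:
    """Keep only controls that pay for themselves and respect the ceiling, best net benefit first."""
    results = [evaluate_control(scenario, c) for c in controls]
    worthwhile = [r for r in results if r["net_benefit"] > 0 and r["within_ceiling"]]
    return sorted(worthwhile, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample inputs: two data classes with the article's per-record costs.
SAMPLE_SCENARIOS = [
    Scenario("customer records", cost_per_record=158, records_at_risk=10_000, incidents_per_year=0.2),
    Scenario("patient records", cost_per_record=355, records_at_risk=10_000, incidents_per_year=0.2),
]

# Constructed candidate controls (hypothetical costs and effectiveness estimates).
SAMPLE_CONTROLS = [
    Control("encryption at rest", annual_cost=50_000, risk_reduction=0.5),
    Control("managed SOC subscription", annual_cost=150_000, risk_reduction=0.5),
]

if __name__ == "__main__":
    for scenario in SAMPLE_SCENARIOS:
        print(f"{scenario.name}: ALE ${scenario.annual_loss_expectancy():,.0f}, "
              f"Gordon-Loeb ceiling ${scenario.gordon_loeb_ceiling():,.0f}")
        for r in rank_controls(scenario, SAMPLE_CONTROLS):
            print(f"  {r['control']}: net benefit ${r['net_benefit']:,.0f}, ROSI {r['rosi']:.2f}")
```

The ceiling is a budgeting sanity check, not a target: a control that removes half of a $316,000 expected loss for $50,000 a year is worth buying, while the same reduction bought for $150,000 would still show a small positive return but exceeds the 37% ceiling, which is the model's signal that the money is better spread across other risks.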

A study from Gartner estimates that businesses currently spend about 5% of their IT budget on security. This figure is quickly rising as business services continue to move online, with organizations increasing their information security funding by 24% in 2016.

A Ponemon report showed that the average US company with 1,000 or more employees is spending $15 million each year against cybercrime. It needs to be noted that these figures also include the costs of recovery from attacks, rather than just the money the businesses are putting into their security. Smaller businesses will obviously be spending significantly less money to deal with cyber incidents.

Investing in the Right Kind of Security

Where the money is spent is far more important than the dollar value of your security spending. A poor security plan will not be able to keep your business safe, no matter how much of your budget you throw at it. Each business will have different needs, so it is important to do a thorough analysis of the risks your company faces.

This analysis can be used to come up with a comprehensive security plan, with adequate protections in place to address your unique risks. To maximize your security investments, it is important not to engage in security for security’s sake, but to take measures that work towards reducing the threat level.

One of the biggest decisions will be whether to take care of your security in-house or to outsource it to professional firms. Smaller companies may find it more cost-effective to outsource much of their security needs, while larger companies may also find benefits in using specialists. Using cloud services may be another way that businesses can outsource some of their security responsibilities.

If your business needs a complete security overhaul, the first step should be a thorough audit. From here, you can evaluate what is necessary for an effective security program. A Ponemon study on larger businesses revealed that the technologies with the highest return on investment included security intelligence systems, encryption, firewalls, risk and compliance tools, automated policy management tools, as well as data loss prevention tools.

Additional factors that helped to save money included IT governance, employee education, having expert security professionals and using security metrics effectively. Although cyber insurance may not be a security measure, it is definitely a worthwhile consideration that could help your business recover from worst-case scenarios.

Make Sure Your Security Measures Are Current

The threat landscape in the online world is constantly changing and your organization needs to evolve alongside it. Even if you implement comprehensive security practices, they can quickly become ineffective if you neglect maintenance, updates and upgrades.

It is best to have your security plan headed by professional engineers who are knowledgeable about the latest threats. They can use their skills and expertise to keep your systems secure by running the latest software, looking for vulnerabilities, monitoring for attacks and running patches when necessary.

Keeping your systems secure isn’t a one-off endeavor, but a continuous and dynamic process. While it may seem complex and expensive, the overall goal is to save your business money by employing the right skills and technologies to reduce the risk of cyber incidents.

Cyber security is a lot like staying healthy – it’s much cheaper to prevent illnesses through living well than to cure them. Some people assume they won’t get sick and some companies assume they won’t be the next victim. This attitude doesn’t help, because when it does happen, the effects are devastating.

Keep your company healthy and invest in the appropriate preventative measures. The odds are that they’ll save you in the long run.