September 19, 2017 by Canadian Underwriter
The cost of a cyberattack for large enterprises in North America is US$1.3 million, up from US$1.2 million in 2016, according to a new report from cybersecurity company Kaspersky Lab and market research firm B2B International.
The report, titled IT Security: cost-center or strategic investment? and released on Tuesday, is based on a survey of more than 5,000 businesses across 30 countries, Kaspersky noted in a press release. While the average cost of a cyberattack was US$1.3 million for larger companies, the total impact of a data breach in North America now amounts to $117,000 per incident for small- and medium-sized businesses (SMBs).
But businesses are starting to view IT security as a strategic investment and the share of budgets spent on IT security is growing, reaching 18% compared to 16% in 2016. “This pattern is consistent across very small businesses as well as small and medium-sized businesses,” the release added. In 2016, the main reason businesses in North America wanted to increase IT security budgets was new business activities/expansion, but this year the increased complexity of IT infrastructure is driving budget increases.
However, while security appears to be receiving a larger proportion of the IT budget pie, the pie itself is getting smaller. For example, the average IT security budget for enterprises globally dropped from US$25.5 million last year to US$13.7 million in 2017. “This is a concern for businesses, especially given the fact that – unlike IT security budgets – security breaches aren’t getting cheaper to recover from,” Kaspersky said in the release.
In North America, the top financial loss when a data breach occurs stems from additional staff wages needed for enterprises (US$207,000), compared to loss of business (US$21,000) and having to employ external professionals (US$21,000) for SMBs.
Additionally, the most costly cybersecurity threats to businesses are the physical loss of devices or media containing data. For SMBs, the most costly threat is targeted attacks.
“While cybersecurity incidents involving third parties prove to be harmful to businesses of all sizes, their financial impact on a company has the potential to result in twice as much damage,” said Alessio Aceti, head of enterprise business division at Kaspersky Lab, in the release. “This is because of a wider global challenge – with threats moving fast, but businesses and legislation changing slowly. When regulations like [the General Data Protection Regulation] become enforceable and catch up with businesses before they manage to update their policies, the fines for non-compliance will further add to the bill.”