3WaySecure Consulting

How much should you be spending on cyber security?

As cyber-attacks evolve, it is critical for businesses to invest wisely in cyber security, yet determining a cybersecurity budget is a challenging task. This article explores how proactive cybersecurity can maximize profits, three critical areas of cybersecurity worth considering for investment, and three recommendations for setting cybersecurity budgets.

How proactive cybersecurity can maximize profits

Proactive cybersecurity is about identifying and addressing security risks before an attack occurs; it focuses on prevention. If an organization only acts after an attack has taken place, the damage can be far greater than expected. According to IBM's Cost of a Data Breach Report 2021, the average cost of a data breach rose to $4.24 million, up about 10 percent from 2020. The same report found that breaches in which remote work was a factor cost on average $1.07 million more than breaches in which it was not.

Organizations now realize that no business is immune to cybercrime, and that it is cheaper to prevent an attack than to repair the network after one has happened. Investigation and incident response are time-consuming and expensive, and proactive cybersecurity reduces both. According to the same IBM report, it took organizations an average of 212 days to identify a breach in 2021 and another 75 days to contain it. A breach that runs undetected for that long requires a significant investment to remediate.

Proactive cybersecurity helps businesses identify and fix vulnerabilities through penetration testing before an incident occurs, and continuously monitor systems for misconfigurations and malware intrusions so that staff are notified as soon as problems arise. In this way the resources that would otherwise go to investigation and incident response are reduced.

Three critical areas of cybersecurity budgets worth considering for investment

As with any budget, it is essential to identify the areas worth investing in for an organization's cybersecurity program. We focus on three.

a) Risk Management

Risk management involves personnel at every level, from executive management to part-time staff and technicians, and is a key area for budget spending. It can be implemented by adopting a framework such as the NIST Framework for Improving Critical Infrastructure Cybersecurity. Identifying and managing an organization's risk on a continuous basis is a crucial undertaking, achieved by performing periodic risk assessments. A risk assessment identifies internal and external threats and estimates each threat's likelihood of occurrence and its impact; combining these inputs gives the risk to the organization. Because businesses do not have unlimited budget or personnel, the identified risks must then be treated in order of priority.

b) Employee training

Employee training is one of the proactive cybersecurity measures an organization can take, and it is worth a share of the allotted budget. According to Sophos' The State of Ransomware 2021 report, the cost of remediating a ransomware attack more than doubled in 2021. Meanwhile, Egress research found that 83 percent of organizations suffered a data breach via email in the preceding year, 24 percent of which were caused by employees sharing data in error. Employees are therefore an important risk factor that organizations need to address. Furthermore, responsibility for cybersecurity must not be limited to the security team; it is a collective responsibility.

Any employee with access to a work-related computer or mobile device should receive comprehensive cybersecurity awareness training, because attackers can target anyone. Employees should be trained to understand the current threat landscape, the characteristics of common attacks, routine defensive procedures, and the organization's security incident response plan. By providing security awareness training to all employees, organizations reduce the likelihood of financial losses that result directly from a lack of security awareness.

c) Network security solutions

Installing suitable network security solutions is an important area of budget spending, and robust network security supports operational and business continuity. It is essential to choose carefully which security solutions or measures to spend the budget on: investment in network security solutions must be proportionate to the risk the company's network faces. Evaluate the risks to your organization and the potential value of each network security solution before making an investment decision.

When budget or talent for network security, particularly in OT environments, is limited, an organization may decide to outsource some of the related functions. Whether to outsource the security function or to deploy and manage network security solutions internally is itself a crucial investment choice, and it should be made by drawing on all internal and external expertise available to the organization.

Three recommendations for cybersecurity budgets

a) Understand the services that need to be protected and why

For any organization, the most important priority is the achievement of its key business goals, which translates into sustainable development of the business. In recent years both large and small companies have recognized the importance of cybersecurity, but their approach to it is inconsistent, because they lack a clear understanding of what needs to be protected and how critical it is to the business. Every organization must understand which cyber security measures are appropriate for its business. For example, banks need to protect customers' personal and financial information and protect customers' assets from fraud. Medical institutions need to protect patient records to prevent identity theft. A manufacturer needs to make and sell goods for profit and must protect its manufacturing processes and systems from attack.

Without determining which cybersecurity measures matter most to the success of the business, an organization will find it difficult to allocate its cybersecurity budget properly and is likely to waste resources on areas that are not a priority. All organizations therefore need to focus on protecting the operations critical to their business and to plan the cybersecurity budget around them.

b) Align your expected expenses with potential losses

Businesses should not blindly follow general advice when determining reasonable cybersecurity spending. An adequate cybersecurity budget does not spend more to protect an asset than the loss its compromise would cause. In other words, spending more on a security measure that has recently become popular does not mean the organization's investment is better protected, because the organization may not need that measure at all.

c) Take a holistic view

When allocating cybersecurity budgets, the organization needs to consider the talent, workflow, and tools required for each project. Effective cyber security depends on several elements working together: sound technology, a capable team, good use of tools, and a good process. Investments that help the business achieve its goals through effective cybersecurity are worth the budget, and this multifaceted allocation helps the security department work effectively.

How much your organization should spend on cyber security is rarely a clear-cut decision. Companies need to budget for cyber security based on their specific business needs and environment. By focusing on what is really important to the business, organizations can prioritize their cybersecurity spending in a way that helps maximize profits. As discussed above, proactive cybersecurity is one way to do this, so whether your organization needs proactive cybersecurity is also an investment decision worth considering.
