Five trends businesses need to consider when planning 2022 cybersecurity budgets
The end of the year means that, whatever the weather outside, it's a hot time to take stock and plan budgets for next year. While the pandemic continues with no end in sight, companies will still need to factor in its ongoing impact: remote working remains to some extent, as does the economic aftermath of the COVID-19 crisis.
To help businesses prioritize when planning budgets for next year, Evgeniya Naumova, Executive VP, Corporate Business at Kaspersky has drawn on several observations from our recent research into the economics of cybersecurity.
- Last year, budgets shrank but it won’t be forever
Cybersecurity budgets for 2021 were planned at the end of 2020 – in the midst of the pandemic. Therefore, many companies seemed to proceed with caution. As a result, the average cybersecurity budget for 2021 remained virtually unchanged for small companies: $267,000, compared to $275,000 in the previous year. But in large corporations, the allocation decreased – from $14 million in 2020 to $11.4 million in 2021.
However, since spring 2021, analysts have been publishing optimistic forecasts about the growth of the IT and information security market: Gartner predicts an 8.4% growth in overall global IT spending in 2021. IDC also forecasts strong growth in IT security spending in regions such as Europe and Asia Pacific.
With continued innovation, digitalization of products and enhanced business processes, organizations will need to keep prioritizing cybersecurity investment. But the demands placed on that investment may change significantly because of these and other factors, which we cover later in the text.
- The financial impact of cybersecurity breaches hasn’t increased significantly, but that doesn't mean we have defeated the cybercriminals
The financial impact of data breaches for SMBs grew slightly in 2021, but for enterprises it decreased by 15%. Nevertheless, this reduction should not be read as a sign that cybercriminals are giving up. The scale of the impact depends not only on the complexity of the attack but also on how the business responds.
A data breach can lead to direct losses such as lost business or fines. The further financial impact also depends on whether the breach has been disclosed to the public: in that case, a company normally has to spend more on additional PR support or on penalties, fines and compensation. The average cost of a data breach for an enterprise that does not disclose the incident is $827,000; if the breach leaks to the press, the cost rises to $1.2 million. This year, fewer companies disclosed data breaches.
Significant cybersecurity investment made in response to previous data breaches, such as improvements in software and IT infrastructure or training for employees, has also borne fruit this year. We see this, for example, in the improving speed of threat detection and response. Our research suggests that every year, organizations are discovering data breaches more quickly. In 2016, only 15% of SMBs and 14% of large companies had systems in place that alerted them to attacks and allowed an immediate or swift response to an incident within a few hours. In 2021, this figure stands at 27%.
- Increased cloud adoption demands dedicated protection
Our year-on-year research has shown that, with the onset of the pandemic, companies have increased their use of cloud services. In 2019, 72% used some kind of cloud – public, private, and virtual desktop infrastructure (VDI). In 2020-2021, this figure increased to 88%.
This shift has changed what cloud infrastructure protection needs to cover. Security projects created in previous years were designed for on-premises infrastructure, so they may no longer be relevant for organizations migrating to the cloud. Organizations need to formulate protection requirements based on their current infrastructure. This demands a dedicated set of cybersecurity solutions covering specific areas such as container protection and identity in the cloud, as well as tools for detecting and responding to complex threats across environments with multiple clouds.
- For complex threat protection, visibility is crucial
The task of IT and IT security is not only to protect the infrastructure from intrusion, but also to keep it efficient and not a constraint on business processes, no matter how fast the IT infrastructure changes. Remote work and the digitalization of a company's processes and products have made securing such a complex infrastructure the second biggest headache for companies, after data protection. One reason is that the more complex the system, the harder it is to keep track of what is happening in it. For two out of five companies (41%), this lack of visibility is the biggest problem when dealing with complex attacks.
In fact, for many companies such a complex environment becomes the number one reason for additional investment. A sophisticated attack often consists of a combination of tactics that look legitimate and are hard to detect individually. Another problem is that the enormous number of alerts generated by various security solutions makes it difficult for analysts to prioritize incidents and see the correlations between an adversary's actions. What is needed is automated detection and response that not only picks up multiple minor signs of attack, but also correlates them with each other and with external threat data. That makes alert triage efficient and reveals the real advanced attack for escalation to incident response teams.
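The correlation step described above, as an added example (not code from the article or from Kaspersky): a toy triage routine that groups low-severity alerts per host into a 30-minute window, counts how many distinct signals and telemetry sources agree, adds weight for any indicator that matches a threat-intelligence feed, and escalates only when the combined score crosses a threshold. The alerts, the indicator list, the scoring weights and the threshold are all constructed for illustration and are not drawn from the research the article cites.

```python
"""Correlating low-severity alerts into incidents before escalation.

Added example: toy SOC triage logic, not code from the article or Kaspersky.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel feed (indicator -> label). 203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges, not real indicators.
THREAT_INTEL = {
    "203.0.113.45": "constructed C2 indicator",
}

# Constructed alerts: each one is too weak to page an analyst on its own.
SAMPLE_ALERTS = [
    {"ts": "2021-11-02T09:12:01", "host": "ws-017", "source": "edr",
     "signal": "office_app_spawned_powershell", "ip": None},
    {"ts": "2021-11-02T09:12:09", "host": "ws-017", "source": "proxy",
     "signal": "outbound_to_rare_domain", "ip": "203.0.113.45"},
    {"ts": "2021-11-02T09:25:40", "host": "ws-017", "source": "edr",
     "signal": "lsass_memory_read", "ip": None},
    {"ts": "2021-11-02T10:30:00", "host": "ws-042", "source": "proxy",
     "signal": "outbound_to_rare_domain", "ip": "198.51.100.7"},
    {"ts": "2021-11-02T14:05:12", "host": "ws-017", "source": "av",
     "signal": "pua_detected", "ip": None},
]

WINDOW = timedelta(minutes=30)   # assumed correlation window
ESCALATE_AT = 3                  # assumed minimum score before IR is paged


def _parse(ts):
    return datetime.fromisoformat(ts)


def _score(host, items, intel):
    """Turn one per-host group of alerts into a scored incident record."""
    signals = {a["signal"] for a in items}
    sources = {a["source"] for a in items}
    iocs = {a["ip"]: intel[a["ip"]] for a in items if a.get("ip") in intel}
    # One point per distinct signal, one per additional telemetry source that
    # agrees, and two for every indicator confirmed by the threat-intel feed.
    score = len(signals) + (len(sources) - 1) + 2 * len(iocs)
    return {"host": host, "start": items[0]["ts"], "end": items[-1]["ts"],
            "signals": sorted(signals), "iocs": iocs, "score": score,
            "escalate": score >= ESCALATE_AT}


def correlate(alerts, intel=THREAT_INTEL, window=WINDOW):
    """Group alerts per host into windows anchored on the first alert
    of each group, then score every group."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)

    incidents = []
    for host, items in by_host.items():
        current = []
        for a in items:
            if current and _parse(a["ts"]) - _parse(current[0]["ts"]) > window:
                incidents.append(_score(host, current, intel))
                current = []
            current.append(a)
        if current:
            incidents.append(_score(host, current, intel))
    return incidents


def triage(alerts, intel=THREAT_INTEL):
    """Split correlated incidents into (escalated, suppressed)."""
    incidents = correlate(alerts, intel)
    return ([i for i in incidents if i["escalate"]],
            [i for i in incidents if not i["escalate"]])


if __name__ == "__main__":
    escalated, suppressed = triage(SAMPLE_ALERTS)
    for inc in escalated:
        print("ESCALATE", inc["host"], inc["start"], inc["signals"],
              list(inc["iocs"]), "score", inc["score"])
    print(len(suppressed), "low-score incident(s) held back from IR")
```

Run stand-alone, it escalates one incident for ws-017 (three different signals from two telemetry sources within a few minutes, one of them contacting an address on the intel list) and holds back the two single-alert groups. The weights are arbitrary; the structure is the point: every alert stays below the paging threshold on its own, and only the combination, enriched with external threat data, reaches an analyst.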
- Need for expertise drives outsourcing and changes in budgeting
While the need for a skilled workforce and expertise is nothing new, this year we saw it become, for the first time, a major motivator for outsourcing cybersecurity. With the rapid adoption of new technologies and changing work patterns, combined with the exponential growth of IT complexity, roughly every second mid-sized and large enterprise (52% and 56% respectively) that entrusts security management to an MSP does so because it needs highly skilled professionals.
When switching to an outsourced provider, businesses may need to adjust their budget process accordingly, because this part of the budget moves from CapEx to OpEx: investment in hardware every few years is replaced by a monthly subscription.
We don't know for sure what new challenges the next year will bring. Despite a natural human desire to play it safe, there is also a great opportunity for change and for bold decisions. This applies to the budgeting process as well: the approach of 'making it similar to last year' won't work anymore. Instead, risk evaluation and modeling should be based on the most recent trends, on the changes happening in the corporate infrastructure and business processes, and most importantly on business needs. Going further, keeping specific systems secure calls for an approach in which protection is considered from the very beginning of development. This secure-by-design approach will help businesses achieve Cyber Immunity from most risks.