• Your shield in Cyber Security

How much should you spend on Cybersecurity?

Paul A. Watters – Ionize
and Simon Brown

It’s a question that is asked time and time again, and it may well be the most important commercial question in relation to cybersecurity investment: how much should I be spending on cybersecurity? As with the answer to most questions, this needs to be broken down into a number of sub-questions, some of which are easier to answer than others. Rather than offering a simple answer to a complex problem, we analyse the question as follows:

  • Should you follow a fixed percentage guideline of revenue? Or profit? It depends on whether you are trying to protect profits or revenue. As always, we would advocate a risk-based approach – if cyber threats affect your revenue, eg, by denying service to your customers, then calculate a budget as a percentage of revenue. On the other hands, if you have stable revenue but variable costs that reduce profits, eg, by having to pay ransoms, then calculate as a percentage of profit.
  • Is your financial management approach traditional or modern? Is this dictated by business practices, eg, an agile, high growth business, or by a regulator, eg, banks and financial services companies?
  • Are some risks worth spending a fixed cost against to prevent cyber incidents, eg, endpoint protections, or should investment be weighted towards response which may have variable costs, eg, third party incident response?
  • Is it worth investing anything at all if the potential consequences are low or negligible? Or to put another way, do you know what your “crown jewels” are, versus systems, networks and data that are peripheral and not worth protecting?
  • Is it worth investing anything at all if the potential consequences are low or negligible? Or to put another way, do you know what your “crown jewels” are, versus systems, networks and data that are peripheral and not worth protecting? o $10m for critical infrastructure o $14m for financial services o $8m for government entities o $16m for industrials The difference between the smallest entities and the largest was considerable, ranging between $2m and $65m. As a percentage of overall IT budgets, the average was 7.5%. Internationally, Prosegur[2] report an average 10%, suggesting that Australian entities are still underinvesting in cybersecurity.
  • What percentage of revenue should be spent on ICT, will then determine the percentage spent on cybersecurity. Computer Economics published data in 2019 across 25 industry sectors, but the summary (as a percentage of revenue) was as follows, using the 25th, 50th and 75th percentiles: o Manufacturing: 1.4, 2.3, 3.2% o Financial Services: 4.4, 7.9, 11.4% o High Tech: 2.6, 3.65, 4.7% o Retail: 1.2, 2.1, 3.0% o Health Care: 3.0, 4.45, 5.9% The average across all sectors at the 50th percentile was 2.5% of revenue. So in the Australian context, cybersecurity budgets should be roughly 2.5% of 7.5% of revenue. For a $100m company, this suggests a budget of only $187,500. Given that the average salary for even a single cyber analyst in Melbourne is $128,778 (with 35% on-costs, this rises to $173,850), it seems obvious that adopting an average of averages approach would not even begin to address the resourcing needed for an internal cyber team. If you really want to break down cybersecurity costs further, Cynet have developed a very detailed budget template which is freely available[3]. Does this mean that Australian entities are likely underinvesting in cybersecurity on average? We believe that this simple exercise indicates that this may be the case. However, it’s also important to note that not all companies – even with $100m revenue – may need full-time cybersecurity staff. Using a Managed Security Service Provider (MSSP), for example, may be one way to access a broad range of services on an “as needed” basis, which could prove cost effective. RSI[4] suggest that an MSSP budgets per user range from US$99-250 per month, or A$141-357. As an average, this conveniently works out at $A249 per month, or $2,988 per annum. Taking our budget of $187,500, the implies that something on the order of 62.75 could be supported by an MSSP. Multiplying out the ABS data on SMEs (50 employees or $25m revenue), a $100m company may employ something on the order of 200 people[5]. So while the average case of 62.75 employees on the highest package seems expensive, in fact, the cheapest case is quite close: $141 per month would cover 98.99 employees. Can we then conclude that Australian business should be doubling their cybersecurity spend, even using the cheapest case? It’s hard to draw such a broad conclusion from some simple numerical modelling. Yet it is also true that some Australian entities are repeatedly attacked, while others seem to be better able to defend and prevent. This is almost certainly a function of overall investment, but also investment in the right categories. Further research is required to fully prove the case for cybersecurity investment to protect both revenue and profits. It’s important to note that Boards an executives must manage a number of competing demands when devising budgets, and not just cyber budgets – every dollar spent on cybersecurity controls may be perceived as reducing profits and shareholder returns. In the current market, Boards may be willing to tolerate higher levels of cyber risk, to maximise profits. At the end of the day, a good CISO will be able to amplify and clarify which elements of cybersecurity spend will have the greatest impact within a given context.

 

Additional Resources

CISO Lens Benchmark: https://www.cisolens.com/benchmark

Prosegur Cyber Budget Report: https://cipher.com/blog/three-approaches-to-setting-cyber-security-budgets/

Cynet Cyber Budget Template: https://go.cynet.com/the-ultimate-security-budget-template

RSI MSSP Budgeting: https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/#:~:text=When%20looking%20for%20a%20managed,dollars%20per%20user%20per%20month.

 

[1] https://www.cisolens.com/benchmark

[2] https://cipher.com/blog/three-approaches-to-setting-cyber-security-budgets/

[3] https://go.cynet.com/the-ultimate-security-budget-template

[4] https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/#:~:text=When%20looking%20for%20a%20managed,dollars%20per%20user%20per%20month.

[5] https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/pubs/rp/rp1819/SmallBusinessSector

 

Stay Up to Date

Latest News

IDENTITY THEFT – Consumer Support

Paul Watters – Ionize

 
 

The Optus data breach has shown just how exposed everyday Australians are to identity theft. The prospect of millions of customer records – including such sensitive information as driver’s license and passport numbers, security questions, birthdates and so on – falling into the wrong hands exposes the weaknesses in the way our corporate information systems are designed and managed. Note that there is nothing unusual or particular to Optus in these comments – every company you deal with is capturing and storing your information in a way that makes it easy for them to service your needs. You do this every day – banking, insurance, superannuation, even online shopping – your personal data needs to be shared in order for you to function in today’s society.

While you can do a lot to prevent identity theft – such as checking privacy statements, only sharing information where and when you should, and so on – the Optus case clearly shows that data breaches are inevitable. So what can YOU do to respond? In cybersecurity terms, we would say protect yourself as much as you can, but accept the “residual risk” of a data breach, and make sure you respond. Here’s our step-by-step guide to support you:

 

1. Check if your passwords have been compromised: check haveibeenpwned.com regularly to see if your passwords have been shared in a data breach, or are for sale on the black market. Generate complex passwords where you can, and use a password manager to store them.

 

2. Monitor your credit score(s): by law in Australia, you have the right to check your credit score. Equifax.com.au and others provide free credit report checking which won’t affect your right to apply for credit in the future. Credit agencies keep track of when people apply for loans, so this will be the first indicator that someone may be trying to take out credit in your name. If you find mistakes or errors, or don’t recognise a check, you can ask that the records be removed. This is one of the most serious issues for consumers – a data breach and an attacker repeatedly trying to get credit in your name could stop you from getting a home or car loan.

 

3. Block credit applications: using an app like Credit Savvy will block all applications for credit in your name for 21 days. DO THIS NOW if you are an Optus customer. This will give you breathing space to make any necessary changes (such as passwords) that may prevent data breaches. Every 21 days, you can request a further extension. Unless you plan to apply for credit, keep this door shut at all times.

 

4. Monitor SMS and authentication codes: if you see a suspicious text or authentication message asking for access, this may indicate that someone has accessed one of your accounts and is trying to get authenticated using “two factor” authentication. With two factor authentication, you can only gain access by using both a password and a one time code sent to your phone or an app. Didn’t request a login? Then don’t authenticate, and make sure you contact the company whose service is being targeted.

 

5. If your data is breached: you can’t change your date of birth, but anything you can change – such as a mobile phone number that is used to receive authentication codes, or a driver’s license number – should be changed if you know that your data has been breached. While doing this may be costly and time consuming, you need to make sure that criminals can’t do much damage to your financial health and wellbeing.

 

Last words

As we say in the industry, the real cost of security is eternal vigilance – expect an attack, be prepared to respond, and you can minimise any damage or losses.

 

Further Reading

Ten High Impact Things You Can Do To Improve Cyber Security

Stay Up to Date

Latest News