Survey finds that cyber security budgets are up; with additional investments being made in risk identification and resilience

Published: Friday, 12 July 2019 07:29

Companies worldwide expect to boost their cyber security investments by 34 percent in the next fiscal year, after raising them by 17 percent the previous year, according to a new study covering 467 firms across industries and based in 17 countries. About 12 percent of companies surveyed plan to bolster their cyber security investments by over 50 percent.

These increases come in the face of growing annual losses from cyber attacks, which for companies surveyed averaged $4.7 million in the last fiscal year—with more than one in ten firms losing over $10 million. That average loss equates to 0.114 percent of revenue across all firms surveyed. Losses are more severe for mid-sized companies than for large and very large companies, which have already taken greater action to secure their businesses.

Many executives believe that their cyber security investments are paying off. Firms report a decline in the impact from untrained staff, social engineers, and unsophisticated hackers over the last nine months.

ESI ThoughtLab’s survey shows that the impact of cyber attacks from malware, phishing, and mobile phone apps also decreased over that period. Yet the escalation in overall reported cyber losses highlights that cyber security is an ever-evolving struggle, as hackers target not just individual companies but whole industries, searching for any vulnerability.

Although the impact from certain types of attacks has fallen, the survey shows a rise in others, such as incursions through company supply chains and ecosystems.

“This is an example of what we call the ‘balloon effect’ in cyber security, where squeezing down on risks in one place causes others to appear elsewhere,” said Lou Celi, ESI ThoughtLab’s chief executive officer. “Thanks to improved cyber security, companies are more effectively mitigating risks from unintentional and less sophisticated threat actors, but more advanced adversaries are still finding a way in.”
The research shows that to combat evolving risks, companies need to take a proactive, multi-layered defense / defence, approach. Firms are responding by allocating the biggest share of their budgets to technology, while seeking the right balance between investments in people and process. They are also focusing more on risk identification to address emerging vulnerabilities and are investing more in resilience to ensure they can respond quickly to successful attacks.

Other calls to action from the study include:

Survey details

ESI ThoughtLab and WSJ Pro Cybersecurity carried out the survey in the spring of 2019 as part of a global research initiative titled The Cybersecurity Imperative. This survey is a follow-up to a more comprehensive survey of 1,300 companies conducted in the fall of 2018. The latest survey was developed to track how executives’ investments, plans, and perspectives have changed over the last nine months.

Download an executive summary of the results.

The Cybersecurity Imperative program was conducted with a coalition of leading organizations with expertise across the cyber security space, including Baker McKenzie, CyberCube, HP, KnowBe4, Opus, Protiviti, the Security Industry Association, and Willis Towers Watson.