With the end of the year approaching, many companies will look ahead and begin to plan budgets for next year. Now more than ever, planning budgets in advance has become a challenge as the pandemic continues to be an uncertain factor that companies have to consider. Will employees still be inclined to participate in remote work, and how will sales fare due to the economic aftermath of the COVID-19 crisis?
To help businesses understand the best ways to plan budgets for next year, recent research shows the following five areas will be important to consider.
1. Budgets declined in 2021, but that won't continue to be the case
Cybersecurity budgets for 2021 were planned at the end of 2020, a very uncertain time for businesses due to the pandemic. Therefore, many companies seemed to proceed with caution when it came to setting budget expectations. As a result, the average cybersecurity budget for 2021 remained virtually unchanged for small companies at $267,000, compared to $275,000 in the previous year. In large corporations, the allocation decreased from $14 million in 2020 to $11.4 million in 2021.
However, since spring 2021, analysts have been publishing optimistic forecasts about the growth of the IT and information security market. Gartner predicts an 8.4% growth in overall global IT spending in 2021, and IDC also forecasts strong growth in IT security spending in regions such as Europe and Asia Pacific. These positive predictions come at an important time: innovation, digitalization of products and enhanced business processes are on the rise, making it important for organizations to prioritize cybersecurity investments.
2. Cybercriminals are still at large despite the seemingly steady financial impacts of attacks
The financial impact of data breaches for SMBs grew slightly in 2021; for enterprises, however, it decreased by 15%. Nevertheless, this shouldn't be read as cybercriminals backing down, because the scale of the impact depends not only on the complexity of the attack, but also on how the business responds.
For example, a data breach can lead to direct losses including business loss or fines. Further financial impacts also depend on whether a breach has been disclosed to the public. In this case, a company normally has to spend more on additional public relations support or on paying penalties, fines and compensation. As such, the average cost of a data breach for an enterprise that doesn't disclose the incident is $827,000. However, if the breach leaks to the press, the cost rises to $1.2 million. As it happens, fewer companies disclosed cases of a data breach this year.
Cybersecurity investment in incident response to data breaches, such as improvements in software and IT infrastructure or training for employees, was also substantial this year. This is clear from the positive trend in threat detection and response speed, with research suggesting that organizations are discovering data breaches more quickly each year. In 2016, only 15% of SMBs and 14% of enterprise companies had systems in place that alerted them to attacks and allowed immediate or swift response to an incident within a few hours. In 2021, this figure has grown to 27%.
3. Increased cloud adoption demands dedicated protection
Year-over-year research has shown that, with the onset of the pandemic, companies have increased their use of cloud services. In 2019, 72% of businesses reported that they used some kind of cloud service whether it be public, private, or virtual desktop infrastructure (VDI). In 2020-2021, this figure increased to 88%.
This shift has changed what cloud infrastructure protection requires. Security projects created in previous years were designed for on-premises infrastructure, meaning they may no longer be relevant for organizations migrating to the cloud. Customers need to formulate protection requirements based on their current infrastructure. This demands a new dedicated package of cybersecurity solutions, covering specific areas such as protection of containers or identity in the cloud, as well as tools for complex threat detection and response in environments with multiple clouds.
4. For complex threat protection, visibility is crucial
The task of IT and IT security is not only to protect the infrastructure from intrusion, but also to keep it effective and not limiting to business processes, no matter how fast the IT infrastructure changes. Remote work and digitalization of a company's processes and products have made securing such a complex infrastructure the second biggest headache for companies, behind only data protection. One of the reasons is that the more complex the system, the more difficult it is to keep track of what is happening. For two out of five companies (41%), this is the biggest problem when dealing with complex attacks.
In fact, for many companies such a complex environment becomes the number one reason for additional investments. A sophisticated attack often combines tactics that appear legitimate and are hard to detect. Another problem is that the large number of alerts generated by various security solutions makes it difficult for analysts to prioritize incidents and see the correlations between an adversary's actions. There is a need for automated detection and response that can not only detect multiple minor signs of attack, but also correlate them with each other and with external threat data. That will ensure efficient alert triage and reveal the real advanced attack for further escalation to incident response teams.
5. The need for expertise drives outsourcing and changes in budgeting
While the need for a skilled workforce and expertise is nothing new, this year, for the first time, we saw it become a major motivator to outsource cybersecurity. With rapid adoption of new technologies and changes in work patterns, combined with the exponential growth of IT complexity, mid-sized companies (52%) and large enterprises (56%) that entrust security management to an MSP do so because they need highly skilled professionals.
When switching to outsourced companies, businesses may need to adjust their budget process accordingly. It is likely that part of the budget will move from CapEx to OpEx expenditures, and hardware investments that were made every few years will instead turn into a monthly-paid subscription.
Not knowing what challenges next year will bring, coupled with a natural human desire to play it safe, leaves a tremendous opportunity for change and for bold decisions, particularly when it comes to budgeting. The approach of "making it similar to last year" won't work anymore. Instead, risk evaluation and modeling should be based on the most recent trends, on changes happening in the corporate infrastructure and business processes and, most importantly, on business needs. To go the extra mile in keeping systems secure, a new approach is needed in which protection is considered from the very beginning of development. This "secure by design" approach will help businesses achieve a higher level of cyber immunity from potential risks.