According to the new Kaspersky report ‘Investment adjustment: Aligning IT budgets with changing security priorities’, cybersecurity remains a priority for investment among businesses. Its share of IT spending has grown from 23% in 2019 to 26% in 2020 for SMBs, and from 26% to 29% for enterprises. 71% of organisations also expect their cybersecurity budget to grow further in the next three years. This is despite overall IT budgets decreasing in both segments amid the COVID-19 pandemic, and cybersecurity cuts affecting the most economically hit SMEs.
External conditions and events can influence IT priorities for businesses. As a result of the COVID-19 lockdown, organisations have had to adjust plans to meet changing business needs – from emergency digitalisation to cost optimisation. The Kaspersky report, based on a survey of more than 5,000 IT and cybersecurity practitioners, observes recent IT security economics trends and how they correlate with this year’s events.
The Kaspersky Global Corporate IT Security Risks Survey (ITSRS) interviewed 5,266 respondents across 31 countries. Conducted by B2B International and commissioned by Kaspersky, fieldwork took place in July 2020.
The share of IT budget dedicated to IT security continues to grow year-on-year, even though the overall IT budget has fallen from $1.2 million in 2019 to $1.1 million in 2020 among SMEs, and from $74.1 million to $54.3 million for enterprises. This decrease may be due to the consequences of the global coronavirus pandemic, according to Gartner, whose experts also predicted that budgets would decrease earlier this year.
As a result, in monetary terms, small and medium businesses allocated $275,000 to cybersecurity while enterprises invested $14 million. The majority of companies are expecting these figures to grow in the next three years by 11% in enterprises and 12% in SMEs, on average. 17% believe it will remain at least the same as this year.
IT security budget as a share of overall IT budget
However, one-in-ten (10%) organisations said they are going to spend less on IT security. Interestingly, the main reason for this across enterprises is the deliberate decision of top management, who sees no point in investing so much money in cybersecurity in the future (32%).
Among SMBs, the reason to reduce spend in this area is primarily dictated by the need to cut overall company expenses and optimise budgets (29%). Small and medium organisations were hit hardest by the lockdown: more than half of small companies globally reported a decline in sales or experienced cash flow constraints. It is clear that those affected have needed to optimise their expenses to survive. But while this impacts cyber-protection, it’s important for businesses to find a way to keep safe from cyber-risks in such a challenging time.
“2020 has put many companies in situations where they needed to respond, so they wisely concentrated all their resources and efforts on staying afloat. Even though budgets get revised, it doesn’t mean cybersecurity needs to go down on the priority list. We recommend that businesses, who have to spend less on cybersecurity in the coming years, get smart about it and use every available option to bolster their defenses – by turning to free security solutions available on the market and introducing security awareness programs across the organisation. Those are small steps that can make a difference, especially for SMBs,” commented Alexander Moiseev, Chief Business Officer at Kaspersky.
Kaspersky suggests small and medium organisations take the following advice, to maintain their cybersecurity posture even with low security investments:
- Always keep your team aware of IT security risks such as phishing, web threats, banking malware and others that can target employees in their daily working routine. There are dedicated training courses which teach security practices, such as the ones provided in the Kaspersky Automated Security Awareness Platform. Use formats that help employees remember the cybersecurity rules, such as posters or cards in the workspace.
- Ensure timely updates of all systems, software and devices. This will help you to avoid situations where malware infiltrates a corporate system through, for example, an unpatched operating system.
- Establish the practice of using strong passwords to access corporate services. Use multi-factor authentication for access to remote services.
- Make sure all corporate devices are protected with strong passwords which are changed regularly.
- Use proven cloud services and platforms when transferring business data. Make sure you protect all your shared files with passwords, for example in Google Docs, or make them available to a limited circle within a working group.
- Use a free endpoint security tool, such as Kaspersky Anti-Ransomware Tool for Business, which provides protection for both PCs and servers from a wide range of threats including ransomware, cryptominers, adware, pornware, exploits and more.
- There are also some useful tools that could help ad-hoc cybersecurity needs, such as checking suspicious files, IP addresses, domains and URLs. This can be done for free on the Kaspersky Threat Intelligence Portal.