All businesses should devote money and resources to cybersecurity, in order to protect their operations and ensure a profitable future. But how much should they actually spend?
Most organizations spend either too much or too little on cybersecurity solutions, according to a new analyst report from Nucleus Research. The report offers a formula that businesses can use to determine exactly how much money they should spend on cybersecurity.
Nucleus says companies shouldn’t spend money on cybersecurity “based on fear or perceived threats.” Instead, they should consider their own value, the value that cybersecurity provides, the risk of a cyber attack, and the potential cost of a breach.
“Even if an organization has a high risk of a cyber attack, it is not effective to invest in cybersecurity more than what the organization is worth,” the report explains. “By viewing cybersecurity investments as an insurance issue, organizations can justify the optimal amount to spend.”
So, for an organization worth $20 million, which is at risk of losing $2 million in a data breach and has a 50% chance of being breached, no more than $1 million should be spent on cybersecurity, the report says. This figure includes IT staff time, software subscriptions, software maintenance and lost productivity.
“Considering a triple revenue model, the organization should not spend more than 15% of its revenue,” the report concludes.