The cyber budgets of UK enterprises actually shrank (-1%) during the pandemic, according to their cyber budget holders. This left cyber spend stagnating at an average of around £18 million ($24.9 million) for the 2021 financial year. This is despite the fact that 79% reported having suffered a major cyber incident. Of this group, the majority (73%) had experienced an incident in the past three years.
Over half (54%) of organisations either ‘hit pause’ or decreased their cyber budgets during the pandemic. Now, IT leaders expect to increase their cyber budget by an average of 7.4% in the next twelve months, taking the average budget to £19.4 million. But taking into account inflation, which is currently 3%, this still may not be enough to make up for lost time during the pandemic. If this trend continues, a cyber spending ‘deficit’ will emerge that makes businesses more vulnerable to cyber incidents, as attacks become more frequent and more sophisticated.
The problem is compounded by a lack of confidence among decision makers in how they spend their cyber budgets:
• 40% said their organisation needed a better understanding of how to prioritise areas for cyber investment.
• Half (50%) reported they had a cyber strategy but had not been able to fully implement it – meaning that cyber investments are not realising their full potential.
“Businesses need to act now to lock in their cyber spending for next year,” said Jamie Smith, Head of Cyber Security at S-RM. “The readiness with which we saw businesses pull back their budgets during the pandemic is concerning. Next year’s cyber budgets cannot be futureproofed against all forms of disruption, but there are trends business leaders should watch closely. A major one is the rising cost of cyber insurance - premiums are going up. This is because cyberattacks are becoming more frequent. What’s more, insurers are looking to reduce the risk they take on when they provide cyber policies. As a result, insurers want companies to prove how cyber resilient they are before providing cover.”
“UK cyber budgets shrunk at a time when the cost of cybercrime and frequency of attacks is increasing at an alarming rate. The average immediate damage of a cyber incident is in the region of £1.3 million. But the secondary costs like higher insurance premiums and recovery services can more than double this.”
“Businesses have been failing to keep pace, and if they don’t commit to strategic investment in their cyber security, they risk serious financial and reputational damage.”
The analysis, developed by S-RM, will guide UK organisations who are looking to utilise their cyber spend more effectively. It also found a clear correlation in the data which suggests that cyber confidence comes from the top. Businesses with boards who had a highly proactive approach to cyber security were more likely to say they are investing cyber budget in all the right places (73%) compared to those who do not experience proactive support from the top (44%).