Report: Measuring the Financial Impact of IT Security on Businesses

This report is dedicated to the financial side of cybersecurity: how much businesses spend to protect themselves and to recover from a cybersecurity incident.

Executive Summary*


In 2016 Kaspersky Lab together with B2B International conducted a global study of more than 4,000 business representatives from 25 countries, looking at their IT security budgets, the complexity of their infrastructure, attitudes towards security threats and solutions, and the real cost of data breaches and security incidents experienced. This report is dedicated to the financial side of cybersecurity: how much businesses spend to protect themselves and to recover from a cybersecurity incident.

Click here to download the regional version of the report with selected statistics for the United States. The report is available free of charge after registration.

Main findings
IT Security budgets are set to grow 14% on average over the next three years

All businesses cite IT infrastructure complexity as a key reason to invest in security: 48% of enterprises and 42% of SMBs.

Average annual spending on security varies from $1000 for very small businesses to $1M+ for large companies.

% of Businesses Whose IT Security Budget Falls Into Each Category

The average cost of recovery from a single security incident is estimated to be $86.5K for small and medium businesses and $861k for enterprises.

The most ‘expensive’ attack types are security breaches using zero-day vulnerabilities and targeted attacks. SMBs suffer a lot from exploitation of mobile devices, while enterprises report the high impact of hacktivist activities.

Investigating reasons behind security spending
There is no denying that IT security is becoming a key priority for businesses, as the reliance on and complex nature of technology continues to grow. Indeed, for enterprises, the increased complexity of IT infrastructure was the number one driver for wanting to increase IT security spend (48%). 42% of SMBs agreed, with only a quarter (24%) of VSBs seeing complexity as the main reason for increasing budgets, citing new business activities/expansion as the top reason (35%).

Despite finding it difficult to demonstrate the ROI of investments in IT security to senior management, businesses of all sizes agree that they will continue to invest in improving IT security regardless of ROI, as it is better to be safe than sorry.

In monetary terms, two-thirds (66%) of VSBs spend less than $1,000 a year on IT security compared to 68% of enterprises which spend over $1 million.

Incident experience

Over the past 12 months alone, over a third of businesses (38%) have been affected by viruses and malware causing a loss of productivity, and experienced inappropriate IT resource use by employees (36%). One in five (21%) has experienced data loss or exposure due to targeted attacks.

Types of security event experienced in the past 12 months (% of all businesses experiencing each type of attack)



For all of the incidents experienced by businesses, almost half (43%) resulted in a data breach, loss or exposure of some kind. Putting this into context, the average financial impact of a single data breach and attack vector for an SMB is an estimated $86.5k and for enterprises a staggering $861k. The reallocation of IT staff time represents the single largest additional cost for both SMBs and enterprises within this estimate.

Estimating the average financial impact of a data breach
We asked businesses to divide their recovery cost into several categories, in order to better estimate the overall impact of a security breach, which almost always goes beyond the need to hire additional IT resource. The typical loss for SMBs and enterprises consists of the following expenses:



But this is just the average across a range of attack vectors, with some types of attacks costing a business more. Previously unknown “zero” day vulnerabilities – whilst rare – have cost SMBs an estimated $149k and enterprises $2m, with targeted attacks resulting in a financial impact of $143k and $1.7m respectively.

Fast action from the IT Security department saves money

In all cases, the financial impact has been seen to increase with time, with the rapid detection of a data breach a key factor in minimizing not only data loss but the financial cost to the business. The longer a breach goes unnoticed, the more it will cost a business in monetary and data integrity terms. Even when breaches are detected almost instantly, SMBs estimate a cost to their business of $28k, rising to $105k if undetected for more than a week. For enterprises, where a detection system is in place, the estimated financial damage is still $393k, increasing to over $1m if it remains undetected for over seven days.

Cost of recovery vs. time needed to discover a security breach, for SMBs Cost of recovery vs. time needed to discover a security breach for enterprises

With businesses aware of network vulnerabilities and expecting them to be exploited, the prevalence and success of cyber-attacks against businesses is only going to rise. But with IT security budgets only set for a modest increase over the next few years, the financial impact could become even more severe.


Whilst cyber-attacks are inevitable, the way businesses use available budgets and resource will be vital in the coming years in keeping the financial (and reputational) impact down. Whilst losses will occur as a result, the key is to minimize them. This is our aim and on average, Kaspersky Lab customers who do suffer a breach experience much less severe financial consequences than the customers of our competitors – 30% less for SMBs and 18% less for enterprise customers.

To learn more about Kaspersky Lab’s solutions for small and medium businesses, visit Kaspersky Lab’s website.

The financial impact can only be curbed by taking a holistic approach to IT security instead of relying just on detection technology to do the job. It is encouraging to see that 45% of companies believe that hardware and software alone won’t necessarily solve all IT security incidents. But although this is the case, it is not necessarily backed up by the right resources to provide total protection – with 73% still believing that workstation security software alone is effective.

Check out the most recent Kaspersky Lab’s solutions for enterprises, expanding support for security departments beyond prevention.

Alongside prevention technology, clued up and vigilant staff who are informed and aware of the risks facing businesses today and tomorrow will help improve detection and minimize impact. However, when assessing where security budgets are to be spent, there is a general reluctance on the part of businesses to accept outside help – with only 18% of organizations considering better insights and intelligence on threats as a top method to improve detection.

Learn more about Kaspersky Lab’s Security Intelligence Services.

Despite this feeling, without the benefit of insight and intelligence, organizations will remain unable to improve detection and combat the growing number and severity of cyber threats. Only by moving beyond prevention towards recovery and mitigation will organizations be able to reduce their exposure to risk and the inevitable financial consequences of a cyber-attack.

Register here to download the regional version of the report with selected statistics for the United States. The report is available free of charge after registration.

* IT Security Risks Special Report Series 2016

System Watcher gets smarter

Security solutions must be able to perform two big functions: prevention and, if necessary, remediation. Kaspersky Lab’s latest patent is a technology that makes both more effective. The most common