Skip to main content

Many businesses are over- and under-spending on security

(Image credit: Shutterstock / NicoElNino)

All businesses should spend money and resources on cybersecurity, to protect their operations and ensure a profitable future. But how much should they actually spend?

According to a new report from analysts at Nucleus Research, most organizations either overspend or underspend on cybersecurity solutions. The report proposes a formula businesses can use to determine exactly how much money they should be spending on cybersecurity.

Nucleus states that businesses should not spend money on cybersecurity “based on fear or perceived threats”. Instead, they should consider their worth, the worth of the utility of cybersecurity, the chance of a cyberattack, and the potential cost of the breach.

“Even if an organization has a high risk for a cyber-attack, it isn’t efficient to invest in cybersecurity more than what the organization is worth," the report explains. “By considering investments in cybersecurity as an insurance problem, organizations can justify the optimal amount to spend.”

So for an organization worth $20 million, which risks losing $2 million in a data breach and has a 50 percent chance of being breached, no more than a $1 million should be spent on cybersecurity, the report states. This figure includes IT personnel time, software subscriptions, software maintenance, and loss in productivity.

“Considering a three times revenue model, the organization should not spend more than 15 percent of its revenue,” the report concludes.