888-448-5451 [email protected]

Under the microscope

cybersecurity costs

Uncovering the True Cost of Cybersecurity: How to Prepare for the Unexpected

Today we’re taking a closer look at cybersecurity costs, cyber attack costs, cyber threats, and how business executives can prioritize their budget to ensure their business is protected and that the gap for optimal security for different business sizes is closed.  The ability to prepare cyber security spending in a focused manner ensures that an effective security posture is accessible to small businesses and bigger businesses alike.

Small business cybersecurity is just as important as SME and big business risk management, if not more important, because there are many SMBs in operation. If attacked successfully in significant numbers, this would create a ripple effect on the economy and a good portion of people’s livelihood.

Let’s start with cyber attack costs and go from there.

Cyber Attack Costs

When we look at the 2015 Annual Cost of Cyber Crime Study conducted by Ponemon Institute reveals that cybercrime costs a small business an average of $210,000 and has been increasing for several years.

Next, we see what the cost is for businesses of different sizes in a study conducted by Accenture in 2019; we find that cybercrime costs are an average of $13.0 million (2018).  Furthermore, the business consequences are shown to be $4.0 million.

Furthermore, in a look at the average cost (per year) that a single company will lose as the result of a cyberattack from McAfee’s report in 2020, we find the following:

  • Small companies (1-49 employees) lost an average of $24,000 each in 2020.
  • Medium-sized companies (50-249 employees) lost an average of $50,000 each in 2020.
  • Large companies (250-999 employees) lost an average of $133,000 each in 2020.
  • Enterprise-level companies (1000+ employees) lost an average of $504,000 each in 2020.

And lastly, when we look at examples of companies that have had a cyber attack, we find their costs are as follows:

  • Solarwinds’ 2020 APT attack reported a loss of $25 million to its investors.
  • Amazon’s DDoS attack earlier this year, totaled a loss of around $75 million.
  • Brazil’s meatpacking company JBS’ ransomware attack in May, the ransom alone was $4.4 million.  Add to that the loss of revenue.
  • The Colonial Pipeline attack in May.  The ransom paid by the company was reported as $5 million.


Cybersecurity Costs 

When we move to cybersecurity costs, there are a couple of studies that we’re going to share data points from so that you can get an idea of ideal spending for cybersecurity from your IT budget.

The first report is one conducted by Deloitte that focused on financial institutions.  They find that the average company will spend between 6% and 14% of their annual IT budget on cybersecurity; and that on average most companies spend 10% of their IT budget.

Already thanks to this data point, you can take your IT budget and multiply it by 0.10 to figure out how much you will spend on cybersecurity yearly.

Some additional figures to keep in mind come from The Computer Economics IT Spending and Staffing Benchmarks 2019/2020 report.

The average company spends 3.2% of its total revenue on IT costs. This approximate figure holds true across industries of all kinds and companies of all sizes. Furthermore, a small company will generally have a budget of less than $5 million; a mid-size organization will typically spend between $5-20 million, and larger organizations will generally spend $20-50 million per year.

Therefore, we can calculate the average cybersecurity costs for these businesses (assuming they spend 10% of their IT budget).

  • Large businesses: Between $2 million and $5 million spent on cybersecurity per year
  • Mid-size businesses: Between $500,000 and $2 million spent on cybersecurity per year
  • Small businesses: $500,000 or less spent on cybersecurity per year

Although these numbers are not small, they are not as expensive as the cyber attack costs you saw listed above.

Also, remembering that cyber-attacks cause damage to your brand’s reputation and can cause companies to go out of business makes cybersecurity investment immeasurable.


Cybersecurity Prioritized Spending

Now that you have a clearer idea of cyber attacks and cybersecurity costs.  Let’s look at where you want to prioritize your cybersecurity spending.

  1. Yearly and, if possible quarterly cybersecurity assessments.
  2. Cybersecurity awareness training for the hybrid workforce.
  3. Business continuity and incident response plans.
  4. Risk management policies and procedures that include business associates and partners.
  5. Meeting your industry compliance requirements, CMMC and NIST 800-171 for DoDD contracts, and privacy regulations such as GDPR or CPRA (replaces CCPA and becomes ‘operational’ on January 1, 2023).
  6. Establish a cybersecurity framework to build your program around.


A closer look at cybersecurity costs compared to cyber attack costs makes it quite clear why business executives should want to invest in cybersecurity.

Not only does a company save on data breach costs, but the likelihood of growth is also achieved thanks to securing business operations and data.  Also, meeting compliance regulations such as CMMC and NIST 800-171 is achieved, which will ensure a company can do business with DoDD companies.

Give us a call if you need guidance on your cybersecurity spending for an effective posture that keeps your business protected and ahead of the game for potential business, thanks to meeting compliance regulations such as CMMC and NIST 800-171.

Click here to schedule your free 15-minute consultation.

Photo courtesy of ESB Professional