Critical infrastructure sees most cyber incidents due to lack of budget

Kaspersky conducted a study[1] to discover the opinions of IT Security professionals working for SMEs and enterprises worldwide regarding the human impact on the cybersecurity in a company. The research – aimed at gathering information on various groups of people who influence cybersecurity – considered both internal staff, and external contractors. It also analyzed the impact decision makers have on cybersecurity in terms of budget allocation. 

Insufficient distribution of budget for cybersecurity led 15% of companies worldwide to endure cyber incidents in the last two years. The situation is different for every industry. For example, critical infrastructure, energy and oil&gas organizations suffered the greatest number of cyber breaches because of the lack of budget (25%). Meanwhile, some industries showed a smaller number of cyber incidents than the global figure (15%). The telecommunications sector suffered 13% of cyber incidents due to budget constraints, while transport & logistics, and financial services companies each saw 8% of them. 

When asked about the budget for cybersecurity measures, 78% of respondents globally said they are equipped to keep up with or even stay ahead of new threats. However, 21% of companies are not doing so well – 18% report that they don’t have sufficient funds to protect the company’s infrastructure properly. At the same time, there are still companies without cost allocations for cybersecurity at all – 3% claimed they don’t have a dedicated budget for cyber protection needs. The most successful industry in terms of proper monetary distribution for cybersecurity are financial services – 90% of respondents working in this sphere claim their organizations are set to keep up with and stay ahead of all new threats. 

Would you say the budget for cybersecurity measures in your company ....?

Many respondents' companies are eager to take steps to strengthen their cybersecurity in the next 1-1.5 years. One of the most popular areas of investment is threat detection software (40%), and trainings, where 39% of companies plan to allocate budgets for educational programs for cybersecurity professionals and 38% for training general staff. Other popular measures organizations plan to take soon are introducing endpoint protection software (36%), hiring additional IT professionals (35%) and adopting SaaS cloud solutions (34%). 

“Today, companies must align cybersecurity investment with a business strategy and consider cybersecurity as one of their business goals. Of course, investments must justify themselves and be effective, so the information security department also faces the task of increasing the ROI of investments in information security and defending investments to senior management or the board of directors. Also, in addition to reducing MTTD and MTTR, information security is tasked with reducing the cost of a security incident. These challenges can be met through the use of various modern approaches and technologies. For example, we are investing in developing our SASE portfolio as well as XDR and MDR with integrated AI, Machine Learning, automated detection and response, automated threat investigation, out of the box integrations and much more. To ensure process transparency and prove the value of our solutions, we also provide C-level dashboards and reports for CISOs, which include information on how many incidents we prevented, how quickly incidents were investigated, and the effectiveness of deployed cybersecurity solutions. We also highlight customer-specific risks, and show them trends particular to the industry to help them shape their cybersecurity by targeting their defenses around current dangers, and justify investments in the necessary technology.” comments Ivan Vassunov, VP, Corporate Products at Kaspersky. 

The full report and more insights on the human impact on cybersecurity in business are available via the link. 

To get the most out of your budget, Kaspersky recommends:

• Implementing cybersecurity products with Advanced Anomaly Control such as Kaspersky Endpoint Detection and Response Optimum. This helps prevent potentially dangerous ‘out of the norm’ activities initiated both by a user or by an attacker who has already taken control over the system. 
• Using easily-manageable solutions. Kaspersky Endpoint Security Cloud is designed for smaller enterprises or companies that don’t currently have the budget for a wide stack of cybersecurity products. The all-in-one hosted SaaS console allows just a single administrator to manage a broad range of cybersecurity tasks from one place, with a simple and easy-to-master workflow.
• Investing in training for everyone in your company – from general staff to decision makers. Kaspersky Automated Security Awareness Platform training teaches employees safe internet behavior and includes simulated phishing attack exercises. At the same time, Kaspersky Cybersecurity for IT Online training helps build up simple yet effective IT security best practices and simple incident response scenarios for generalist IT admins, while Kaspersky Expert Training equips your security team with the latest knowledge and skills in threat management and mitigation to defend your organization against even the most sophisticated attacks. And last but not the least, to advance decision-makers’ understanding of the importance of cybersecurity and how best to distribute budgets to stay ahead of threats, engage them with Kaspersky Interactive Protection Simulation for enhanced C-level professional education.
• Considering experts’ help. For example, Kaspersky Assessments family of professional services identifies security gaps in your system’s configuration, and the Security Architecture Design helps create an IT security infrastructure that’s a perfect fit for a particular company. Every step of implementation is grounded in real security needs, giving decision-makers convincing arguments to allocate budgets.
• Referring to Kaspersky's 'Cybersecurity on a budget' resource for small and medium businesses for tips on how to spend less on IT without compromising on security.