Companies are more likely to spend money on cyber protection and increased training than on improving response and recovery, a new study found.
Roughly half of enterprise security budgets go to threat detection and prevention, while 30% is allocated to response and recovery, the Information Services Group (ISG) found in a survey of some 200 global IT and industry executives.
Security Budgets Increase
The average security budget increased nearly 5% in 2023 over 2022 as security priorities rose, the study reported. While other department budgets are decreasing by approximately 7% year-over-year, security budgets are growing at 4-5% a year. Typical security budgets are around 0.8% of overall organizational revenue, rising to 1% of revenue for organizations with 100,000 or more employees, the data showed.
Doug Saylors, partner and co-leader of ISG Cybersecurity, explained how cybersecurity programs must “strike a balance” between protection and resiliency:
“Virtually every enterprise – large and small – experiences regular cyberattacks. Interestingly, respondents were more likely to blame prevention and detection measures – the areas that garner the highest percentage of investment – for allowing cyber incidents to occur, rather than human error or technology.
“While the protection of data and detection of attacks are critical, it is equally important to have tested and proven incident response and recovery plans in place to help restore operations quickly. Companies can take days or even weeks to recover from an attack. With attacks a near certainty, enterprises need to focus on what to do when – not if – an attack succeeds.”
Cyberattacks Rise, Phishing Most Common Type
Here are some of the study’s key findings:
- 95% of respondents reported multiple cyberattacks and incidents in their organization over the previous 12 months.
- The most common incidents were phishing, cited by 74% of respondents, malware (60%) and software vulnerabilities (50%).
- The study also found phishing, ransomware and third-party vulnerabilities were the most challenging attacks for responding enterprises to remediate.
- 56% of respondents identified artificial intelligence and machine learning as the top security risks that organizations expect over the next two years.
- The perceived risk from AI and machine learning is strong in banking and financial services, where nearly 80% of participants highlighted emerging technology as a top-three challenge.
- Ransomware (46%) and cloud-based threats (45%) remain an important focus for security decision makers in all industries.