Many companies are not spending enough cash on cybersecurity, despite instances of cyberattacks continuing to escalate, according to a major law firm.
In 2018, barely a day goes by without a new cyberattack making headlines: just this week, a website blamed for launching more than four million cyberattacks around the world – including attempts to crash UK banks – was taken down as part of a major international investigation.
But many business leaders are still failing to put enough resources behind their cyber defences, finds Fox Rothschild.
“Our study indicates that [business leaders] are not allocating enough, and that the people in charge of it want more,” Mark McCreary, chief privacy officer at the firm and co-chair of its Privacy and Data Security Practice, told Insurance Business.
Despite many senior executives now ranking cybersecurity as one of their top concerns, persuading them to spend money can still be difficult, McCreary explained.
“It’s a tough sell – a lot of companies, in my experience, feel they are throwing money at a ghost… they don’t understand the fact that it’s always ongoing,” he said. “You’re always getting better products, you’re always upgrading, there’s always new approaches to deal with new attacks.”
While Fox Rothschild’s latest survey found that 70% of respondents carried cyber liability insurance, in a previous survey conducted late last year, more than half of executives admitted their cybersecurity and data privacy budgets were “insufficient” to respond to a breach. An additional third admitted to not training all their employees on data breach prevention, a basic component of defence against cyber breaches.
“Until they have a true data breach, until they see how easy it is, and until they have it in their brain that no matter what you do, if there is a determined person you are still not 100% protected, they don’t really understand that money has to be spent,” McCreary said.
The lawyer said that while there is “no right answer” on exactly how much companies should be spending on cybersecurity, a good guide level is around 20% of a firm’s IT budget.
He added: “We learned that it’s the people who have had a data breach that understand that you have to have a large portion of your IT budget dedicated to security.”