Supply chain attacks cost businesses more

Cyberattacks do not only cause operational damage to computer systems: when they occur, all or part of the company’s activity is affected, resulting in a shortfall and sometimes substantial financial losses. In its latest IT security economics 2021 study, Kaspersky looked at the cost of data breaches and cyberattacks for businesses, especially smaller ones. More than 4,300 people were interviewed in SMEs and medium-sized companies (from 50 to 999 employees) and larger companies (+1,000 employees) in 31 countries between May and June.

“This year, cybersecurity risks continued to be a big concern for businesses and small businesses, with new threats emerging during the pandemic and the extended remote work period it has instituted,” Kaspersky said in a statement. introduction to his report. While it had fallen in 2020, the average financial cost of data theft for SMEs/medium-sized businesses thus rose to 105,000 dollars this year against 101,000 the previous year. However, the levels of 2019 ($108,000) and especially 2018 ($120,000) have not been reached.

$2M in financial impact for supply chain attacks in the largest companies

Conversely, for the largest companies, this cost has been falling steadily since 2019 ($1.41 million) to reach $927,000 this year, its lowest level since 2017. “One of the main reasons why perhaps we are seeing this decline in the impact of a data breach in businesses could be due to improvements in detecting attacks, thus minimizing the impact of an incident. “However, our research also found that businesses were less likely to report data breaches this year, with 34% managing to avoid doing so, compared to just 28% in 2020.”

When it comes to data breaches, in 2021, incidents affecting a third-party vendor with whom data is shared reached $1.4 million on average for the largest companies. This is the largest amount, ahead of cryptomining attacks ($1.3 million) for example. Regarding SMEs, attacks on point-of-sale systems had the highest cost on average for the company ($139,000). All cybersecurity incidents combined (not just data theft), supply chain attacks are the most costly on average for the largest companies ($2 million), while for SMEs-SMIs they are those affecting a third-party supplier with whom data is shared ($212,000). Across all company sizes, supply chain and shared data attacks are in the top three costliest incidents.

Downward trend for cybersecurity budget

Given a context of growing cyber threats, one would have thought that this situation plays in favor of the budgets allocated to IT security. This is not the case. Worse still: in 2021, the Kaspersky study shows that average IT budgets are down both for SMEs-SMIs ($1 M versus $1.1 M in 2020) and the largest companies ($42.9 M versus $54.3 million). The cybersecurity budget also follows this downward trend, both for the largest groups ($11.4 M against $14 M) and the smallest ($267,000 against $275,000). Overall, the share of the IT budget devoted to cybersecurity fell from 29% to 28% among large groups and stagnated among SMEs and medium-sized enterprises (26%).

“While this decrease in IT budgets is temporary, many companies have gone through a difficult cost-cutting model in 2021,” says Kaspersky. Among the factors highlighted: the lack of reason for top management to invest so much in cybersecurity (30%), feeling sufficiently equipped with security solutions (28%), the need to reallocate the IT budget to other business needs (28%) or outsourcing of certain IT security functions to reduce costs (25%). “I have no doubt that budgets will recover and even increase, but this will happen in a new environment of IT systems and more reliance on the as a service and cloud model,” said Veniamin Levtsov, vice president of the center of expertise. for Enterprise at Kaspersky.