Despite the growing visibility of major computer and network security breaches and the staggering amount of data that has been compromised, a surprising number of companies both large and small grossly underestimate the cost of keeping their networks, computer systems, and databases secure. Recent studies suggest that these costs are set to rise dramatically in the next couple of years, mainly because both the malware involved and the tricks hackers use to gain access are becoming more sophisticated, more complex, and more damaging.
Businesses try to rationalize under-budgeting for cybersecurity in many ways:
- “We can’t afford a large budget for cybersecurity right now.”
- “Our business is too small to be a target.”
- “We don’t have any data worth stealing.”
- “Our employees aren’t foolish enough to respond to phishing attacks.”
Every one of these excuses is false, as all too many businesses find out the hard way.
The Growing Costs of Cybersecurity
Consider the following sobering statistics, from a survey by information security firm Malwarebytes:
- Larger U.S. companies (2,500 employees and up) are expected to spend $2 million on cybersecurity in 2018, up from $1.8 million in 2017.
- Cybersecurity budgets for mid-sized businesses (500–1000 employees) will increase even more in percentage terms: 36%, which is much higher than most companies’ expected revenue growth.
- Costs of remediation are on the rise as well. Remediating a single incident costs larger companies over $400,000 on average.
- U.S. companies experienced an average of 1.8 serious cybersecurity incidents (including ransomware and insider breaches) in 2017.
Mid-sized companies in particular are getting squeezed: their expenses for cybersecurity are consuming larger portions of their budgets each year. Small companies are especially vulnerable—few of them have on-staff IT support to keep their systems secure, and one ransomware attack can effectively put them out of business.
The healthcare industry is a particularly ripe target, with both financial and health-related information becoming increasingly valuable for hackers. Everyone, from small, one-doctor offices to larger clinics, labs, pharmacies, hospitals, and insurance companies, is vulnerable.
Steps to Take
It’s been said before, in this blog and elsewhere, but considering the number of businesses that seem not to have gotten the message, it bears repeating: Don’t shortchange your cybersecurity budget. It’s a classic case of “penny-wise and pound-foolish”—chances are good that the money you save by skimping on protection will be annihilated by a security breach.
Here are some steps you can take right now to keep yourself protected:
- Keep your software and operating systems up to date. This is the single most important thing you can do, and the easiest to procrastinate about. Discipline yourself and your team to observe a regular schedule for security updates.
- Have a professional security assessment performed on your IT systems, including workstations, servers, routers, and Wi-Fi access. Such an assessment will uncover your most serious security vulnerabilities and areas to focus on to bring your systems up to modern security standards.
- Educate your staff on how to recognize phishing and other types of attacks. As mentioned previously, these attacks are getting more sophisticated all the time, so every user needs to develop a “sixth sense” for detecting suspicious emails.
- Consider migrating business-critical systems to cloud-based environments. If your data storage and computing resources are in the cloud, and all you have in the office are relatively “dumb” computers, then ransomware and other types of malware are more easily remediated.
Above all, if you don’t have in-house expertise on cybersecurity, engage the services of a reputable IT service provider. Given the increasing sophistication of the bad guys, cybersecurity is no longer a “do-it-yourself” project. Doing it yourself may limit your expenses in the short term, but the costs of failure can be devastating. Bring in some outside expertise—the extra expense is well worth the reduced risk.