
How much should your Cyber Security Investment be?

Mark Williams

In today’s digital landscape, cyber security is no longer just an IT issue; it is a critical business concern that affects every part of an organisation. For businesses in Australia, where cyber threats are becoming more sophisticated and more frequent, investing in robust cyber security measures is essential. But the pressing question for many organisations is: how much should you invest in cyber security?


Understanding the Importance of Cyber Security Investment


Before diving into specific numbers, it's crucial to understand why cyber security is such a vital investment. In recent years, Australia has seen a significant increase in cyber attacks, with small to medium-sized enterprises (SMEs) being frequent targets. The consequences of a cyber breach can be devastating. These include:


  • Financial Losses: According to the Ponemon Institute’s 2023 Cost of Data Breach Study, the average cost of a data breach in Australia can be significant, particularly for SMEs, where costs can exceed AUD $2 million when considering remediation, fines, and loss of business.


  • Reputational Damage: The 2023 Deloitte Global Cyber Executive Briefing highlights that a cyber breach can severely damage a brand's reputation, leading to lost customers and reduced market share, as customers increasingly prioritise data privacy.


  • Regulatory Fines: Compliance with laws like the Privacy Act 1988, the Notifiable Data Breaches (NDB) scheme and other industry-specific regulatory body requirements is essential. Non-compliance resulting from a breach can lead to hefty fines, as reported by the Office of the Australian Information Commissioner (OAIC) in its regular updates on breach incidents.


Given these potential risks, cyber security should be viewed not as a cost, but as a strategic investment in protecting your organisation’s future. 


For more on the true cost of a cyber security incident for your business, please read the article at this link.




Industry Benchmarks and Recommendations


Determining the right amount to spend on cyber security can be challenging, as it varies based on several factors such as industry, company size, and specific risk profiles. However, industry benchmarks provide a useful starting point:


  • General Industry Guidelines: According to the Gartner IT Key Metrics Data 2023, a widely accepted benchmark is that organisations should allocate between 3% and 10% of their IT budget to cyber security. However, this percentage can vary significantly depending on the nature of the business and its risk exposure.


  • Percentage of Turnover: When looking at turnover specifically, the IBM Cost of a Data Breach Report 2023 suggests that businesses spend between 0.2% and 0.9% of their annual turnover on cyber security. This range is broad, reflecting the varying levels of risk across industries. For example, a financial services company, which holds sensitive financial data, would likely sit at the higher end of this spectrum, while a less data-intensive business might sit at the lower end.


Factors Influencing Cyber Security Budget Allocation


While benchmarks are helpful, they are not a one-size-fits-all solution. Several factors should influence your organisation's cyber security budget:


  1. Industry Sector: Different industries have different levels of cyber risk. The Ponemon Institute’s studies show that sectors such as financial services, healthcare, and retail are often targeted due to the sensitive nature of the data they handle. These industries typically require a higher investment in cyber security.


  2. Size of the Organisation: Larger organisations with more complex IT infrastructures and more data to protect generally need to invest more in cyber security. However, SMEs should not underestimate the importance of cyber security, as they are often seen as easier targets by cyber criminals, as highlighted in the Ponemon Institute’s 2023 report.


  3. Regulatory Requirements: Australian businesses must comply with various regulations, such as the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, as detailed by the OAIC. Ensuring compliance may require additional investment in cyber security measures.


  4. Risk Tolerance: Organisations with a low tolerance for risk may choose to invest more in cyber security to protect against potential threats. This is especially true for companies that rely heavily on their digital operations, as emphasised by Deloitte’s 2023 briefing.


  5. Business Growth and Innovation: Companies experiencing rapid growth or those heavily investing in digital transformation should allocate more resources to cyber security. New digital initiatives often come with new vulnerabilities that need to be addressed.


  6. Historical Breaches: If your organisation has experienced a cyber breach in the past, this should be a key factor in determining your budget. Organisations that have been breached are often targeted again and should increase their cyber security investment accordingly, according to trends noted by the Ponemon Institute.




Calculating the Optimal Spend


To determine your organisation’s optimal cyber security spend as a percentage of turnover, consider the following steps:


  1. Assess Your Current IT Budget: Start by identifying how much your organisation currently spends on IT. From there, determine what percentage is allocated to cyber security. Gartner’s IT Key Metrics Data 2023 provides useful benchmarks for this process.


  2. Evaluate Your Risk Profile: Conduct a thorough risk assessment to understand your organisation’s exposure to cyber threats. This can involve consulting with cyber security experts or using risk assessment tools. Your risk profile should guide whether you’re at the lower or higher end of the recommended spending range.


  3. Align with Business Objectives: Ensure that your cyber security spend is aligned with your overall business objectives. For example, if your organisation is focusing on expanding its online presence, additional investment in cyber security might be necessary to protect new digital assets.


  4. Benchmark Against Peers: Look at what similar organisations in your industry are spending on cyber security. The IBM Cost of a Data Breach Report 2023 provides industry-specific insights that can help in this benchmarking process.


  5. Plan for Growth: Cyber security is not a one-time investment; it needs to grow as your business grows. Plan for regular reviews of your cyber security budget to ensure it keeps pace with your organisation's needs.


The Cost of Underinvesting


Underinvesting in cyber security can be far more costly in the long run. The Ponemon Institute’s 2023 report highlights that the average cost of a data breach in Australia can be substantial. For SMEs, the impact can be devastating, with the total cost often exceeding AUD $2 million. For larger corporates these costs often exceed AUD $100 million.


Moreover, underinvestment can lead to inadequate cyber security measures, leaving your organisation vulnerable to attacks. This not only risks financial loss but also jeopardises your business’s reputation and customer trust, as noted by Deloitte.


Final Thoughts


Determining how much to spend on cyber security as a percentage of turnover is a critical decision that requires careful consideration of your organisation’s specific circumstances. While industry benchmarks suggest spending between 0.2% and 0.9% of turnover on cyber security, this should be adjusted based on factors such as industry risk, company size, and business growth.


Ultimately, the key is to view cyber security not as a discretionary expense, but as an essential investment in the longevity and success of your business. By allocating the appropriate resources to cyber security, you protect your organisation from potential threats, ensure compliance with regulatory requirements, and maintain the trust of your customers.


In an era where cyber threats are ever-present, making a well-informed decision about your cyber security budget is not just smart business—it’s a necessity.


If you would like to understand more about how a boutique Cyber Security firm can assist your business, please contact Mark Williams at Quigly Cyber on 1300 580 799 or team@quigly.com.au

