Around the world, cybersecurity professionals are seeing yet another sharp rise in cyberattacks, but what’s even more stunning than an 84% year-over-year increase in ransomware detonations and a 33% increase in phishing attacks (source: Flashpoint) is how much these attacks are costing the global economy.
In a study conducted by the International Monetary Fund (IMF), cyberattacks and data breaches have cost organizations an estimated total of $10.5 trillion. In 2025 alone, the average cost to recover from a single breach in the US came in at a whopping $10.22 million.
With the cost to recover from breaches getting steeper every year, the question of financing security operations is climbing to the top of budgetary concerns.
In a study conducted by EY, cybersecurity contributes roughly $36 million in value for each enterprise-wide initiative it’s involved in. Yet in that same study, researchers found that, as a percentage of annual company revenue, cybersecurity budgets have declined from 1.1% to 0.6% over the last two years.
So how do we take the security needs of an organization into consideration while operating within budget? How do we strike the balance between fiscally keen and optimally secure?
Below are our top five recommendations an organization should consider when evaluating the finances of cybersecurity.
- Know your systems.
Before making any decisions on what tools and services to purchase for your organization, first think about what your organization’s environment actually looks like. Are you running a Microsoft shop, or are you Apple to the core? Do you have a prominent web presence, or do you sit behind the scenes? Understanding what your environment runs on informs your understanding of what your environment needs from a security perspective, and careful selection of the tools and services you use can wind up saving you time, money, and more than a little energy. So, prior to purchase, conduct an assessment to determine what your organization is running and what those systems need in order to be secure. Then consider which tools best support your business operations.
- Invest in good training.
A well-known fact in the security field: people are the number one cause of security incidents, and despite the best intentions, very few tools can achieve what good cyber-awareness training can. Engaging your staff in security training is the strongest way to prevent them from falling prey to threats like social engineering and phishing, and the tools used to conduct this training should be evaluated accordingly. Consider how engaging the training is and whether it comprehensively covers the threats faced by your specific organization; consider whether the people and processes you have in place to respond to an incident are prepared for that eventuality; and consider testing to determine whether all that training is working.
- An ounce of prevention…
Arguably, the most cost-effective way to recover from a breach is to not have one in the first place. An intelligently applied and comprehensive set of defensive tools can become a company’s greatest ally in minimizing overall security costs. Tools like a well-configured firewall, Data Loss Prevention (DLP), and Endpoint Detection and Response (EDR) not only provide a defensive barrier to protect a network from intrusion, but also limit the scope of an intrusion should one occur. This gives a company a greater chance of protecting its assets (both intellectual and technical) from theft or exploitation. So, while no system is 100% threat-proof, the stronger your proactive, preventative measures are, the less likely you are to see an irrecoverable incident.
- When in doubt…
In a world with insurance for homes, health, vehicles, and even pets, why shouldn’t you consider whether cyber-insurance is the right decision for you? Striking the balance between security controls and operational impact can, at times, feel like a zero-sum game where risk always remains at the forefront. When evaluating the threats your company may face and the resulting damages of a possible breach, consider whether it’s worth investing in a policy that will protect your organization if the worst should happen. In a 2022 article, The Register found that only 55% of businesses currently have any cyber insurance coverage, but in a world where the average cost to recover from an incident is often seven figures, you may want to ask yourself whether that risk is worth taking.
- Finally, choose quality.
In this case the phrase “buy cheap, buy twice” holds more than its fair share of water. When looking to invest in cybersecurity tools and services, the cheapest option could wind up costing you more in the long run. When evaluating contract bids, consider what a company is really offering you. Take the time to thoroughly evaluate the products or services being provided to you, and what the costs would be if expectations failed to meet reality. Conduct due diligence on your third parties, evaluate the years and level of expertise of the people who will be working with you, ensure that their security practices meet or exceed your standards, and look at the level of communication they offer when it comes to addressing their security policies. In the end, a strong security partner can make all the difference.
