How to budget for cyber security costs—and why it's crucial

Author: Adam Kimmel

The practice of protecting internet-connected networks, hardware and software from cyber threats is an essential part of running an information technology (IT) department. It is crucial to have a thorough cyber security plan in place to keep cyber criminals from gaining access to personal information, government systems, intellectual property and health information.

As with any other essential business function, creating a budget to cover your cyber security cost is critical. To deploy effective and budget-friendly solutions, you have to understand where to spend your resources. Here's what you need to know about developing a budget for cyber security—and why employing a managed security service is the safest and most cost-effective way to prepare for and respond to security concerns.

Identifying common cyber security threats

Verizon's 2020 Data Breach Investigations Report uncovered tens of thousands of security incidents, including 3,950 confirmed breaches (2.5%) across the industries studied.

Some of the common tactics of the breaches included hacking (45%), casual errors and social events (each 22%), malware (17%) and authorized user misuse (8%). The perpetrators in the breaches were external actors (70%) and organized criminal groups (55%), with 30% coming via internal actors.

The study uncovered several motivations that point to the risk of not identifying breaches as they arise: 86% were financially motivated, and 37% stole user credentials; 27% of malware was ransomware, and 22% involved phishing.

What do these patterns mean for your cyber security budget? One method of preventing these common threats is to educate users on the warning signs. Avoiding disclosure of personal information, limiting clicks on links and training users on current data breach methods make the entire company safer. When it comes to your budget for cyber security, investing in training programs and tools is the minimum requirement to ensure your staff is hearing a consistent message about data security best practices.

Guarding against uncommon threats

The following are less common (but increasingly prevalent) threats that have been introduced through smartphones.

Smishing and vishing

Smishing is an attempt to compel a user to divulge information through a text message. The attacker often uses urgent or confidential language to drive the user to click the link, enabling data to be stolen.

Like smishing, vishing is a tactic in which a cyber criminal provides instructions to a user through a voicemail to compel the victim to respond with sensitive information.

When building your cyber security budget, education is still a sound defense against these cyber attack methods. Beyond training, targeted investments can augment IT systems with safeguards against these forms of data breaches as well. Equipping company phones and devices with detection software can help users better recognize an attack when they are contacted.


Malware

Malware is the most dangerous type of cyber attack because it only requires an internet pathway. It spreads to other connected devices and siphons data back to the sender without the user knowing. Malware often takes the form of password dumpers and email links. Trojans, another form of malware, appear on a user's system disguised as a program they may already have, such as a spreadsheet program or PDF reader.

Investing in prevention for malware includes installing firewalls and security updates to block malicious software from attacking and harvesting your data. The more advanced the data breach method, the more sophisticated the prevention solution needs to be.

Measuring the value of your cyber security investment

Creating a budget for cyber security is a must in today's data-rich environment. So is measuring the value of your investments on an ongoing basis.

Tracking the number of incidents against the number of confirmed breaches is one method. Identifying key performance indicators (KPIs) to define success is another. Making a change, testing and measuring the result is the engineering approach to quantifying success. Examples of cyber security investment KPIs might include:

  • Number of resistance actions taken by a firewall.
  • Percentage of incidents that did not result in a confirmed breach.
  • Rate of accurate, user-initiated categorizations of phishing attempts.

Once you generate a baseline of the initial state, you can track your security measures' effectiveness. Comparing the amount of improvement to the baseline and factoring in the cost per breach helps quantify the return on your security investment. Engaging a managed partner can allow you to optimize the tools you use more quickly than conducting trials on your own. You also benefit from leveraging the industry expertise your partner brings to the endeavor.

Defining a cyber security budget is the first step to protecting your organization from cyber attacks. An experienced partner can address the specific security needs you have and propose a custom solution for your unique application. They are aware of state-of-the-art prevention techniques and can arm your IT department with the right tools to prevent cyber attacks. A managed partner with the expertise to create a customized plan offers the best return for the time and funds you invest.
