Cyber risk is casting an increasingly large shadow over businesses today. A report from the DCMS found that 46 percent of UK businesses reported suffering a breach or attack in the last 12 months, and it seems hardly a week goes by without news of another major security breach.

With attack and breach figures climbing, it may seem like enterprises are doing little to combat the threat, but average spending on cyber security has actually seen a dramatic rise in recent times.

The Hiscox Cyber Readiness Report 2020 released earlier this year found that cyber spending has risen by an average of 39 percent globally year-on-year, with the average annual budget being $2.1m. UK businesses are actually somewhat behind the global average, with annual spending standing at $1.5m. However, UK firms have undergone one of the sharpest increases in spending, rising from $0.9m in 2019.

Much of the growth in cyber spending is down to an overall increase in IT budgets as businesses place more focus on the digital transformation activity that is essential to staying competitive and profitable. The demand for restructuring businesses for remote working in early 2020 has also placed even more urgency on investing in IT. Nevertheless, security spending as a proportion of overall IT budgets has also increased significantly to 12.9 percent.

Looking beyond the price tag

However, the last few years have also made it readily apparent that cyber security is not an issue that can be solved simply by throwing money at it. The investment must be flowing to the right places for it to really make a difference.

We constantly encounter businesses that have invested a considerable amount of their budget into high-end security solutions, but still don’t feel confident in their overall security. The problem is that even if you have 10 high-end tools doing their jobs on an individual basis, there are still likely to be gaps unless you take a step back and look at the big picture.

Unfortunately, many companies overlook investing in this crucial capability. The DCMS report found that only 36 percent of UK companies conducted planned internal audits or health checks, and most of the companies we encounter have little idea of their security priorities or risk levels.

Unlocking the value of security investments

Without this kind of strategic overview, a company will always suffer from serious security gaps, no matter how many expensive solutions it has purchased. At the same time, we find that companies often have suites of tools whose powerful capabilities go unused, or have purchased solutions to problems that a business with their risk profile is unlikely to encounter.

To unlock the true value of existing IT investments and ensure that future purchases will genuinely improve the company’s security posture, organisations need to first achieve a clear strategic view of their current risks and priorities.