BIO-key Blog

Cyber Security Spend by Industry: How Companies Prioritize Budget

Written by BIO-key Team | Jan 26, 2023 4:27:00 PM

With cyber attacks reaching a record high in 2022, it’s time to ask if organizations should raise their cybersecurity budgets. Currently, small and medium-sized enterprises spend only 10% of their annual IT budget on cybersecurity companies for services and solutions 1. While there are, of course, other key budget considerations to take into account, this allocation does not match the rapid increase in cyber-attacks.  

Spending numbers like that raise the question: “Are organizations spending their security budget properly?” Based on market surveys, most cybersecurity budgets are spent on data protection, governance compliance, and identity and access management, but is this effort enough – and is it the right allocation – to stop upcoming cyber attacks?

It’s clear that there’s an anticipated increase in cybersecurity spending in 2023 and the years to follow. In our 2023 Cybersecurity Predictions, we noted that there’s a growth in cyber attacks, with a 15% increase from 2021 to 2022. In 2023, that’s expected to spike. More sophisticated cyber attacks driven by Artificial Intelligence or geo-phishing will push companies to spend more.

However, differences across industries mean different approaches to cybersecurity. Each industry faces varying threats that target their critical data. Combine this with federal regulations and pressures from cyber insurance providers, and organizations may be overwhelmed with where and how to prioritize their cybersecurity resources.   

Industry by industry, we’ll examine security spending, cybersecurity investment and security budget, and whether that budget is being spent wisely. Read ahead to learn how your organization can defend against some of the top cyber threats – like a ransomware attack.

 

Industry by Industry: Cybersecurity Threats and Solutions   

No matter the industry, small and medium-sized enterprises (SMEs) are major targets for cyber-attacks. There is a misconception that large businesses are a large target, but the reality is that smaller organizations often do not have the proper security protocols in place, leaving them more susceptible to attacks. Also, with the connected nature of the world we conduct business in, targeting a smaller organization can often allow hackers to infiltrate larger organizations, as we’ve seen in famous third-party risk cases such as the Target breach in 2013.

However, each industry does have specific needs to which they must adjust their cybersecurity strategy to bolster cyber resilience.  Here are the specifics.   

Banking and Financial Services   

The threat: the Banking and Financial Services industry faces a specific two-fold challenge: providing a modern, seamless customer experience while also improving information security to keep their customers’ data protected. Even though financial institutions are using third-party services to improve customer communications, payments, and transactions, doing so adds a layer of cyber risk. The more an organization relies on external resources, the more likely it is to be a victim of a third-party cyber-attack, which, in the United States, cost an average of $5.72 million 2.

On top of this, banks and other financial institutions continue to face challenges securing roving users on shared workstations, more sophisticated cyber attacks driven by artificial intelligence, fraud, and required compliance with a range of stringent regulations, including PCI-DSS, GLBA, and the SOX act.   

The priority: on the cybersecurity side, the Financial Services sector should get cyber insurance, and in order to qualify for it, they must implement cyber security solutions like Multi-factor Authentication. Today, many cyber insurance providers lower premiums when a company has an MFA solution enabled, and on the other hand, they deny companies that do not have one in place.   

In the end, the big picture for the financial services industry is focused on prioritizing two core items:  

  1. Preventative security measures to be as best protected as possible 
  2. Cyber insurance coverage to mitigate damage and help recoup financial losses 

  

State and Local Government   

The threat: state and local government agencies are responsible for protecting some of the most sensitive, classified information, including critical infrastructure. They are also a symbol of trust to the citizens that they serve. Government information is not the only thing that needs to be secure; so do the processes that support their unique operations, such as federal, state and local elections.

Cyber-attacks increased by 95% in this sector 3 during the second half of 2022. Compounding that danger is the fact that many government agencies lack sufficient budget, personnel, and security knowledge to put adequate cybersecurity measures in place to enhance data security, like Multi-factor Authentication (MFA).

The priority: In 2023, the government sector must develop its cyber know-how – and that starts with prioritizing the funding of cyber training for employees. Regardless of industry, raising awareness and growing knowledge are the first steps to increasing the overall cybersecurity baseline and then implementing the right solution.   

The second priority should be taking advantage of free, available government agency tools and resources, like the CISA Cyber Program, which lays out three key goals created to address their efforts to reduce cyber risk to control systems. CISA also offers free trainings, courses, and workshops – in addition to their vulnerability assessment. The Department of Defense has also released its Zero Trust Strategy and Roadmap, which includes an awareness training course so all government agencies can learn how well positioned they are currently and what steps they can take to improve.   

   

Healthcare   

The threat: with how much confidential patient information the healthcare industry hosts, it’s clear why it’s a natural target. In fact, 89% of healthcare organizations experienced an average of 43 attacks over the past year, which is one attack every week 4. This is troubling since hospitals and healthcare facilities have a direct impact on the wellbeing of human beings, and security oversights in healthcare systems can cost lives. Hospitals need to be sure that when countless orders, tests, and life-saving prescriptions are being placed, only the authorized individual is doing so.

The priority: like the shared workstation challenge facing many financial institutions, hospitals and care centers are learning how to secure workstations-on-wheels. These mobile workstations are game-changing for hospitals, helping to streamline workflow, better facilitate patient documentation, and ultimately provide better patient treatment in less time.  

While hospitals should always prioritize positive patient outcomes, successfully doing so hinges on the ability to have a secure IAM solution in place that does all the heavy lifting. One of the largest pediatric hospital systems in the United States, for example, has been using BIO-key since 2014 to provide a secure way to authenticate and positively identify their 6,000+ physicians placing EPCS orders with Identity-Bound Biometrics.   

   

Manufacturing   

The threat: when you think of the manufacturing sector, you may be thinking, “Well, there’s not a lot of consumer data, so why spend a lot of our budget on cybersecurity?” This is a misconception. For example, with the creation of connected cars, the vast amount of data being collected now needs to be managed and secured with operational technology (OT) cyber security.

Not only are manufacturers targeted for their assets, but cybercriminals can also cause physical damage to the products or machines. Over the past year, 51% of manufacturing companies experienced cyber attacks on their cloud infrastructure, costing millions of dollars 5.

Lastly, similar to the healthcare and financial industries, manufacturing facilities must learn how to secure shared workstations used by shift-based workers. However, their options for authenticating these workers are limited. Traditional authentication methods like hardware tokens reduce speed and are no longer secure, as they can be stolen, lost or shared, and mobile devices are commonly not permitted on manufacturing floors due to safety concerns.

The priority: many manufacturing facilities are tasked with completing countless work tasks on a daily basis, and it’s crucial that their daily operations are not hindered, or their business goals blocked. While shared workstations are a great solution to achieve these goals, they present an entirely new set of security challenges that must be addressed by implementing a security solution that authenticates the employee’s identity. Identity-Bound Biometrics, which does not require a phone or hardware token, can step in where mainstream solutions fall short, and provide the added benefit of validating each step of the workflow process and time and attendance.

   

What’s Next for Industries?   

As the cybersecurity market continues to rise, organizations should realize that cybersecurity is critical to a business’s infrastructure, goals, and objectives. While it’s not surprising that cyber attacks are going to be more damaging and occur more frequently, it should be surprising that many organizations – across industries – are continuing to deploy a reactive approach to their security strategy and maintain a minimum investment.

However, if your organization experiences a data breach or attack, there are tools you can have in place to mitigate damage and prevent as much loss as possible – like MFA or Identity-Bound Biometrics.   

If unsure of where or how to start, contact us here and we’ll help you get started today. 

 

Sources: 

1 Cost of cyber security for small to midsized businesses (imagineiti.com) 

2 Spike in destructive attacks, ransomware boosts banks’ cybersecurity spending in 2022 - Insider Intelligence Trends, Forecasts & Statistics 

3 Cyber attacks against governments jumped 95% in last half of 2022, CloudSek says | CSO Online 

4 Direct line between hospital cyber attacks and patient mortality, report shows | Healthcare IT News 

5 Manufacturing Cybersecurity Statistics 2022 [Recent Cyber Attacks, Threats, Risks in Manufacturing Industry] (ecsoffice.com)