According to ENISA, IT security budgets are falling


There are words and there are actions. The European Union Agency for Cybersecurity has just expressed concern about a drop in 2021 in the budgets devoted to information security for operators of essential services and European digital service providers. However, as the Estonian Juhan Lepassaar, the head of ENISA, reminds us, “the resilience of our critical infrastructures and technologies will strongly depend on our ability to make strategic investments”.

Down about 13%

According to the European agency, which surveyed more than a thousand organizations across the EU, the median share of the IT budget devoted to cybersecurity fell from 7.7% to 6.7%, a drop of about 13%. This represents approximately 0.6 million euros for a median IT budget of approximately 10 million euros.

Admittedly, the averages are considerably higher, with an average IT budget of 60 million euros and security investments of 4 million euros. But for ENISA, the median values are more representative, as the averages are driven by the budgets of large organisations.

Cost of a security incident doubled

These figures should be put into perspective against the cost of a security incident, estimated at more than 200,000 euros (median value). This is, notes ENISA, twice as much as last year, which shows that the cost of incidents is on the rise. The costliest security incidents are found in banking and healthcare organizations.

For 69% of respondents, the majority of security incidents are due to the exploitation of software or hardware vulnerabilities. While 46% of operators of essential services and digital service providers patch critical vulnerabilities within less than a month, only 92% have done so within six months of discovery, meaning that 8% of organizations are still vulnerable.

Broken cyber insurance

Finally, ENISA notes a decline in the number of organizations using cyber insurance, a subject before the French Parliament, which is working on strengthening the legal framework. While 43% of respondents indicated last year that they had taken out a policy, only 30% had in 2021.

“The gap is very marked between large companies and SMEs”, underlines the European agency, which calls for “improving the awareness of small companies” and a more targeted cyber insurance offer for this type of profile.




