Cybersecurity budget gaps leave many companies vulnerable to attacks: study

LAHORE: Globally, 15 percent of companies have experienced cyber incidents due to insufficient cybersecurity investment in the last two years, according to a study by Kaspersky, a global cybersecurity and digital privacy company.

The study, which surveyed IT security professionals from small and medium enterprises (SMEs) and large corporations, found that critical infrastructure, oil and gas and energy organizations suffered the most cyber incidents due to improper budget allocation.

Similarly, one in five companies globally admitted they do not have the budget for adequate cybersecurity measures, resulting in vulnerability of their businesses to cyber-attacks.

Zohiab Khan, chairman of Pakistan Software Houses Association (P@SHA), said that Pakistan’s situation is not much different, but the banks and financial sector are protected due to their required investment in IT infrastructure and human resource development.

"The government is also making investments in the cyberspace protection and making measures by investment on cyber protection," Khan said. However, he added that other businesses including SMEs, need to do more in terms of cybersecurity, especially installing anti-virus software, training and raising awareness among their employees.

“Unfortunately, simple computer operators are assigned the task of cybersecurity in these companies, while they are unable to understand and equip themselves with the latest growing demands of cyber protection of the businesses,” Khan said.

Kaspersky study identified that the telecommunications sector suffered 13 percent of cyber incidents due to budget constraints, while transport and logistics, and financial services companies each saw 8 percent of them.

When asked about the budget for cybersecurity measures, 78 percent of global respondents said they are equipped to keep up with or even stay ahead of new threats. However, 21 percent of companies are not doing so well – 18 percent report that they don’t have sufficient funds to protect the company’s infrastructure properly. At the same time, there are still companies without cost allocations for cybersecurity at all – 3 percent claimed they don’t have a dedicated budget for cyber protection needs.

Many respondents' companies are eager to take steps to strengthen their cybersecurity in the next 1-1.5 years. One of the most popular areas of investment is threat detection software and trainings, where 39 percent of companies plan to allocate budgets for educational programs for cybersecurity professionals and 38 percent for training general staff.

Other popular measures organizations plan to take soon are introducing endpoint protection software, hiring additional IT professionals, and adopting SaaS cloud solutions, Chairman P@SHA also believed that Pakistani companies need to IT awareness among their employees and organized regular trainings.

"The IT awareness can guarantee cyber security, data protection and business viability," he said. "Sometime hackers do not hit the IT database but the lack of proper data security creates problems as the employees did not aware of the protection mechanism and keep their aces easy which is vulnerable and easy to hit the system infrastructures."

Ivan Vassunov, vice president of corporate products at Kaspersky, said that “today, companies must align cybersecurity investment with a business strategy and consider cybersecurity as one of their business goals.”

“The challenges can be met through the use of various modern approaches and technologies. For example, we are investing in developing our SASE portfolio as well as XDR and MDR with integrated AI, Machine Learning, automated detection and response, automated threat investigation, out of the box integrations and much more. To ensure process transparency and prove the value of our solutions, we also provide C-level dashboards and reports,” he added.