
Accounting for information protection costs. Direct and indirect costs of protecting the information of the enterprise Mass media

2018-08-21T12:03:34+00:00

Large commercial companies spend about 1% of their annual revenue on the physical security of their business. Enterprise security is as much a resource as technology and means of production. But when it comes to the digital protection of data and services, calculating the financial risks and the necessary costs becomes difficult. Here we look at how much of the IT budget it is reasonable to allocate to cybersecurity, and whether there is a minimum set of tools a company can get by with.

Security costs are on the rise

Commercial organizations around the world, according to a Gartner report, spent about $87 billion on cybersecurity needs in 2017, including software, specialized services and hardware. This is 7% more than in 2016. This year the figure is expected to reach $93 billion, and next year it will cross the $100 billion mark.

According to experts, the market for information security services in Russia is about 55-60 billion rubles (about 900 thousand dollars). Two thirds of it is taken up by government orders. In the corporate sector, the share of such costs strongly depends on the form of the enterprise, its geography and its field of activity.

Domestic banks and financial structures invest on average 300 million rubles a year in their cybersecurity, industrial companies up to 50 million, and retail chains from 10 to 50 million.

On the other hand, the growth figures for the Russian cybersecurity market have for several years been 1.5-2 times higher than the global ones. In 2017, growth was 15% (in terms of customers' money) relative to 2016. By the end of 2018 it may turn out to be even more impressive.

The high growth rates are explained by the general revival of the market and the sharply increased attention of organizations to the real security of their IT infrastructure and the safety of their data. The costs of building an information protection system are now treated as investments: they are planned in advance rather than funded from whatever is left over.

Positive Technologies singles out three drivers of growth:

  1. High-profile incidents of the last 1.5-2 years have led to a situation where today only the lazy do not understand the role of information security in the financial stability of an enterprise. One in five top managers takes an interest in practical security in the context of their business.

     The past year has been instructive for businesses that ignore the basics. The absence of up-to-date patches and the habit of working without regard to vulnerabilities led to the shutdown of Renault plants in France and of Honda and Nissan plants in Japan; banks, energy and telecommunications companies were affected. For Maersk, for example, a single incident cost $300 million.

  2. The WannaCry, NotPetya and Bad Rabbit ransomware epidemics taught domestic companies that installing antiviruses and firewalls is not enough to feel safe. You need a comprehensive strategy, an inventory of your IT assets, dedicated resources and a threat response plan.
  3. In a sense, the tone is set by the state, which has announced a course towards a digital economy covering all spheres (from healthcare and education to transport and finance). This policy directly affects the growth of the IT sector in general and of information security in particular.

The cost of security vulnerabilities

All of this is instructive, but every business is a unique story. The question of how much of the company's overall IT budget to spend on information security, although not quite the right way to frame the problem, is, from the customer's point of view, the most pressing one.

The international research company IDC, using the Canadian market as an example, calls 9.8-13.7% of the total IT budget the optimal share of investment in cybersecurity. That is, Canadian businesses currently spend on average about 10% for these needs (this is considered the mark of a healthy company), but, judging by the polls, they would like to be closer to 14%.

Companies do not need to guess how much they should spend on information security in order to feel secure. Today, assessing the risks from cybersecurity incidents is no more difficult than calculating the losses from physical threats. There are worldwide statistics according to which:

  • Hacker attacks cost the global economy more than $110 billion annually.
  • For small businesses, each incident costs an average of $188,000.
  • 51% of hacks in 2016 were targeted, that is, carried out by organized criminal groups against a specific company.
  • 75% of attacks are financially motivated, carried out with the aim of causing material damage.

In the spring of 2018, Kaspersky Lab carried out its own large-scale study. According to a survey of 6 thousand company specialists around the world, the damage from corporate network hacks and data leaks has grown by 20-30% over the past couple of years.

The average cost of damage as of February 2018 for commercial organizations, regardless of size or field of activity, was $1.23 million. For SMEs, a mistake by personnel or successful actions by hackers cost 120 thousand dollars.

Feasibility study for information security

To correctly assess the financial resources needed to organize information security at an enterprise, a feasibility study must be drawn up.

  1. Carry out an inventory of the IT infrastructure and assess the risks, compiling a list of vulnerabilities in descending order of importance. Reputational losses (an increase in insurance rates, a decrease in the credit rating, the cost of downtime of services) and the cost of restoring the system (updating equipment and software) are also included here.
  2. Define the tasks that the information security system should solve.
  3. Select the equipment and tools for solving those tasks and determine their cost.
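As an added illustration of the three steps above (not part of the original article), the following Python script ranks a constructed risk register by expected annual loss, using the loss components named in step 1, and then funds mitigations in that order within a security budget set to the 10% share of the IT budget cited from IDC above. All risks, costs and the IT budget are invented assumptions.

```python
"""Risk-ranked information security budget plan for a feasibility study.

Constructed example: the risks, costs and IT budget below are invented for
illustration. The 10% security share follows the IDC figure quoted in the
article; the loss components (downtime, restoration, reputational) follow step 1.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    annual_probability: float    # assumed chance of at least one incident per year
    downtime_hours: float        # expected service downtime per incident
    downtime_cost_per_hour: float
    restoration_cost: float      # updating equipment and software after the incident
    reputational_cost: float     # insurance surcharge, credit-rating effects, etc.
    mitigation_name: str         # tool or service chosen in step 3
    mitigation_cost: float       # its first-year cost

    def single_loss(self) -> float:
        """Loss from one incident: downtime plus restoration plus reputational damage."""
        return (self.downtime_hours * self.downtime_cost_per_hour
                + self.restoration_cost + self.reputational_cost)

    def expected_annual_loss(self) -> float:
        """Importance used for ranking in step 1: probability times single loss."""
        return self.annual_probability * self.single_loss()


def rank_risks(risks):
    """Step 1: list the vulnerabilities in descending order of importance."""
    return sorted(risks, key=lambda r: r.expected_annual_loss(), reverse=True)


def plan_budget(risks, it_budget, security_share=0.10):
    """Steps 2-3: fund mitigations in order of importance within the security budget.

    A mitigation is funded only if it still fits the remaining budget and costs
    less than the annual loss it is meant to prevent; everything else is deferred.
    """
    budget = it_budget * security_share
    remaining = budget
    funded, deferred = [], []
    for risk in rank_risks(risks):
        affordable = risk.mitigation_cost <= remaining
        worthwhile = risk.mitigation_cost < risk.expected_annual_loss()
        if affordable and worthwhile:
            funded.append(risk.mitigation_name)
            remaining -= risk.mitigation_cost
        else:
            deferred.append(risk.mitigation_name)
    return {"budget": budget, "funded": funded, "deferred": deferred,
            "unspent": remaining}


# Constructed sample register (all values invented; monetary units are arbitrary).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", 0.3, 48, 5_000, 50_000, 100_000,
         "Backups and endpoint detection", 60_000),
    Risk("Phishing leading to mailbox takeover", 0.6, 8, 5_000, 10_000, 50_000,
         "Email protection and multi-factor authentication", 15_000),
    Risk("Web site defacement", 0.2, 24, 2_000, 5_000, 20_000,
         "Web application firewall", 20_000),
    Risk("Unpatched remote access service", 0.4, 72, 5_000, 80_000, 200_000,
         "Patch management and VPN", 40_000),
]


if __name__ == "__main__":
    for risk in rank_risks(SAMPLE_RISKS):
        print(f"{risk.name:40s} expected annual loss {risk.expected_annual_loss():>10,.0f}")
    print(plan_budget(SAMPLE_RISKS, it_budget=1_000_000))
```

The greedy order follows the article's "descending order of importance"; a deferred but cheap mitigation (here, the phishing one) is a signal to revisit the budget share rather than to drop the control.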

If the company does not have the competencies to assess cybersecurity threats and risks, an information security audit can always be ordered from an outside firm. Today this procedure is quick, inexpensive and painless.

For industrial companies with a high level of process automation, experts recommend the Adaptive Security Architecture model proposed by Gartner in 2014. It allows information security costs to be properly reallocated, paying more attention to tools for detecting and responding to threats, and implies the implementation of a monitoring and analytics system for the IT infrastructure.

How much cybersecurity costs for small companies

The authors of the Capterra blog decided to count how much an information security system costs on average for small and medium-sized businesses in the first year of use. For this they selected a list of 50 popular off-the-shelf ("boxed") offerings on the market.

It turned out that the price range is quite wide: from $50 per year (there are even 2-3 free solutions for small companies) up to 6 thousand dollars (there are individual packages at 24 thousand each, but they were not included in the calculation). On average, a small business can count on $1,400 to build a basic system of protection against cyber threats.

The cheapest are technical solutions such as a business VPN or email protection, which help protect against specific types of threats (such as phishing).

At the other end of the spectrum are complete monitoring systems with "advanced" event response and comprehensive protection tools. They help protect the corporate network from large-scale attacks and sometimes even make it possible to predict them and stop them at an early stage.

A company can choose from several payment models for an information security system:

  • Price per license. The average price is $1,000-2,000, with a range from $26 to $6,000 per license.
  • Price per user. The average cost of an information security system per user is $37, with a range from $4 to $130 per person per month.
  • Price per connected device. The average cost for this model is $2.25 per device, with a range from $0.96 to $4.5 per month.

To correctly calculate the cost of information security, even a small company will have to implement the basics of risk management. The very first incident (a site, service or payment system goes down) that cannot be fixed within 24 hours can lead to the closure of the business.

"Financial Newspaper. Regional Edition", 2008, No. 41

In modern conditions, the importance of ensuring information security must not be underestimated. The slightest leak of confidential information to competitors can lead to large economic losses for the company, production stoppages and even bankruptcy.

The objectives of information security are: preventing the leakage, theft, loss, distortion or forgery of information; preventing unauthorized actions to destroy, modify, distort, copy or block information; and preventing other forms of illegal interference with the organization's information resources and information systems.

The costs of protecting information mainly consist of acquiring the means to protect it from unauthorized access. There are many information security tools; conventionally they can be divided into two large groups. The first is means that have a material basis, such as safes, CCTV cameras, security systems, etc. In accounting, they are recorded as fixed assets. The second is means that have no material basis, such as antivirus software, programs for restricting access to information in electronic form, etc. Let us consider the specifics of accounting for this second group of information security tools.

When a program for ensuring the protection of information is purchased, exclusive rights to it do not pass to the buyer; only a protected copy of the program is purchased, which the buyer may not copy or distribute. Therefore, for such programs one should be guided by Chapter VI, "Accounting for transactions related to the granting (obtaining) of the right to use intangible assets", of the new PBU 14/2007 "Accounting for intangible assets".

In rare cases, when acquiring information security programs, the company acquires exclusive rights to the product. In this case, the program is recorded in accounting as an intangible asset.

According to PBU 14/2007, intangible assets provided for use under a license agreement, where payment for the right of use is made as a fixed one-time payment and the exclusive rights do not pass to the buyer, must be recorded by the recipient as deferred expenses and reflected on an off-balance sheet account (clause 39). In this case, the period over which these expenses are written off to expense accounts is established by the license agreement. In tax accounting, the costs of acquiring information protection software are recorded as other expenses and written off in the same way, in equal parts over the period established in the license agreement (subparagraph 26 of paragraph 1 of Article 264 of the Tax Code of the Russian Federation).

If payment for the right to use a software product that provides information protection is made as periodic payments, then according to clause 39 of PBU 14/2007 the user includes them in the expenses of the reporting period in which they were made.

In practice, the license agreement does not always specify the term of use of the software. When the relationship between income and expenses cannot be clearly determined, in tax accounting the costs of acquiring information protection programs are allocated by the taxpayer independently for the purpose of calculating income tax, taking into account the principle of uniform recognition of income and expenses (clause 1 of Article 272 of the Tax Code of the Russian Federation). In accounting, the period over which these expenses are written off from account 97 is set by the management of the enterprise based on the expected period of use of the program.

Example 1. OJSC "Alpha" acquired a licensed copy of an anti-virus program from LLC "Betta" for 118,000 rubles, including VAT (18%). The license agreement establishes a period of use of the program of 9 months.

In the accounting of OJSC "Alpha" the program should be taken into account as follows:

D-t 60, K-t 51 - 118,000 rubles. - the cost of the software has been paid to the supplier;

D-t 60, K-t 97 - 100,000 rubles. - the received program is reflected as deferred expenses;

D-t 002 - 100,000 rubles. - the received program is reflected in the off-balance sheet account;

D-t 19, K-t 60 - 18,000 rubles. - VAT allocated;

D-t 68, K-t 19 - 18,000 rubles. - accepted for deduction of VAT;

D-t 26 (44), K-t 97 - 11,111.11 rubles. (100,000 rubles / 9 months) - every month for 9 months the cost of the anti-virus program is written off to expenses in equal parts.

Let us change the conditions of Example 1: suppose OJSC "Alpha" pays not in a lump sum but in equal installments throughout the entire validity period of the license agreement. The payments will amount to 11,800 rubles per month, including VAT.

In this case, the following entries will be made in accounting:

D-t 002 - 90,000 rubles. (10,000 rubles x 9 months) - the received program is reflected in the off-balance sheet account;

D-t 60, K-t 51 - 11,800 rubles. - monthly for 9 months the supplier is paid the cost of the software product;

D-t 19, K-t 60 - 1,800 rubles. - VAT allocated;

D-t 26 (44), K-t 60 - 10,000 rubles. - the cost of the program has been written off as expenses;

D-t 68, K-t 19 - 1,800 rubles. - accepted for deduction of VAT.

Often, before the license agreement expires, the developer of the information security software releases an update. In this case, the expenses in accounting and tax accounting are accepted as a lump sum upon updating.

It is also common practice for a development company to provide its software to organizations free of charge for a short period for evaluation. To correctly reflect an information security program received free of charge, it must be recorded as part of deferred income at market value.

Example 2. Betta LLC provided OJSC Alfa with information security software free of charge for a period of 3 months. The market price of this software product is 3,300 rubles.

The following entries should be made in the accounting records of OJSC "Alpha":

D-t 97, K-t 98 - 3,300 rubles. - the software received free of charge is recorded;

D-t 98, K-t 91 - 1,100 rubles. - monthly for three months, a part of deferred income is accepted as other income.

In tax accounting, income from a program received free of charge will also be accepted within three months (clause 2 of article 271 of the Tax Code of the Russian Federation).

The costs of information protection include not only the acquisition of information security tools but also the cost of consulting (information) services for information protection (not related to the acquisition of intangible assets, fixed assets or other assets of the organization). According to clause 7 of PBU 10/99 "Organization expenses", the costs of consulting services are included in accounting in the expenses for ordinary activities of the reporting period in which they were incurred. In tax accounting, they are other expenses associated with the production and sale of products (subparagraph 15 of paragraph 1 of Article 264 of the Tax Code of the Russian Federation).

Example 3. Betta LLC provided information security consulting services to Alfa OJSC for a total of 59,000 rubles, including VAT of 9,000 rubles.

The following entries should be made in the accounting records of OJSC "Alpha":

D-t 76, K-t 51 - 59,000 rubles. - paid for consulting services;

D-t 26 (44), K-t 76 - 50,000 rubles. - consulting services on information security are written off as expenses for ordinary activities;

D-t 19, K-t 76 - 9,000 rubles. - VAT allocated;

D-t 68, K-t 19 - 9,000 rubles. - accepted for deduction of VAT.

Enterprises that use the simplified tax system, in accordance with subparagraph 19 of paragraph 1 of Article 346.16 of the Tax Code of the Russian Federation, will be able to accept only the costs of purchasing information security software as expenses that reduce the taxable base. Information security consulting costs are not mentioned in Article 346.16 of the Tax Code of the Russian Federation, so such enterprises are not entitled to accept them for the purposes of taxation of the organization's profits.

V. Schanikov, assistant auditor, Audit Department, Baker Tilly Rusaudit LLC

Purpose of the study: to analyze and determine the main trends in the Russian information security market.
Data from Rosstat (statistical reporting forms No. 3-Inform, P-3, P-4), the financial statements of enterprises, etc. were used.

Use of information and communication technologies and information security tools by organizations

  • To prepare this section, aggregated data, including data from geographically separate divisions and representative offices, were used (Form 3-Inform "Information on the use of information and communication technologies and the production of computers, software and services in these areas").

The period 2012-2016 is analyzed. The data do not claim to be complete (since they are collected for a limited number of enterprises), but in our opinion they can be used to assess trends. The number of responding enterprises for the period under review ranged from 200 to 210 thousand. That is, the sample is fairly stable and includes the most likely consumers (large and medium-sized enterprises), which account for the bulk of sales.

Availability of personal computers in organizations

According to statistical reporting form 3-Inform, in 2016 the Russian organizations that reported on this form had about 12.4 million personal computers (PCs). By PC we here mean desktop and laptop computers; the concept does not include mobile phones and pocket computers.

Over the past 5 years, the number of PCs in organizations in Russia as a whole has grown by 14.9%. The best-equipped federal district is the Central Federal District, which accounts for 30.2% of PCs in companies. The undisputed leader in this indicator is the city of Moscow: according to data for 2016, Moscow companies have about 1.8 million PCs. The lowest value of the indicator was noted in the North Caucasus Federal District, where organizations have only about 300 thousand PCs; the smallest number, 5.45 thousand units, is in the Republic of Ingushetia.

Fig. 1. Number of personal computers in organizations, Russia, millions.

Information and communication technology spending by organizations

In 2014-2015, due to the unfavorable economic environment, Russian companies were forced to minimize their costs, including spending on information and communication technology. In 2014, ICT spending fell by 5.7%, but by the end of 2015 there was already a slight positive trend. In 2016, Russian companies' spending on information and communication technologies amounted to 1.25 trillion rubles, exceeding the figure of the pre-crisis year 2013 by 0.3%.

The main part of the costs falls on companies located in Moscow: over 590 billion rubles, or 47.2% of the total. The largest volumes of organizations' expenses on information and communication technologies in 2016 were recorded in the Moscow region (76.6 billion rubles), St. Petersburg (74.4 billion rubles), the Tyumen region (56.0 billion rubles), the Republic of Tatarstan (24.7 billion rubles) and the Nizhny Novgorod region (21.4 billion rubles). The lowest expenditures were recorded in the Republic of Ingushetia: 220.3 million rubles.

Fig. 2. Companies' expenditures on information and communication technologies, Russia, billion rubles.

Use of information security tools by organizations

Recently there has been a significant increase in the number of companies using information security tools. The annual growth rate of their number is quite stable (with the exception of 2014) and amounts to about 11-19% per year.

According to official data from Rosstat, the most popular means of protection at present are technical means of user authentication (tokens, USB keys, smart cards). Of more than 157 thousand companies, 127 thousand (81%) indicated the use of these particular tools for information protection.

Fig. 3. Distribution of organizations by use of information security tools, 2016, Russia, %.

According to official statistics, in 2016, 161,421 companies used the Internet for commercial purposes. Among organizations that use the Internet for commercial purposes and have indicated the use of information security tools, the electronic digital signature is the most popular: more than 146 thousand companies, or 91% of the total, indicated this tool as a means of protection. By the information security tools used, the companies were distributed as follows:

    • Means of electronic digital signature - 146,887 companies;
    • Regularly updated anti-virus programs - 143,095 companies;
    • Software or hardware that prevents unauthorized access by malicious programs from global or local networks (firewall) - 101,373 companies;
    • Spam filter - 86,292 companies;
    • Encryption tools - 86,074 companies;
    • Computer or network intrusion detection systems - 66,745 companies;
    • Software tools for automating the analysis and control of the security of computer systems - 54,409 companies.

Fig. 4. Distribution of companies using the Internet for commercial purposes, by means of protecting information transmitted over global networks, 2016, Russia, %.

In the period 2012-2016, the number of companies using the Internet for commercial purposes increased by 34.9%. In 2016, 155,028 companies used the Internet to communicate with suppliers and 110,421 companies to communicate with consumers. Of the companies using the Internet to communicate with suppliers, the following purposes of use were indicated:

  • obtaining information about the necessary goods (works, services) and their suppliers - 138,224 companies;
  • providing information about the organization's needs for goods (works, services) - 103,977 companies;
  • placing orders for goods (works, services) needed by the organization (excluding orders sent by e-mail) - 95,207 companies;
  • payment for the supplied goods (works, services) - 89,279 companies;
  • receipt of electronic products - 62,940 companies.

Of the total number of companies using the Internet to communicate with consumers, the following purposes of use were indicated:

  • providing information about the organization, its goods (works, services) - 101,059 companies;
  • (works, services) (excluding orders sent by e-mail) - 44,193 companies;
  • electronic settlements with consumers - 51,210 companies;
  • distribution of electronic products - 12,566 companies;
  • after-sales service (service) - 13,580 companies.

The volume and dynamics of the budgets of federal executive authorities for information technology in 2016-2017

According to the Federal Treasury, the total limits of budgetary obligations for 2017 communicated to the federal executive authorities under expense type code 242 "Purchase of goods, works, services in the field of information and communication technologies", in terms of information that does not constitute a state secret, amounted to 115.2 billion rubles as of August 1, 2017. This is about 5.1% more than the total IT budgets of federal executive authorities in 2016 (109.6 billion rubles, according to the Ministry of Telecom and Mass Communications). Thus, while the total IT budgets of federal agencies continue to grow from year to year, the growth rate has decreased (in 2016, the total IT budgets increased by 8.3% compared to 2015). At the same time, there is ever-increasing stratification between "rich" and "poor" departments in terms of spending on information and communication technology. The undisputed leader, not only in the size of its budget but also in its level of achievement in IT, is the Federal Tax Service. Its ICT budget this year is more than 17.6 billion rubles, which is more than 15% of the budget of all federal executive authorities. The combined share of the top five (Federal Tax Service, Pension Fund, Treasury, Ministry of Internal Affairs, Ministry of Telecom and Mass Communications) is more than 53%.

Fig. 5. Structure of budget expenditures for the purchase of goods, works and services in the field of information and communication technologies, by federal executive authority, 2017, %

Legislative regulation in the field of procurement of software for state and municipal needs

From January 1, 2016, all state and municipal bodies, the state corporations Rosatom and Roskosmos, the governing bodies of state extra-budgetary funds, and state and budgetary institutions that make purchases in accordance with Federal Law No. 44-FZ of April 5, 2013 "On the contractual system in the field of procurement of goods, works, services to meet state and municipal needs" are obliged to comply with the ban on the admission of software originating from foreign countries for purchases to meet state and municipal needs. The ban was introduced by Decree of the Government of the Russian Federation No. 1236 of November 16, 2015 "On the establishment of a ban on the admission of software originating from foreign countries for the purpose of making purchases to meet state and municipal needs". When purchasing software, the aforementioned customers must explicitly state the prohibition on purchasing imported software in the purchase notice. The prohibition applies to the procurement of software for electronic computers and databases, regardless of the type of contract, whether supplied on a tangible medium and (or) in electronic form via communication channels, as well as to exclusive rights to such software and the rights to use it.

There are a few exceptions under which customers are allowed to purchase imported software:

  • procurement of software and (or) rights to it by diplomatic missions and consular offices of the Russian Federation, trade missions of the Russian Federation with international organizations to ensure their activities in a foreign state;
  • procurement of software and (or) rights to it, information about which and (or) the procurement of which constitutes a state secret.

In all other cases, before purchasing software the customer will need to consult the unified register of Russian programs for electronic computers and databases and the classifier of programs for electronic computers and databases.
The Ministry of Telecom and Mass Communications of Russia is engaged in the formation and maintenance of the register as an authorized federal executive body.
As of the end of August 2017, the register contains 343 software products belonging to the class of "information security tools" of 98 Russian development companies. Among them are software products of such major Russian developers as:

  • JSC "Information Technologies and Communication Systems" ("InfoTeKS") - 37 software products;
  • AO Kaspersky Lab - 25 software products;
  • Security Code LLC - 19 software products;
  • Crypto-Pro LLC - 18 software products;
  • Doctor WEB LLC - 12 software products;
  • LLC "S-Terra CSP" - 12 software products;
  • CJSC "Aladdin R.D." - 8 software products;
  • InfoWatch JSC - 6 software products.

Analysis of the activities of the largest players in the field of information security

  • As the main information for analyzing the activities of the largest players in the information security market, in preparing this study we used information on public procurement in the field of information and communication activities and, in particular, information security.

To analyze trends, we selected 18 companies that are among the leaders in the information security market and are actively involved in government procurement. The list includes both the developers of software and hardware and software protection systems, and the largest system integrators. The total revenue of these companies in 2016 amounted to 162.3 billion rubles, exceeding the indicator of 2015 by 8.7%.
Below is the list of companies selected for the study.

Tab. 1. Companies selected for research

No. | Name | INN | Type of activity (OKVED 2014)
1 | I-Teco, JSC | 7736227885 | Activities related to the use of computers and information technology, other (62.09)
2 | Croc Incorporated, JSC | 7701004101 |
3 | "Informzashita", CJSC NIP | 7702148410 | Research and development on social sciences and humanities (72.20)
4 | Softline Trade, JSC | 7736227885 |
5 | Technoserv AS, LLC | 7722286471 | Wholesale of other machinery and equipment (46.69)
6 | Elvis-plus, JSC | 7735003794 |
7 | Asteros, JSC | 7721163646 | Wholesale trade in computers, computer peripherals and software (46.51)
8 | "Production company Aquarius", LLC | 7701256405 |
9 | Lanit, JSC | 7727004113 | Wholesale of other office machinery and equipment (46.66)
10 | "Jet Infosystems", JSC | 7729058675 | Wholesale of computers, computer peripherals and software (46.51)
11 | "Dialogue Science", JSC | 7701102564 | Computer software development (62.01)
12 | "Factor-TS", LLC | 7716032944 | Manufacture of computers and peripheral equipment (26.20)
13 | Infotecs, OJSC | 7710013769 | Computer software development (62.01)
14 | "Ural Center for Security Systems", LLC | 6672235068 | Activities in the field of architecture, engineering research and the provision of technical advice in these areas (71.1)
15 | "ICEl-KPO VS", JSC | 1660014361 | Computer software development (62.01)
16 | NVision Group, JSC | 7703282175 | Wholesale trade, non-specialized (46.90)
17 | "Confident-integration", LLC | 7811512250 | Data processing, hosting and related activities (63.11)
18 | "Kaluga astral", JSC | 4029017981 | Advisory activities and work in the field of computer technology (62.02)

As of the end of October 2017, the companies in this sample had concluded 1,034 contracts with government agencies worth 24.6 billion rubles. I-Teco leads this list in terms of the volume of concluded contracts: 74 contracts worth 7.5 billion rubles.
Over the past years, with the exception of the crisis year 2014, there has been a constant increase in the total volume of contracts for the selected companies. The most significant dynamics fall in the period 2015-2016: in 2015 the volume of contracts increased more than 3.5 times, and in 2016 by 1.5 times. Based on the available data on the companies' contract activity for January-October 2017, it can be assumed that in 2017 the total volume of contracts with government agencies will be about 37-38 billion rubles, that is, a decrease of around 40% is expected.

The Kaspersky Lab Global Corporate IT Security Risks Survey is an annual analysis of corporate information security trends around the world. We consider such important aspects of cybersecurity as the amount of information security costs, the current types of threats for various types of companies and the financial consequences of confronting these threats. In addition, by gaining insight into information security budgeting from executives, we can see how companies around the world are responding to changes in the threat landscape.

In 2017, we tried to understand whether companies see information security as a cost source (a necessary evil for which they have to spend money), or are beginning to consider it a strategic investment (that is, a means of ensuring business continuity that provides significant benefits in an era of rapidly developing cyber threats).

This is a very important issue, especially since the IT budget has been declining in most regions of the world.

In Russia, however, 2017 saw a slight increase in the average security budget - 2%. The average information security budget in Russia was about 15.4 million rubles.

This report details the types of threats faced by companies of all sizes, as well as patterns in the distribution of IT costs.

General information and research methodology

Kaspersky Lab's Global Corporate IT Security Risks Survey is a survey of IT managers about security in their organizations; it has been conducted annually since 2011.

The most recent data was collected in March and April 2017. A total of 5,274 respondents from more than 30 countries were interviewed, representing companies of various sizes.

The following designations are used in the report: small business (fewer than 50 employees), SMB (small and medium business, from 50 to 250 employees) and large business (companies with a staff of 250 or more). The current report presents an analysis of the most indicative parameters from the survey.

Main conclusions:

It is becoming more difficult for companies of all sizes to deal with cyber threats, and protection costs are increasing as well. In Russia, in the segment of medium and small business, the average cost of eliminating the consequences of just one cyber incident is 1.6 million rubles, and for the segment of large business, the cost is 16.1 million rubles.

The share of the IT budget devoted to information security is growing. This is true for companies of all sizes. At the same time, the total amount of the budget remains low, and in Russia the growth was only 2%, so specialists are forced to carry out their tasks with few resources.

The damage from an incident alone is growing, and companies that do not prioritize information security costs may soon face major challenges. The study showed that in the SMB segment, companies spend about 300 thousand rubles for each security incident on additional payments to staff, and large corporations can spend 2.7 million rubles to reduce damage to the brand.

Damage from security incidents

The damage from cybersecurity incidents continues to grow, as companies have to deal with a myriad of consequences, from additional public outreach to hiring new employees. In 2017, there was a further increase in financial losses in the event of data integrity violations. This should influence the approach to this issue: companies will no longer see the costs of cybersecurity as a necessary evil and will begin to view them as investments that will avoid significant monetary losses in the event of an attack.

Serious data integrity violations are getting more and more expensive

The biggest concern for CTOs is massive attacks that leak millions of records. These were the attacks on the UK National Health Service (NHS), Sony or the HBO hack with the release of confidential data related to the series "Game of Thrones". In reality, however, such major incidents are the exception rather than the rule. Most cyberattacks did not make headlines until last year and remained the domain of special reports for specialists. Of course, the ransomware epidemics have changed the situation a little, but still the corporate segment of the business does not understand the whole picture.

The relatively small number of known large-scale cyberattacks does not mean that the damage from most attacks is insignificant. So, how much on average do companies spend on fixing a “typical” data integrity violation? We asked survey participants to estimate how much their company spent / lost as a result of any security incident that occurred in the past year.

All companies with 50 or more employees were required to estimate the costs incurred in each of the following categories:

For each of the categories, we calculated the average costs incurred by companies faced with information security incidents, and the sum of all categories allowed us to estimate the amount of total damage caused by an information security incident.

The results for the SME segment and large business are separately shown below, since the statistics for them differ in many respects. For example, the average damage for Russian SMB companies is almost 1.6 million rubles, while for large businesses it is almost ten times higher - 16.1 million rubles. This shows that cyberattacks are costly for companies of all sizes.

It is not surprising that large businesses, on average, suffer more losses when data integrity is violated, but it is interesting to analyze the distribution of damage by category.

In the past year, employee benefits were the largest expense for both SMB and large businesses. However, this year the picture has changed, with different types of expenses becoming the main ones for companies of different sizes. Small and medium-sized businesses still lose the most on employee benefits. But big business began to invest in additional PR in order to reduce damage to the brand's reputation. In addition, a significant cost item for large businesses was the cost of improving technical equipment and purchasing additional software.

For all companies, the cost of employee training has increased. Security incidents often make companies realize the importance of increasing cyber literacy and improving threat intelligence.

The more extensive internal resources of large companies and the specifics of the regulation of their activities determine a different balance between the costs of eliminating the threat itself and the costs of compensation for damage. Increased insurance premiums, deteriorating credit ratings and undermining confidence in the company were a serious expense item: on average, after each incident large companies lose about 2.3 million rubles on this.

Our research showed that much of the cost increases were due to the need to prevent - or at least reduce - reputational losses in the form of credit ratings, brand image and compensation.

Due to the widespread implementation of new regulations, average damage is likely to continue to grow, as companies will have to publicly report all incidents and increase the transparency of data protection.

Such trends are typical, for example, in Japan, where the average cost of eliminating the consequences of a security breach has more than doubled: from $ 580,000 in 2016 to $ 1.3 million in 2017. The Japanese government has taken steps to tighten regulatory requirements in response to an increase in cybersecurity threats. In 2017, new laws came into force, which caused a sudden rise in costs.

However, the development and implementation of laws takes time. With the rapidly evolving corporate IT landscape and the evolution of cyber threats, regulatory lag is becoming a major challenge. For example, new Japanese standards were agreed in 2015, but their entry into force had to be postponed for two whole years. For many, the delay came at a cost: over the past two years, a number of large Japanese companies fell victim to costly attacks. One example is travel company JTB Corp., which faced a huge leak in 2016. Data from 8 million customers were stolen, including names, addresses and passport numbers.

This is one of the symptoms of a global problem: threats are developing rapidly, and the inertia of governments and companies is too high. Another example of tightening the screws is the EU General Data Protection Regulation (GDPR), which comes into force in May 2018 and significantly limits the acceptable ways of processing and storing the data of EU citizens.

Laws are changing all over the world, but they cannot keep up with cyber threats; the three waves of ransomware in 2017 were a reminder of this in Russia. Therefore, businesses should be aware of the imperfections of the legislation and strengthen protection in accordance with the actual circumstances, or accept in advance the damage to reputation and customers. It is worth preparing for new regulatory requirements without waiting for deadlines. By changing policies only after the relevant laws are released, companies risk not only fines but also the security of their own and their customers' data.

There is no such thing as someone else's vulnerability: partner security breaches are expensive

To protect against data leaks, it is very important to understand which attack vectors are used by attackers. In turn, this information will help you understand which types of attacks are the most costly.

The survey showed that the following incidents had the most severe financial consequences for medium and small businesses:

  • Incidents affecting infrastructure hosted on third-party equipment (RUB 17.2 million)
  • Incidents affecting third-party cloud services used by the company (3.6 million rubles)
  • Improper data exchange via mobile devices (RUB 2.5 million)
  • Physical loss of mobile devices, exposing the organization to risks (RUB 2.1 million)
  • Incidents related to non-computing devices connected to the Internet (for example, industrial control systems, the Internet of Things) (1.7 million rubles)

The situation with big business is somewhat different:

  • Targeted attacks (RUB 75 million)
  • Incidents affecting third-party cloud services (RUB 19 million)
  • Viruses and malware (RUB 9 million)
  • Improper data exchange via mobile devices (RUB 7.3 million)
  • Incidents affecting suppliers with whom companies exchange data (4.4 million rubles)

From this data it can be seen that, very often, attacks caused by security problems at business partners are the most expensive for companies of all sizes. This applies both to organizations that rent cloud or other infrastructure from third-party providers and to companies that exchange their data with partners.

Once you give another company access to your data or infrastructure, their weaknesses become your problem. However, we have already observed that most organizations do not attach sufficient importance to this. Therefore, it is not surprising that incidents of this kind are the most costly: any boxer will tell you that it is the unexpected blow that usually knocks out.

Also immediately noticeable is another vector that has unexpectedly entered the top 5 threats for midsize business: attacks involving connected devices other than computers. Today, Internet of Things (IoT) traffic is growing much faster than traffic generated by any other technology. This is another example of how new developments are increasing the number of potential vulnerabilities in business infrastructure. In particular, the widespread use of factory default passwords and weak security features on IoT devices has made them easy prey for botnets such as Mirai, malware that can combine a huge number of vulnerable devices into a single network to launch large-scale DDoS attacks against selected targets.

Notable is the size of the losses from targeted attacks in the large business segment; this threat is extremely difficult to counter. Over the past couple of years, a number of high-profile targeted attacks on banks have become known, which also reinforces these disappointing statistics.

Investing in risk reduction

As our research has shown, threats to information security are becoming more serious. In these conditions, one cannot but worry about the state of the information security budgets themselves. By analyzing their changes, we can decide whether organizations see their security as a source of costs, or the balance is gradually changing, and they are beginning to see a field for investments that give a real competitive advantage.

The size of the budget shows the company's attitude towards IT security, the importance of the role of the security system from the point of view of management, and the organization's willingness to take risks.

Information security budget: the share is growing, the "pie" is decreasing

This year, we see that savings and outsourcing have led to shrinking IT budgets. Despite this (and perhaps because of this), the share of information security in these IT budgets has increased. In Russia, a positive trend can be seen in companies of all sizes. Even among micro-businesses operating in conditions of lack of resources, the share of IT budgets devoted to information security has grown, albeit by a fraction of a percent.

This means that companies are finally starting to understand the importance of information security. Perhaps this shows that information security began to be perceived by many as a potentially useful investment, and not as a source of costs.

We are seeing that in the world, IT budgets are significantly reduced. While cyber security is gaining a larger piece of the pie, the pie itself is shrinking. The trend is worrisome, especially given how high the stakes are in this area and how expensive each attack is.

In Russia, the average information security budget for large businesses in 2017 reached 400 million rubles, and for SMB - 4.6 million rubles.

Sample: 694 respondents in Russia able to assess the budget

Unsurprisingly, government service providers (including the defense sector) and financial institutions around the world report the highest information security spending this year. Businesses in both of these sectors spent an average of more than US$5 million on security. It is worth noting that the IT and telecommunications sector, as well as companies in the energy sector, also spent more than average on information security, although their budgets turned out to be closer to $3 million than $5 million.

However, if the total costs are divided by the number of employees, government organizations move towards the end of the list. On average, IT and telecoms spend $1,258 per employee on information security, the energy sector $1,344 and finance companies $1,436. By comparison, government agencies allocate only US$959 per person for cybersecurity.

Both in the IT and telecommunications segment and in the energy supply industry, high costs per employee are most likely associated with the need to protect intellectual property, which is especially urgent in these sectors of the economy. In the case of utilities, the high costs of protection can also be attributed to the fact that these companies are increasingly vulnerable to targeted attacks by malicious groups.

In this industry, investment in information security is essential to survival because business continuity is critical to the power supply. The consequences of a successful cyberattack in this industry are especially difficult, so investments in information security acquire very tangible benefits.

In Russia, the largest investors in information security are IT and telecommunications companies and industrial enterprises: average costs for the former reach 300 million rubles, for the latter 80 million rubles. Industrial and manufacturing companies tend to rely on industrial control systems (ICS) to ensure the continuity of production processes. At the same time, attacks on ICS are increasing in number: over the past 12 months, their number has grown by 5%.

Reasons for Investing in Information Security

The spread of the amounts of investments in information security between sectors is very large. Therefore, it is especially important to find out the reasons that induce companies to spend limited resources on information security. Without knowing the motives, it is impossible to understand whether the company considers the money spent on the security of the IT infrastructure wasted or considers it as a profitable investment.

In 2017, significantly more companies around the world admitted they were going to invest in cybersecurity regardless of the expected return on investment: 63%, up from 56% in 2016. This shows that more and more companies understand the importance of information security.

The main reasons for the increase in the information security budget, Russia

Not all companies expect a quick return on investment, but many global companies cited pressure from key stakeholders, including the company's top management (32%), as the reason for the increase in information security budgets. This shows that companies are beginning to see a strategic advantage in the growth of information security costs: security measures make it possible not only to protect themselves in the event of an attack, but also to demonstrate to customers that their data is in safe hands, and to ensure the business continuity in which the company's management is interested.

The most popular reason for increasing information security spending, named by domestic companies, was the need to protect an increasingly complex IT infrastructure (46%); the need to improve the qualifications of information security experts was noted by 30%. These numbers indicate a need to raise the level of expertise available to the company by developing the skills of its own employees. Indeed, small, medium-sized and large enterprises alike are increasingly investing in supporting their internal workforce in the fight against cyber threats.

At the same time, the need to increase information security costs due to new business operations or company expansion among Russian businesses has decreased: from 36% last year to 30% in 2017. Perhaps it reflects the macroeconomic factors that our companies have had to face recently.

Conclusion

Mass attacks such as WannaCry, ExPetr and BadRabbit caused massive damage in 2017. The damage from targeted attacks, in particular on Russian banks, is also great. All of this demonstrates that the cyber threat landscape is changing rapidly and inevitably. Companies have to adapt their defenses or go out of business.

An increasingly significant factor in business decision making is the difference between the cost of preparing to fend off cyberattacks and the costs incurred by the victim.

The report shows that even relatively small data breaches that are not of interest to the general public can be very costly for the company and seriously affect its operations. Another reason for the rise in costs in the event of security incidents is changes in legislation around the world. Companies have to either adapt or risk both non-compliance and possible hacking.

In these circumstances, it becomes especially important to consider all the consequences and costs. Perhaps that is why more and more companies from different countries increase the share of information security in their IT budgets. In 2017, significantly more companies around the world admitted they were going to invest in cybersecurity regardless of the expected return on investment: 63%, up from 56% in 2016.

Most likely, due to the growing damage from cybersecurity incidents, those organizations that consider IT costs as investments in security and are ready to spend significant funds on them will be better prepared for possible troubles. What is the situation in your company?

How to justify the cost of information security?

Reprinted with the kind permission of OJSC InfoTeKS Internet Trust.

Maturity levels of the company

The Gartner Group identifies 4 levels of company maturity in terms of information security (IS):

  • Level 0:
    • No one in the company is responsible for information security, and the company's management does not realize the importance of information security problems;
    • No funding is available;
    • IS is implemented only with the standard means built into operating systems, DBMS and applications (password protection, differentiation of access to resources and services).
  • Level 1:
    • IS is considered by the management as a purely "technical" problem; there is no single program (concept, policy) for the development of the company's information security management system (ISMS);
    • Funding comes out of the overall IT budget;
    • IS is implemented by the means of level 0 plus backup tools, antivirus tools, firewalls and VPN tools (traditional means of protection).
  • Level 2:
    • IS is considered by the management as a complex of organizational and technical measures; there is an understanding of the importance of IS for production processes, and there is a program for the development of the company's ISMS approved by the management;
    • IS is implemented by the means of level 1 plus enhanced authentication, analysis of mail messages and web content, IDS (intrusion detection systems), security analysis tools, SSO (single sign-on), PKI (public key infrastructure) and organizational measures (internal and external audit, risk analysis, information security policy, regulations, procedures, rules and guidelines).
  • Level 3:
    • IS is part of the corporate culture, and a CISO (senior information security officer) has been appointed;
    • Funding is provided under a separate budget;
    • IS is implemented by the means of level 2 plus IS management systems, a CSIRT (IS incident response team) and SLAs (service level agreements).

According to the Gartner Group (data for 2001), the distribution of companies across the four levels described is as follows:
Level 0 - 30%,
Level 1 - 55%,
Level 2 - 10%,
Level 3 - 5%.

The Gartner Group's forecast for 2005 is as follows:
Level 0 - 20%,
Level 1 - 35%,
Level 2 - 30%,
Level 3 - 15%.

Statistics show that the majority of companies (55%) have currently implemented only the minimum required set of traditional technical means of protection (level 1).

When implementing various technologies and means of protection, questions often arise. What to implement first, intrusion detection system or PKI infrastructure? What will be more effective? Stephen Ross, director of Deloitte & Touche, proposes the following approach for assessing the effectiveness of individual security measures and means.

Based on the above graph, it can be seen that the most expensive and least effective are specialized tools (own or custom developments).

The most expensive, but at the same time the most effective, are protection means of the 4th category (levels 2 and 3 according to the Gartner Group). To implement this category of means, it is necessary to use a risk analysis procedure. Risk analysis in this case makes it possible to guarantee that the implementation costs are adequate to the existing threats of IS breach.

The cheapest, but with a high level of efficiency, are organizational measures (internal and external audit, risk analysis, information security policy, business continuity plan, regulations, procedures, regulations and guidelines).

The introduction of additional means of protection (transition to levels 2 and 3) requires significant financial investments and, accordingly, justification. The absence of a unified program for the development of the ISMS, approved and signed by the management, exacerbates the problem of justifying investments in security.

Risk analysis

The results of risk analysis and statistics accumulated on incidents can serve as such a justification. Mechanisms for implementing risk analysis and accumulating statistics should be spelled out in the company's information security policy.

The risk analysis process consists of 6 sequential steps:

1. Identification and classification of objects of protection (company resources to be protected);

2. Categorization of the objects of protection;

3. Building a model of the attacker;

4. Identification, classification and analysis of threats and vulnerabilities;

5. Risk assessment;

6. The choice of organizational measures and technical means of protection.

At the identification and classification stage, it is necessary to conduct an inventory of the company's resources in the following areas:

  • Information resources (confidential and critical information of the company);
  • Software resources (OS, DBMS, critical applications such as ERP);
  • Physical resources (servers, workstations, network and telecommunication equipment);
  • Service resources (e-mail, www, etc.).

Categorization consists in determining the level of confidentiality and criticality of the resource. Confidentiality refers to the level of secrecy of the information stored, processed and transmitted by the resource. Criticality is understood as the degree of influence of the resource on the efficiency of the company's production processes (for example, if telecommunication resources are down, a provider company may go bankrupt). By assigning qualitative values to the confidentiality and criticality parameters, you can determine the level of importance of each resource in terms of its participation in the company's production processes.

To determine the importance of the company's resources in terms of information security, a table of the following form can be used:

For example, files with information about the salary levels of company employees have the value "strictly confidential" (confidentiality parameter) and the value "negligible" (criticality parameter). Substituting these values into the table gives an integral indicator of the significance of this resource. Different variants of categorization methods are given in the international standard ISO TR 13335.

Building an attacker model is the process of classifying potential violators by the following parameters:

  • Attacker type (competitor, client, developer, company employee, etc.);
  • The position of the attacker in relation to the objects of protection (internal, external);
  • The level of knowledge about the objects of protection and the environment (high, medium, low);
  • The level of opportunities for access to protected objects (maximum, average, minimum);
  • Time of action (constantly, at certain time intervals);
  • Location (the intended location of the attacker during the attack).

By assigning qualitative values to the listed parameters of the attacker model, it is possible to determine the attacker's potential (an integral characteristic of the attacker's capabilities to implement threats).

Identification, classification and analysis of threats and vulnerabilities allow you to determine the ways to implement attacks on protected objects. Vulnerabilities are properties of a resource or its environment that are used by an attacker to implement threats. The list of vulnerabilities of software resources can be found on the Internet.

Threats are classified according to the following criteria:

  • name of the threat;
  • attacker type;
  • means of implementation;
  • exploited vulnerabilities;
  • actions performed;
  • frequency of implementation.

The main parameter is the frequency of implementation of the threat. It depends on the values of the parameters "attacker potential" and "resource security". The value of the "resource security" parameter is determined by expert assessment. When determining this value, subjective parameters of the attacker are also taken into account: motivation to implement the threat, and statistics on attempts to implement threats of this type (if any). The result of the threat and vulnerability analysis stage is an assessment of the "frequency of implementation" parameter for each of the threats.

At the risk assessment stage, the potential damage from threats of information security breach is determined for each resource or group of resources.

The qualitative indicator of damage depends on two parameters:

  • The significance of the resource;
  • The frequency of the threat to this resource.

Based on the received damage assessments, adequate organizational measures and technical means of protection are reasonably selected.

Accumulation of incident statistics

The only weak point in the proposed methodology for assessing risk and, accordingly, justifying the need to introduce new or change existing protection technologies is the determination of the "frequency of threat realization" parameter. The only way to obtain objective values for this parameter is to accumulate statistics on incidents. Statistics accumulated, for example, over a year will make it possible to determine the number of threats (of a certain type) per resource (of a certain type). It is advisable to accumulate statistics within the framework of the incident handling procedure.
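The following Python sketch is an added illustration of the six-step procedure above, from resource categorization through damage assessment and the refinement of the "frequency" parameter with incident statistics; it is not code from the article or from InfoTeKS. The significance, frequency and damage lookup tables, the attacker scoring, the incident-count thresholds and the sample resources, attackers and incident records are all constructed assumptions, since the article names the qualitative parameters but gives no concrete tables.

```python
"""Qualitative risk assessment following the six-step procedure described
above: categorize resources, build an attacker model, estimate threat
frequency, assess damage, and refine frequency with incident statistics.

Added example, not the article's or InfoTeKS's own code. Lookup tables,
scales, thresholds and sample data are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "critical"]
CONFIDENTIALITY = ["public", "internal", "confidential", "strictly confidential"]
CRITICALITY = ["negligible", "low", "medium", "high"]
SECURITY = ["low", "medium", "high"]   # expert assessment of how well a resource is protected

# Step 2: significance = SIGNIFICANCE[confidentiality][criticality] (constructed table).
SIGNIFICANCE = [
    ["low", "low", "medium", "high"],
    ["low", "medium", "medium", "high"],
    ["medium", "medium", "high", "critical"],
    ["high", "high", "critical", "critical"],
]
# Step 4: frequency = FREQUENCY[attacker potential][resource security] (constructed table).
FREQUENCY = [
    ["medium", "low", "low"],
    ["high", "medium", "low"],
    ["critical", "high", "medium"],
    ["critical", "critical", "high"],
]
# Step 5: damage = DAMAGE[resource significance][threat frequency] (constructed table).
DAMAGE = [
    ["low", "low", "medium", "medium"],
    ["low", "medium", "medium", "high"],
    ["medium", "high", "high", "critical"],
    ["high", "critical", "critical", "critical"],
]

@dataclass
class Resource:
    name: str
    confidentiality: str   # one of CONFIDENTIALITY
    criticality: str       # one of CRITICALITY
    security: str          # one of SECURITY

@dataclass
class Attacker:
    kind: str              # competitor, client, developer, employee, ...
    internal: bool         # position relative to the protected objects
    knowledge: str         # low / medium / high
    access: str            # minimum / average / maximum
    constant: bool         # acts constantly rather than at certain intervals

def resource_significance(r: Resource) -> str:
    """Step 2: integral significance from the confidentiality and criticality values."""
    return SIGNIFICANCE[CONFIDENTIALITY.index(r.confidentiality)][CRITICALITY.index(r.criticality)]

def attacker_potential(a: Attacker) -> str:
    """Step 3: integral capability of the attacker; a 0..6 score folded onto four levels."""
    score = (["low", "medium", "high"].index(a.knowledge)
             + ["minimum", "average", "maximum"].index(a.access)
             + int(a.internal) + int(a.constant))
    return LEVELS[min(score // 2, 3)]

def threat_frequency(r: Resource, a: Attacker, threat: str, stats: Counter) -> str:
    """Step 4: expert estimate from attacker potential and resource security, replaced by
    the observed rate whenever incident statistics exist for this threat/resource pair."""
    observed = stats[(threat, r.name)]           # incidents recorded over the year
    if observed:
        # constructed thresholds: incidents per year -> qualitative frequency
        return "critical" if observed > 5 else "high" if observed > 2 else "medium"
    return FREQUENCY[LEVELS.index(attacker_potential(a))][SECURITY.index(r.security)]

def assess_risk(r: Resource, a: Attacker, threat: str, stats: Counter) -> dict:
    """Step 5: qualitative damage from resource significance and threat frequency."""
    sig = resource_significance(r)
    freq = threat_frequency(r, a, threat, stats)
    return {"resource": r.name, "threat": threat, "significance": sig,
            "frequency": freq, "damage": DAMAGE[LEVELS.index(sig)][LEVELS.index(freq)]}

# Constructed inventory (step 1), attacker models (step 3) and one year of incident records.
SALARY_FILES = Resource("salary files", "strictly confidential", "negligible", "medium")
BILLING = Resource("billing server", "confidential", "high", "medium")
INSIDER = Attacker("employee", internal=True, knowledge="high", access="average", constant=True)
OUTSIDER = Attacker("competitor", internal=False, knowledge="low", access="minimum", constant=False)
INCIDENT_LOG = Counter({("malware", "billing server"): 7})   # nothing recorded for salary files

if __name__ == "__main__":
    for res, att, threat in ((SALARY_FILES, INSIDER, "unauthorized reading"),
                             (SALARY_FILES, OUTSIDER, "unauthorized reading"),
                             (BILLING, INSIDER, "malware")):
        print(assess_risk(res, att, threat, INCIDENT_LOG))
```

The same salary files rate "high" damage against the insider but only "medium" against the low-potential outsider, while the billing server's seven recorded malware incidents override the expert frequency estimate entirely.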