Cost of Cybersecurity & Cybercrime

Businesses and individuals spent $188.1 billion on cybersecurity and risk management in 2023 — and that price tag is expected to climb to $215 by 2024. Cybercrime itself is even more costly: by some estimates, the total economic cost of cybercrime reached $8 trillion in 2023.

In this article, we’ll profile more key statistics on the cost of cybersecurity and cybercrime.

The Cost of Cybersecurity

Company Cybersecurity Cost

In total, companies spent an estimated $168.8 billion on cybersecurity in 2023. By 2024, organizations are expected to spend almost $192.2 billion, a nearly 14% increase.

Spending levels at individual companies do vary depending on the type of organization, including its industry and size.

Cybersecurity Spending by Industry

On average, companies dedicate 9.9% of their IT budgets to security spending. However, an organization’s industry plays a significant role in how much money is dedicated to security measures. Here’s a breakdown of the average percentage of annual IT budgets committed to security based on industry:

  • Technology: 13.3%
  • Healthcare: 13.3%
  • Business Services: 13.2%
  • Consumer Goods and Services: 9.7%
  • Government: 9.6%
  • Financial Services: 9.6%
  • Utilities: 8.0%
  • Transportation: 6.6%
  • Manufacturing: 6.1%
  • Retail: 6.0%
  • Education: 5.9%

A report by Deloitte broke down cybersecurity spending per full-time equivalent (FTE) employee. Here is an overview of the average per FTE spending on security in select industries based on its findings:

  • Financial Utility: $4,375 per FTE
  • Service Provider: $3,226 per FTE
  • Retail: $2,688 per FTE
  • Consumer and Financial Services (Non-Banking): $2,348 per FTE
  • Insurance: $1,984 per FTE

Cybersecurity Spending by Company Size

Generally speaking, enterprise-level companies have larger security budgets than small to mid-sized businesses (SMBs). As a result, the bigger the organization, the more the company can typically dedicate to security spending. However, according to a survey by IANS Research, smaller companies may commit a higher percentage of their IT spending to security.

Here’s a breakdown of the average percentage of IT spending committed to security based on annual company revenue size:

  • $100 Million or Less: 17.2%
  • $101 Million to $500 Million: 10.4%
  • $501 Million to $1 Billion: 10.6%
  • $1.1 Billion to $5 Billion: 8.0%
  • $5.1 Billion to $10 Billion: 8.6%
  • $10.1 Billion to $25 Billion: 9.0%
  • $25+ Billion: 8.4%

The majority of the IANS Research survey respondents qualify as large companies or enterprises. For small-to-medium-sized businesses (SMBs) with far less revenue than the $100 million cutoff, security spending is also typically a more significant portion of the overall IT budget. However, the amount spent may seem relatively small at a glance.

According to a report by Hiscox, companies with 10 to 49 employees spend approximately $225,000 on cybersecurity. For those with fewer than 10 employees, security spending is typically closer to $29,000. Expressed as a share of budget, these SMBs spend about 20% of their total IT budget on security.

Consumer Cybersecurity Cost

On the consumer side, cybersecurity software spending hit $7.9 billion in 2023, and it’s expected to reach $8.4 billion in 2024. Most of that spending goes to antivirus software; these prices typically range from $27 to $150 annually, with higher-cost options usually covering more devices, offering premium features, or both.

The Cost of Cybercrime

According to a report by eSentire, a cybersecurity firm, the cost of cybercrime is expected to hit $10.5 trillion in 2025. That’s a 225% increase over the 2015 amount, which came in at a comparatively small $3 trillion.

The exact cost of cybercrime varies depending on the nature of the incident and the targeted individual or entity. With that in mind, here’s a breakdown of some of the costs of cybercrime.

Cost to Companies

Companies typically pay dearly after a cybersecurity incident. On average, a data breach costs companies $4.45 million per incident. For SMBs specifically, the average cost of a data breach is $3 million per incident, breaking down to an estimated $164 per affected record.

When it comes to ransomware, attackers extorted more than $449 million between January 1 and June 30, 2023. Getting an exact number on the per-company cost isn’t straightforward, as data on the subject can show dramatically different figures. For example, one study on mid-sized organizations by Sophos showed the average demanded ransomware payment was $1.54 million. However, research by Coveware had a Q2 2023 average of $740,144.

Ransom demands do vary depending on the attacking group and the targeted organization. Clop – a Russian ransomware group – is known for higher demands, asking for an average payment size of $1.7 million. After a Hive ransomware attack, MediaMarkt, an electronics retailer, initially faced a payment demand of $240 million.

After a ransomware attack, companies also face a variety of costs beyond the ransom itself. Data breach-related damages can also occur. Similarly, issues like downtime and harm to the company’s reputation can reduce revenues. There’s also the cost of manpower to address the incident, which can vary depending on the nature of the event and what’s required to right the ship.

Cost to Consumers

Based on data submitted to the Federal Bureau of Investigation’s Internet Crime Complaint Center, people cumulatively lost an estimated $10.3 billion to cybercrime in 2022. The highest recorded losses were related to investment scams, which cost victims more than $3.3 billion cumulatively. Based on the 30,529 reported victims, that breaks down to nearly $108,479 per incident.

For personal data breaches, the total cost was calculated at over $742 million, working out to about $12,614 per reported incident based on 58,859 listed victims. Identity theft led to more than $189 million in losses across 27,922 victims, resulting in an average per-incident loss of around $6,776.

Phishing was the most widely reported type of internet crime, with 300,497 victims. With the total loss to phishing calculated at approximately $52 million, it breaks down to about $173 per incident.

It’s critical to note that measuring the cost of cybercrime to everyday consumers is often challenging, primarily because not all incidents are reported. However, the figures above show how expensive cybercrime is to everyday people who fall victim, providing solid insights into how much consumers lose during an incident.

About the Author

Find Catherine on Firewall Times

Catherine Reed

Catherine Reed is a writer and researcher with experience writing about a wide variety of topics including personal finance, technology, and staffing.