The 172 US critical infrastructure organizations surveyed in the study said that they currently spend $5.3 billion on cybersecurity. They estimated that they would have to spend $46.6 billion over the next 12 to 18 months to reach a level of security where they could stop 95% of cyberattacks.
To reach a more attainable level, that is, being able to stop 84% of cyberattacks, the companies estimated that they would have to double spending over the next 12 to 18 months.
The companies estimated that they are currently able to detect between 86% and 89% of cyberattacks, and able to prevent between 67% and 76% of those attacks.
“The consequences of a successful attack against critical infrastructure make these cost increases look like chump change. It would put people into the Dark Ages”, commented Larry Ponemon, chairman of the Ponemon Institute.
Ponemon surveyed IT security managers at 124 companies in six industries and 48 public sector organizations for the report. The six industries were agriculture and food services, communications, energy, financial services, health care, and transportation.
“In order to reach a substantially more secure level, there might be other models that industry will have to pursue”, commented Afzal Bari, financial analyst with Bloomberg Government’s Technology & Telecommunications Group.
“Right now cybersecurity spending is not getting the results that are optimal”, he told Infosecurity.
Bari was asked whether the government would need to step in and make up the funding gap to significantly improve the cybersecurity of critical infrastructure. He said that the report did not take a position on this issue, but he noted that industry expressed concern that customers would not be willing to absorb the increased costs of greater cybersecurity.
At the same time, the respondents said that an increase in spending during the next 12 to 18 months would allow them to cut in half the percentage of false alarms, saving money and improving security by focusing more resources on legitimate attacks.
The companies said they spend the largest share of their cybersecurity budgets on governance and control activities, which include employee security training and awareness, regulatory compliance, and reviewing network access logs.
Annual cybersecurity spending varied among industries, ranging from $16 million per company in the agriculture and food services industry to $67 million per company in the communications industry.