Deciding cybersecurity spend: how much is enough?

As technology continues to advance, the threat of cyber-attacks becomes increasingly prevalent. Investing in robust cyber defence measures can help property agents protect their sensitive data and systems — but what proportion of an IT budget should be set aside?


Propertymark’s official insurance broking partner, Gallagher, explores the factors that influence annual cyber defence spending and why it can be crucial to allocate sufficient resources.

Industry risks

The property sector can be particularly prone to cyber-attacks due to the client data stored. There are stringent regulatory requirements, which necessitate higher investments in cybersecurity. Additionally, businesses with a high-risk profile, such as those with a history of cyber incidents, may need to allocate more resources to cyber defence.

Existing IT infrastructure

The size and complexity of a business’s IT infrastructure can also play a significant role in determining cyber defence spend. Larger businesses with extensive networks and multiple locations can require more comprehensive security measures. Investing in advanced security solutions, such as firewalls and intrusion detection systems, can be crucial.

A constantly moving threat landscape

The evolving cyber threat landscape is another critical factor. Cybercriminals are constantly developing new techniques and exploiting vulnerabilities, making it essential to stay ahead of the curve. Investing in threat intelligence services, security assessments, and regular penetration testing helps identify weaknesses and enables proactive defence measures.

Compliance with data protection laws

Compliance with industry-specific regulations and legal requirements also drives cyber defence spend. There are various data protection laws to adhere to, such as the General Data Protection Regulation (GDPR) in the European Union or the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector. Failure to comply with these regulations can result in severe financial penalties and reputational damage. Resources should therefore be allocated to ensure the necessary security standards are met.

Investment in cybersecurity measures is increasing overall

According to the UK Government’s Cyber Security Breaches Survey 2024, many organisations have continued investing the same amount or more in cybersecurity over the last 12 months, despite the challenging economic conditions. The perceived uptick in the number of cyber-attacks and their increasing sophistication are amongst the reasons for this.

The survey shows an upward trend in the deployment of cybersecurity controls, procedures and risk management among organisations in the last 12 months:

  • 83% use up-to-date malware protection (up from 76%)
  • 75% use network firewalls (up from 67%)
  • 17% carry out cybersecurity vulnerability audits (up from 15%)
  • 31% have business continuity plans that cover cybersecurity (up from 27%)
  • 43% are insured against cyber risks in some way (up from 37%)

How should organisations prioritise spending?

While every organisation operates in the same threat landscape, their specific vulnerabilities may differ, largely due to the different influences on spend mentioned above. It is, therefore, important to conduct a thorough risk assessment to identify these vulnerabilities and prioritise cybersecurity investments accordingly.

Once key risks are identified, these will inform the decisions to strengthen cyber defences, including where investment may be required. For example, if gaps are identified in digital armour, sufficient budget should be allocated to cybersecurity measures such as vulnerability scanning and penetration testing.

Similarly, if incident response and recovery capabilities no longer reflect today’s cyber landscape and the potential fallout from an attack or data breach, then much of the investment should be directed towards response planning. This can involve allocating funds for incident response training, incident management systems, and data recovery solutions to minimise downtime and ensure business continuity.

Separating an IT budget and cybersecurity budget

It could be beneficial when developing a cyber defence strategy to secure a separate budget for cybersecurity and cyber risk management. This can protect the budget and help ensure the appropriate investment level in cybersecurity.

Regardless of budget allocation, it should not be seen as a one-time investment or even a once-a-year tick box. It is vital to continuously update defences to stay ahead and treat cyber risk management as an ongoing commitment, requiring year-round consideration and resources.

Cyber risk management

Gallagher offers cyber risk management strategies for every business size and budget, from multinational corporations to SMEs. Recently launched, the Gallagher Cyber Defence Centre service is aimed at SMEs primarily, but Gallagher recognises that every organisation is unique. That’s why they are here to assist with determining which services can be used to help appropriately manage cyber risks.

To find out more about Gallagher’s Cyber Defence offerings, contact the Gallagher Propertymark team on 0800 2884921 or [email protected]

Gallagher: Insurance

Insurance broker offering professional indemnity, office insurance, directors’ and officers’ liability insurance and cyber liability insurance

Propertymark is an Introducer Appointed Representative of Arthur J. Gallagher Insurance Brokers Limited which is authorised and regulated by the Financial Conduct Authority. Registered Office: Spectrum Building, 55 Blythswood Street, Glasgow, G2 7AT. Registered in Scotland. Company Number: SC108909.