Corporate information security costs: statistics. Information Security: A Cost Source or a Strategic Investment? Security costs are on the rise

How to justify the costs of information security?

Reprinted with kind permission of OJSC InfoTeKS Internet Trust.

Maturity levels of the company

The Gartner Group identifies 4 levels of company maturity in terms of information security (IS):

  • Level 0:
    • No one in the company deals with information security; management does not realize the importance of information security problems;
    • No funding is available;
    • IS is implemented by the standard means of operating systems, DBMS and applications (password protection, differentiation of access to resources and services).
  • Level 1:
    • IS is considered by management as a purely "technical" problem; there is no single program (concept, policy) for the development of the company's information security system (ISS);
    • Funding is within the overall IT budget;
    • IS is implemented by the level 0 means plus backup tools, antivirus tools, firewalls and VPN tools (traditional protection tools).
  • Level 2:
    • IS is considered by management as a complex of organizational and technical measures; there is an understanding of the importance of IS for production processes; there is a program for the development of the company's ISS approved by management;
    • IS is implemented by the level 1 means plus enhanced authentication, analysis of mail messages and web content, IDS (intrusion detection systems), security analysis tools, SSO (single sign-on), PKI (public key infrastructure) and organizational measures (internal and external audit, risk analysis, information security policy, regulations, procedures, rules and manuals).
  • Level 3:
    • IS is part of the corporate culture; a CISO (chief information security officer) is appointed;
    • Funding is provided under a separate budget;
    • IS is implemented by the level 2 means plus IS management systems, a CSIRT (IS incident response team) and SLAs (service level agreements).

According to the Gartner Group (data for 2001), the distribution of companies across the 4 levels is as follows:
  • Level 0 - 30%;
  • Level 1 - 55%;
  • Level 2 - 10%;
  • Level 3 - 5%.

The Gartner Group's outlook for 2005 is as follows:
  • Level 0 - 20%;
  • Level 1 - 35%;
  • Level 2 - 30%;
  • Level 3 - 15%.

Statistics show that the majority of companies (55%) have now implemented the minimum required set of traditional technical means of protection (level 1).

When implementing various technologies and protection tools, questions often arise: what should be implemented first, an intrusion detection system or a PKI infrastructure? Which will be more effective? Stephen Ross, director of Deloitte & Touche, proposes the following approach for assessing the effectiveness of individual security measures and tools.

Based on the above graph, it can be seen that the most expensive and least effective are specialized tools (in-house or custom developments).

Expensive, but at the same time the most effective, are the protection tools of the 4th category (levels 2 and 3 according to the Gartner Group). To implement this category of tools, a risk analysis procedure must be used. Risk analysis in this case makes it possible to ensure that the implementation costs are adequate to the existing threats of IS breach.

The cheapest, yet highly effective, are organizational measures (internal and external audit, risk analysis, information security policy, business continuity plan, regulations, procedures, rules and guidelines).

The introduction of additional protection tools (transition to levels 2 and 3) requires significant financial investment and, accordingly, justification. The absence of a unified program for the development of the ISMS, approved and signed by management, exacerbates the problem of justifying investments in security.

Risk analysis

The results of risk analysis and statistics accumulated on incidents can serve as such justification. Mechanisms for implementing risk analysis and accumulating statistics should be spelled out in the company's information security policy.

The risk analysis process consists of 6 sequential steps:

1. Identification and classification of objects of protection (company resources to be protected);

3. Building a model of the attacker;

4. Identification, classification and analysis of threats and vulnerabilities;

5. Risk assessment;

6. The choice of organizational measures and technical means of protection.

At the identification and classification stage, an inventory of the company's resources must be taken in the following areas:

  • Information resources (confidential and critical information of the company);
  • Software resources (OS, DBMS, critical applications, such as ERP);
  • Physical resources (servers, workstations, network and telecommunication equipment);
  • Service resources (email, www, etc.).

Categorization consists in determining the level of confidentiality and criticality of a resource. Confidentiality refers to the level of secrecy of the information that is stored, processed and transmitted by the resource. Criticality is understood as the degree of influence of the resource on the efficiency of the company's production processes (for example, a downtime of telecommunication resources may bankrupt a provider company). By assigning qualitative values to the confidentiality and criticality parameters, you can determine the level of importance of each resource in terms of its participation in the company's production processes.

To determine the significance of the company's resources from the point of view of information security, the following table can be obtained:

For example, files with information about the salary levels of company employees have the value "strictly confidential" (confidentiality parameter) and the value "negligible" (criticality parameter). Substituting these values into the table gives an integral indicator of the significance of this resource. Different variants of categorization methods are given in the international standard ISO TR 13335.

Building an attacker model is the process of classifying potential violators according to the following parameters:

  • Attacker type (competitor, client, developer, company employee, etc.);
  • The position of the attacker in relation to the objects of protection (internal, external);
  • The level of knowledge about the objects of protection and the environment (high, medium, low);
  • The level of opportunities for access to protected objects (maximum, average, minimum);
  • Time of action (constantly, at certain time intervals);
  • Location (assumed location of the attacker during the attack).

By assigning qualitative values to the listed parameters of the attacker model, it is possible to determine the attacker's potential (an integral characteristic of the attacker's capability to implement threats).

Identification, classification and analysis of threats and vulnerabilities make it possible to determine the ways in which attacks on protected objects can be carried out. Vulnerabilities are properties of a resource or its environment that an attacker uses to implement threats. Lists of vulnerabilities of software resources can be found in public vulnerability databases on the Internet.

Threats are classified according to the following criteria:

  • name of the threat;
  • attacker type;
  • means of implementation;
  • exploited vulnerabilities;
  • actions performed;
  • frequency of implementation.

The main parameter is the frequency of implementation of the threat. It depends on the values of the "attacker potential" and "resource security" parameters. The value of the "resource security" parameter is determined by expert assessment. When determining this value, the subjective parameters of the attacker are taken into account: motivation for implementing the threat and statistics of attempts to implement threats of this type (if any). The result of the threat and vulnerability analysis stage is an assessment of the "frequency of implementation" parameter for each threat.

At the risk assessment stage, the potential damage from information security breaches is determined for each resource or group of resources.

The qualitative indicator of damage depends on two parameters:

  • The significance of the resource;
  • The frequency of the threat to this resource.

Based on the obtained damage assessments, adequate organizational measures and technical means of protection are reasonably selected.

Accumulation of incident statistics

The one weak point of the proposed risk assessment methodology, and hence of the justification for introducing new or changing existing protection technologies, is the determination of the "frequency of threat realization" parameter. The only way to obtain objective values for this parameter is to accumulate incident statistics. Statistics accumulated over, say, a year make it possible to determine the number of threats (of a certain type) per resource (of a certain type). It is advisable to accumulate these statistics within the framework of the incident handling procedure.
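The procedure described above, from categorizing resources through accumulating incident statistics to ranking damage, as an added Python example (not code from the original article or from InfoTeKS). The significance table, frequency thresholds, damage rule, resource inventory and incident log are constructed assumptions, since the article's own categorization table is not reproduced here:

```python
"""Qualitative risk assessment: resource significance, threat frequency from
incident statistics, and a damage ranking used to justify protection spending.
Added example; all scales, tables, the inventory and the incident log below are
constructed for illustration, not taken from the article or any real data set."""
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

# Ordered qualitative scales; list index is the rank (low -> high). Constructed.
CRITICALITY = ["negligible", "low", "medium", "high"]
FREQUENCY = ["rare", "low", "medium", "high"]
LEVEL = ["low", "medium", "high", "critical"]  # used for both significance and damage

# Significance table: row = confidentiality, column = criticality rank.
# Constructed stand-in for the categorization table the article refers to.
SIGNIFICANCE_TABLE: Dict[str, List[str]] = {
    "public":                ["low",    "low",    "medium",   "high"],
    "internal":              ["low",    "medium", "medium",   "high"],
    "confidential":          ["medium", "medium", "high",     "critical"],
    "strictly confidential": ["high",   "high",   "critical", "critical"],
}

# Incidents per (resource, threat) per year -> frequency band. Constructed thresholds.
FREQUENCY_BANDS: List[Tuple[int, str]] = [(10, "high"), (3, "medium"), (1, "low")]

# Step 1: inventory with (confidentiality, criticality) per resource. Constructed.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "payroll_files":  ("strictly confidential", "negligible"),  # the article's own example
    "billing_db":     ("confidential", "high"),
    "mail_server":    ("internal", "high"),
    "public_website": ("public", "medium"),
}

# Step 4: threat register (resource, threat). The last entry has no recorded
# incidents and comes from the expert threat list, so it must still be rated.
THREAT_REGISTER: List[Tuple[str, str]] = [
    ("mail_server", "phishing"),
    ("billing_db", "sql injection attempt"),
    ("public_website", "defacement attempt"),
    ("payroll_files", "unauthorized access"),
    ("payroll_files", "insider leak"),
]

# Accumulated incident statistics (constructed). The 2022 record falls outside
# the reporting year and must be ignored when counting.
INCIDENT_LOG: List[dict] = (
    [{"date": f"2023-{m:02d}-10", "resource": "mail_server", "threat": "phishing"} for m in range(1, 13)]
    + [{"date": d, "resource": "billing_db", "threat": "sql injection attempt"}
       for d in ("2023-02-01", "2023-05-14", "2023-08-30", "2023-11-11")]
    + [{"date": d, "resource": "public_website", "threat": "defacement attempt"}
       for d in ("2023-04-03", "2023-09-21")]
    + [{"date": "2023-06-06", "resource": "payroll_files", "threat": "unauthorized access"},
       {"date": "2022-12-30", "resource": "payroll_files", "threat": "unauthorized access"}]
)

def resource_significance(confidentiality: str, criticality: str) -> str:
    """Categorization step: integral significance of a resource from the table."""
    return SIGNIFICANCE_TABLE[confidentiality][CRITICALITY.index(criticality)]

def incident_counts(log: List[dict], year: int) -> Counter:
    """Count incidents per (resource, threat) within one reporting year only."""
    return Counter((r["resource"], r["threat"]) for r in log
                   if date.fromisoformat(r["date"]).year == year)

def threat_frequency(count: int) -> str:
    """Map an annual incident count to a qualitative frequency band."""
    for threshold, band in FREQUENCY_BANDS:
        if count >= threshold:
            return band
    return "rare"  # no incidents observed; an expert estimate would refine this

def damage(significance: str, frequency: str) -> str:
    """Risk assessment step: damage from significance and frequency.
    Constructed rule: sum the two ranks (0..6) and band the result."""
    total = LEVEL.index(significance) + FREQUENCY.index(frequency)
    return ("low", "low", "medium", "medium", "high", "critical", "critical")[total]

def assess(inventory, threats, log, year) -> List[Tuple[str, str, str, str, str]]:
    """Return (resource, threat, significance, frequency, damage) rows,
    highest damage first, as the basis for choosing protection measures."""
    counts = incident_counts(log, year)
    rows = []
    for resource, threat in threats:
        sig = resource_significance(*inventory[resource])
        freq = threat_frequency(counts[(resource, threat)])
        rows.append((resource, threat, sig, freq, damage(sig, freq)))
    rows.sort(key=lambda r: (LEVEL.index(r[4]), FREQUENCY.index(r[3])), reverse=True)
    return rows

if __name__ == "__main__":
    for row in assess(INVENTORY, THREAT_REGISTER, INCIDENT_LOG, 2023):
        print("{:15s} {:22s} significance={:8s} frequency={:6s} damage={}".format(*row))
```

The register entry with no recorded incidents is deliberately kept in the ranking: as the text notes, the frequency parameter is the weak point of the method, and a threat that has not yet been observed still needs an expert frequency estimate rather than silently dropping out. Records dated outside the reporting year are excluded, which is the kind of rule the incident handling procedure should fix in writing so that the yearly counts are comparable.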

Investors put money into a variety of computer security technologies, from platforms that pay bounties for discovering software vulnerabilities to diagnostics and automated program testing. Most of all, however, they are attracted by authentication and identity management technologies: about $ 900 million was invested in startups working on these technologies by the end of 2019.

Investment in cybersecurity education startups reached $ 418 million in 2019, driven largely by KnowBe4, which raised $ 300 million. The startup offers a phishing simulation platform and a range of training programs.

In 2019, about $ 412 million were received by companies involved in the security of the Internet of Things. SentinelOne is the leader in this category in terms of investment volume, which in 2019 received $ 120 million for the development of endpoint protection technologies.

At the same time, Metacurity analysts provide other data characterizing the situation in the venture capital market in the information security sector. In 2019, the volume of investments here reached $ 6.57 billion, having increased from $ 3.88 billion in 2018. The number of transactions also increased - from 133 to 219. At the same time, the average volume of investments per transaction remained practically unchanged and amounted to 29.2 million at the end of 2019, according to Metacurity.

2018

Growth by 9% to $ 37 billion - Canalys

In 2018, the sales of equipment, software and services intended for information security (IS) reached $ 37 billion, an increase of 9% compared to a year ago ($ 34 billion). Such data were released on March 28, 2019 by Canalys analysts.

While many companies prioritize protecting their assets, data, endpoints, networks, employees and customers, they said, cybersecurity accounted for only 2% of total IT spending in 2018. However, more and more new threats appear, they become more complex and more frequent, which provides information security solutions manufacturers with new opportunities for growth. Total cybersecurity spending is expected to exceed $ 42 billion in 2020.

Canalys analyst Matthew Ball believes that the transition to new models of information security implementation will accelerate. Customers are changing the nature of their IT budgets with public cloud services and flexible subscription-based services.

About 82% of information security systems deployment projects in 2018 were associated with the use of traditional hardware and software. In the remaining 18% of cases, virtualization, public clouds and information security services were used.

By 2020, the share of traditional models of deploying information security systems will drop to 70%, as new solutions are gaining popularity on the market.

Suppliers will need to create a wide range of business models to support this transition, as different products suit different types of deployment. The main challenge for many today is to make the new models more focused on partner channels and to integrate them with existing partner programs, especially for customer transactions through cloud platforms. Some cloud marketplaces have already reacted to this, allowing partners to offer customized offers and prices directly to customers and to track deal registrations and discounts, Matthew Ball said in a post dated March 29, 2019.

According to Canalys analyst Ketaki Borade, leading cyber defense technology vendors have introduced new distribution models that involve companies moving to a subscription scheme and increasing operations in the cloud infrastructure.


“The cybersecurity market remained highly dynamic, with record transaction and volume activity in response to growing regulatory and technical requirements and the continued pervasive risk of data breaches,” says Eric McAlpine, co-founder and managing partner of Momentum Cyber. “We believe this momentum will continue to push the sector into new territory as it strives to counter emerging threats and consolidates in the face of supplier fatigue and growing skill shortages.”

2017

Cybersecurity expenses exceeded $ 100 billion

In 2017, global spending on information security (IS) - products and services - reached $ 101.5 billion, research company Gartner said in mid-August 2018. At the end of 2017, experts estimated this market at $ 89.13 billion. What is the reason for the significant increase in the assessment is not reported.

“CIOs are committed to helping their organizations securely leverage technology platforms to become more competitive and drive business growth,” said Siddharth Deshpande, research director at Gartner. “The continuing talent shortage and regulatory changes such as the General Data Protection Regulation (GDPR) in Europe are driving the continued growth of the cybersecurity market.”

Experts believe that one of the key factors driving higher costs of information protection is the introduction of new methods of detecting and responding to threats - they became the highest priority for the security of organizations in 2018.

According to Gartner estimates, in 2017, organizations' spending on cyber defense services globally exceeded $ 52.3 billion, and in 2018 these costs will rise to $ 58.9 billion.

In 2017, companies spent $ 2.4 billion on application protection, $ 2.6 billion on data protection, and $ 185 million on cloud security services.

Annual sales of identity and access management (IAM) solutions amounted to $ 8.8 billion. Spending on IT infrastructure protection tools increased to $ 12.6 billion.

The study also reported $ 10.9 billion spent on network security equipment, and vendors earned $ 3.9 billion from information security risk management systems.

Consumer cybersecurity spending for 2017 was estimated by analysts at $ 5.9 billion, according to a Gartner study.

Gartner estimated the market size at $ 89.13 billion

In December 2017, it became known that companies' global spending on information security (IS) in 2017 would amount to $ 89.13 billion. According to Gartner, corporate spending on cybersecurity will exceed the 2016 figure of $ 82.2 billion by almost $ 7 billion.

Experts consider cybersecurity services to be the largest expense item: in 2017, companies will allocate over $ 53 billion for these purposes against $ 48.8 billion in 2016. The second largest segment of the information security market is infrastructure protection solutions, spending on which will amount to $ 16.2 billion in 2017 instead of $ 15.2 billion a year earlier. Network security equipment is in third place ($ 10.93 billion).

The structure of information security costs also includes consumer software for information security and an identity and access management system (Identity and Access Management, IAM). Costs in these areas in 2017 at Gartner are estimated at $ 4.64 billion and $ 4.3 billion, while in 2016 the figures were at $ 4.57 billion and $ 3.9 billion, respectively.

Analysts expect a further rise in the information security market: in 2018, organizations will increase spending on cyber defense by another 8% and allocate a total of $ 96.3 billion for these purposes. Among the growth factors, experts listed the changing regulation in the information security sector, awareness of new threats and the pivot of companies towards a digital business strategy.

In general, the cost of cybersecurity is largely due to the reaction of companies to cybersecurity incidents, because the number of high-profile cyberattacks and information leaks from which organizations are suffering is growing around the world, says Ruggero Contu, research director at Gartner.

The analyst's words are also confirmed by the data obtained by Gartner in 2016 in a survey of 512 organizations from eight countries of the world: Australia, Canada, France, Germany, India, Singapore and the United States.

53% of respondents named cybersecurity risks as the main driving force behind the rise in cybersecurity spending. Of these, the highest percentage of those surveyed said that cyberattack threats are the most influential in making decisions about information security spending.

Gartner's outlook for 2018 foresees an increase in spending across all major areas. Thus, about $ 57.7 billion (+ $ 4.65 billion) will be spent on cyber protection services, about $ 17.5 billion (+ $ 1.25 billion) on infrastructure security, and $ 11.67 billion on network protection equipment (+ $ 735 million), consumer software - $ 4.74 billion (+ $ 109 million) and IAM systems - $ 4.69 billion (+ $ 416 million).

Analysts also believe that by 2020, more than 60% of organizations in the world will invest simultaneously in several data protection tools, including information loss prevention, encryption and auditing. As of the end of 2017, the share of companies purchasing such solutions was estimated at 35%.

Another significant item of corporate spending on information security will be the involvement of third-party specialists. It is expected that against the background of a shortage of personnel in the field of cybersecurity, the growing technical complexity of information security systems and an increase in cyber threats, companies' costs for information security outsourcing in 2018 will increase by 11% and amount to $ 18.5 billion.

According to Gartner's calculations, by 2019, corporate spending on the services of third-party information security experts will account for 75% of the total cost of software and equipment to ensure cybersecurity, while in 2016 this ratio was at the level of 63%.

IDC predicts $ 82 billion market size

Two-thirds of the spending will fall on large and very large businesses. By 2019, according to IDC analysts, the spending of corporations with more than 1,000 employees will surpass the $ 50 billion mark.

2016: Market size is $ 73.7 billion, growth is 2 times more than the IT market

In October 2016, the analytical company IDC presented a summary of its research on the global information security market. Its growth is expected to be twice that of the IT market.

IDC estimates that global sales of equipment, software and services for cyber defense will reach about $ 73.7 billion in 2016, and in 2020 the figure will exceed $ 100 billion, amounting to $ 101.6 billion. In the period from 2016 to 2020, the information security technology market will grow at an average rate of 8.3% annually, which is double the expected growth rate of the IT industry.


The largest cybersecurity expenses ($ 8.6 billion) at the end of 2016 are expected in banks. The second, third and fourth places in terms of such investments will be occupied by discrete manufacturing enterprises, government agencies and continuous production enterprises, respectively, which will account for about 37% of expenses.

Leadership in the dynamics of increasing cybersecurity investments is given by analysts to healthcare (in 2016-2020, an average annual growth of 10.3% is expected). The costs of cyber defense in the telecom, housing sector, government agencies and the investment and securities market will rise by about 9% per year.

Researchers call the largest cybersecurity market the American one, whose volume in 2016 will reach $ 31.5 billion. The top three will also include Western Europe and the Asia-Pacific region (excluding Japan). There is no information on the Russian market in the short version of the IDC survey.

Dmitry Gvozdev, General Director of the Russian company Monitor Security, predicts an increase in the share of services in total Russian security costs from 30-35% to 40-45%, and also predicts the development of the client structure of the market - from the total domination of the state, financial and energy sectors towards medium-sized enterprises from a wider range of industries.

One of the trends should be the growth of the share of domestic software products in connection with import substitution and the foreign policy situation. However, to what extent this will be reflected in financial indicators will largely depend on the ruble exchange rate and the pricing policy of foreign vendors, who still occupy at least half of the domestic market of software solutions and up to two-thirds in the equipment segment. The final annual financial result of the Russian IS solutions market as a whole may be tied to external economic factors, Gvozdev said in a conversation with TAdviser.

2015

Infographic (market size, federal spending, cybercrime, cost per breach, financial services, international, security analytics): the figures are not reproduced in this text.

2013: The EMEA market grew to $ 2.5 billion.

The size of the market for security products in the EMEA region (Europe, the Middle East and Africa) grew by 2.4% compared to 2012 and amounted to $ 2.5 billion. Analysts singled out multifunctional hardware and software complexes for protecting computer networks, UTM (Unified Threat Management) solutions. At the same time, IDC predicted that the market for technical information security tools would reach $ 4.2 billion in value terms by 2018, with average annual growth of 5.4%.

At the end of 2013, Check Point took the leading position among suppliers in terms of revenue from sales of information security technology in the EMEA region. According to IDC, the vendor's revenue in this segment for 2013 increased by 3.8% and amounted to $ 374.64 million, which corresponds to a market share of 19.3%.

2012: PAC forecast: The information security market will grow by 8% per year

The global information security market will grow by 8% annually until 2016, when it can reach 36 billion euros, the study said.

There are two main approaches to justifying the cost of information security.

Scientific approach. This requires involving the company's management (or its owner) in assessing the value of information resources and in estimating the potential damage from information protection breaches.

1. If the cost of information is low, there are no significant threats to the company's information assets, and the potential damage is minimal, ensuring information security requires less funding.

2. If the information has a certain value, and the threats and potential damage are significant and identified, then the question of budgeting the costs of the information security subsystem arises. In this case, it is necessary to build a corporate information protection system.

The practical approach consists in determining the realistic cost of a corporate information security system from similar systems in other areas. Practitioners in the field of information security believe that the cost of an information security system should be approximately 10-20% of the cost of the corporate information system, depending on the specific requirements for the information security regime.

Generally accepted "best practice" requirements for ensuring the information security regime (based on practical experience), formalized in a number of standards such as ISO 17799, are applied in practice when developing specific methods for assessing the effectiveness of an information security system.

Applying modern methods of assessing information security costs allows you to calculate the entire expenditure side of the organization's information assets, including direct and indirect costs of hardware and software, organizational measures, training and professional development of employees, reorganization, business restructuring, etc.

They are necessary to prove the cost-effectiveness of existing corporate security systems and allow information security managers to justify the information security budget, as well as to demonstrate the effectiveness of the employees of the corresponding service. The cost estimation methods used by foreign companies allow you to:

  • Obtain adequate information about the security level of a distributed computing environment and the total cost of ownership of a corporate information security system;
  • Compare the information security divisions of an organization both with each other and with similar divisions of other organizations in the industry;
  • Optimize your organization's information security investments.


One of the best-known cost estimation techniques for an information security system is the Gartner Group's total cost of ownership (TCO). The TCO indicator is the sum of the direct and indirect costs of organizing (reorganizing), operating and maintaining the corporate information security system during the year. It is used at practically all major stages of the life cycle of a corporate information security system and makes it possible to objectively and independently substantiate the economic feasibility of introducing and using specific organizational and technical measures and information security tools. For an objective decision, it is also necessary to take into account the state of the enterprise's external and internal environment, for example, indicators of its technological, personnel and financial development.

Comparison of a certain TCO indicator with similar TCO indicators in the industry (with similar companies) makes it possible to objectively and independently substantiate the organization's information security costs. Indeed, it often turns out to be quite difficult or even almost impossible to assess the direct economic effect of these costs.

The total cost of ownership of an information security system generally consists of the cost of:

  • Design work;
  • Procurement and configuration of software and hardware protection tools, including the following main groups: firewalls, cryptographic tools, antiviruses and AAA (authentication, authorization and administration tools);
  • Ensuring physical security;
  • Personnel training;
  • System management and support (security administration);
  • Information security audit;
  • Periodic modernization of the information security system.

However, direct costs include both capital components of costs (associated with fixed assets or "property") and labor, which are accounted for in the categories of operations and administration. This also includes the cost of services for remote users, etc., associated with supporting the activities of the organization.

In turn, indirect costs reflect the impact of the corporate information system and information security subsystem on the organization's employees through such measurable indicators as downtime and "freezing" of the corporate information security system and the information system as a whole, and the cost of operations and support (not related to direct costs). Very often, indirect costs play a significant role, since they are usually not initially reflected in the information security budget but are identified later in a cost analysis.

The organization's TCO indicators are calculated in the following areas:

  • Components of the corporate information system (including the information security system) and the organization's information activities (servers, client computers, peripherals, network devices);
  • Expenses for hardware and software information protection: consumables and depreciation costs for servers, client computers (desktop and mobile), peripherals and network components;
  • Information security organization costs: maintenance of the information security system, standard protection tools for peripheral devices, servers and network devices, planning and management of information security processes, development of a security concept and policy, and others;
  • Information systems management costs: direct personnel costs, cost of work and outsourcing performed by the organization as a whole or by the service for technical support and operations to maintain the infrastructure for users;
  • Administrative expenses: direct personnel costs, maintenance of activities and the costs of internal/external suppliers (vendors) to support operations, including management, financing, acquisition and training for information systems;
  • End user operation costs: costs of self-support by end users, formal training for end users, irregular (unofficial) training, independent application development and local file system support;
  • Downtime costs: annual loss of end-user productivity from planned and unplanned outages of network resources, including client computers, shared servers, printers, application programs, communications resources and communications software.

Purpose of the study: to analyze and determine the main trends in the Russian information security market.
The study uses Rosstat data (statistical reporting forms No. 3-Inform, P-3, P-4), financial statements of enterprises, etc.

Use of information and communication technologies and information security tools by organizations

  • This section was prepared from aggregated data on organizations, including their geographically separate divisions and representative offices (Form 3-Inform, "Information on the use of information and communication technologies and the production of computers, software and services in these areas").

The period 2012-2016 has been analyzed. The data do not claim to be complete (since they are collected for a limited number of enterprises), but, in our opinion, can be used to assess trends. The number of responding enterprises for the period under review ranged from 200 to 210 thousand. That is, the sample is fairly stable and includes the most likely consumers (large and medium-sized enterprises), which account for the bulk of sales.

Availability of personal computers in organizations

According to statistical reporting form 3-Inform, in 2016 the Russian organizations that submitted this form had about 12.4 million personal computers (PCs). A PC here means a desktop or laptop computer; the term does not include mobile phones and pocket computers.

Over the past 5 years, the number of PC units in organizations, in Russia as a whole, has grown by 14.9%. The most equipped federal district is the Central Federal District, it accounts for 30.2% of PCs in companies. The undisputed leader in this indicator is the city of Moscow; according to data for 2016, Moscow companies have about 1.8 million PCs. The lowest value of the indicator was noted in the North Caucasus Federal District, in the organizations of the district there are only about 300 thousand PC units, the smallest number in the Republic of Ingushetia - 5.45 thousand units.

Fig. 1. Number of personal computers in organizations, Russia, mln.

Information and communication technology spending by organizations

In the period 2014-2015, due to the unfavorable economic environment, Russian companies were forced to minimize their costs, including the costs of information and communication technologies. In 2014, ICT costs fell by 5.7%, but by the end of 2015 there was already a slight positive trend. In 2016, the ICT costs of Russian companies amounted to 1.25 trillion rubles, exceeding the pre-crisis 2013 figure by 0.3%.

The main part of the costs falls on companies located in Moscow: over 590 billion rubles, or 47.2% of the total. The largest volumes of organizations' ICT expenses in 2016 were recorded in the Moscow region (76.6 billion rubles), St. Petersburg (74.4 billion rubles), the Tyumen region (56.0 billion rubles), the Republic of Tatarstan (24.7 billion rubles) and the Nizhny Novgorod region (21.4 billion rubles). The lowest expenditures were recorded in the Republic of Ingushetia: 220.3 million rubles.

Fig. 2. The volume of companies' expenditures on information and communication technologies, Russia, billion rubles.

Use of information protection means by organizations

Recently, one can note a significant increase in the number of companies using information protection tools. The annual growth rate of their number is quite stable (with the exception of 2014) and amounts to about 11-19% per year.

According to official Rosstat data, the most demanded means of protection at present are technical means of user authentication (tokens, USB keys, smart cards). Of more than 157 thousand companies, 127 thousand (81%) indicated the use of these particular means for information protection.

Fig. 3. Distribution of organizations by the use of information security tools, 2016, Russia, %.

According to official statistics, in 2016, 161,421 companies used the global Internet for commercial purposes. Among organizations that use the Internet for commercial purposes and indicated the use of information security tools, the electronic digital signature is the most popular: more than 146 thousand companies, or 91% of the total, named it as a means of protection. By information security tool used, the companies were distributed as follows:

    • Means of electronic digital signature - 146,887 companies;
    • Regularly updated antivirus software - 143,095 companies;
    • Software or hardware preventing unauthorized access by malware from global information networks or local computer networks (firewall) - 101,373 companies;
    • Spam filter - 86,292 companies;
    • Encryption tools - 86,074 companies;
    • Computer or network intrusion detection systems - 66,745 companies;
    • Software tools for automating the analysis and control of computer system security - 54,409 companies.

Fig. 4. Distribution of companies using the Internet for commercial purposes, by means of protecting information transmitted over global networks, 2016, Russia, %.

In the period 2012-2016, the number of companies using the Internet for commercial purposes increased by 34.9%. In 2016, 155,028 companies used the Internet to communicate with suppliers and 110,421 companies to communicate with consumers. Among the companies using the Internet to communicate with suppliers, the stated purposes of use were:

  • obtaining information about the necessary goods (works, services) and their suppliers - 138,224 companies;
  • providing information about the organization's needs for goods (works, services) - 103,977 companies;
  • placing orders for goods (works, services) needed by the organization (excluding orders sent by e-mail) - 95,207 companies;
  • payment for the supplied goods (works, services) - 89,279 companies;
  • receipt of electronic products - 62,940 companies.

Among the companies using the Internet to communicate with consumers, the stated purposes of use were:

  • provision of information about the organization, its goods (works, services) - 101,059 companies;
  • (works, services) (excluding orders sent by e-mail) - 44,193 companies;
  • electronic settlements with consumers - 51,210 companies;
  • distribution of electronic products - 12,566 companies;
  • after-sales service (service) - 13,580 companies.

The volume and dynamics of the budgets of federal executive authorities for information technology in 2016-2017

According to the Federal Treasury, the total limits of budgetary obligations for 2017 communicated to the federal executive authorities (hereinafter, federal executive bodies) under expenditure type code 242, "Purchase of goods, works, services in the field of information and communication technologies", in the part not constituting a state secret, amounted to 115.2 billion rubles as of August 1, 2017. This is about 5.1% higher than the total IT budgets of federal executive authorities in 2016 (109.6 billion rubles, according to the Ministry of Telecom and Mass Communications). Thus, while the total IT budgets of federal departments continue to grow from year to year, the growth rate has decreased (in 2016, the total IT budget grew by 8.3% compared to 2015). At the same time, the stratification between "rich" and "poor" departments in terms of ICT spending keeps increasing. The undisputed leader, not only in budget size but also in the level of IT achievements, is the Federal Tax Service. Its ICT budget this year is more than 17.6 billion rubles, which is more than 15% of the budget of all federal executive authorities. The combined share of the top five (FTS, Pension Fund, Treasury, Ministry of Internal Affairs, Ministry of Telecom and Mass Communications) is more than 53%.

Fig. 5. Structure of budget expenditures for the purchase of goods, works and services in the field of information and communication technologies by federal executive body, 2017, %

Legislative regulation in the field of procurement of software for state and municipal needs

Since January 1, 2016, all state and municipal bodies, the state corporations Rosatom and Roskosmos, the governing bodies of state off-budget funds, as well as state and budgetary institutions that make purchases in accordance with Federal Law No. 44-FZ of April 5, 2013 "On the contractual system in the field of procurement of goods, works, services to meet state and municipal needs" are obliged to comply with the ban on the admission of software originating from foreign countries for purchases made to meet state and municipal needs. The ban was introduced by Decree of the Government of the Russian Federation No. 1236 of November 16, 2015 "On the establishment of a ban on the admission of software originating from foreign countries for the purpose of making purchases to meet state and municipal needs." When purchasing software, the customers listed above must explicitly state the prohibition on purchasing imported software in the purchase notice. The ban applies to purchases of software for electronic computing machines and databases, regardless of the type of contract, whether delivered on a tangible medium and (or) in electronic form over communication channels, as well as to the exclusive rights to such software and the rights to use it.

There are a few exceptions under which customers are allowed to purchase imported software:

  • purchases of software and (or) rights to it by diplomatic missions and consular offices of the Russian Federation, trade missions of the Russian Federation with international organizations to ensure their activities on the territory of a foreign state;
  • procurement of software and (or) rights to it, information about which and (or) the procurement of which constitutes a state secret.

In all other cases, before purchasing software the customer must consult the unified register of Russian programs for electronic computers and databases and the classifier of programs for electronic computers and databases.
The Ministry of Telecom and Mass Communications of Russia, as the authorized federal executive body, forms and maintains the register.
As of the end of August 2017, the register contained 343 software products in the class "information security tools" from 98 Russian development companies. Among them are software products of such major Russian developers as:

  • OJSC Information Technologies and Communication Systems (Infotecs) - 37 software products;
  • AO Kaspersky Lab - 25 software products;
  • Security Code LLC - 19 software products;
  • Crypto-Pro LLC - 18 software products;
  • Doctor WEB LLC - 12 software products;
  • LLC "S-Terra CSP" - 12 software products;
  • CJSC "Aladdin R.D." - 8 software products;
  • InfoWatch JSC - 6 software products.

Analysis of the activities of the largest players in the field of information security

  • As the main input for the analysis of the activities of the largest players in the information security market, this study used information on public procurement in the field of information and communication activities and, in particular, information security.

To analyze trends, we selected 18 companies that are among the leaders in the information security market and are actively involved in government procurement. The list includes both developers of software and hardware-software protection systems and the largest system integrators. The total revenue of these companies in 2016 amounted to 162.3 billion rubles, exceeding the 2015 figure by 8.7%.
The companies selected for the study are listed below.

Tab. 1. Companies selected for research

No. / Name / INN / Type of activity (OKVED 2014)
1. I-Teco, JSC; INN 7736227885; Activities related to the use of computers and information technologies, other (62.09)
2. Croc Incorporated, JSC; INN 7701004101
3. "Informzashita", CJSC NIP; INN 7702148410; Research and development on social sciences and humanities (72.20)
4. Softline Trade, JSC; INN 7736227885
5. Technoserv AS, LLC; INN 7722286471; Wholesale of other machinery and equipment (46.69)
6. Elvis-plus, JSC; INN 7735003794
7. Asteros, JSC; INN 7721163646; Wholesale of computers, computer peripherals and software (46.51)
8. "Production company Aquarius", LLC; INN 7701256405
9. Lanit, JSC; INN 7727004113; Wholesale of other office machinery and equipment (46.66)
10. "Jet Infosystems", JSC; INN 7729058675; Wholesale of computers, computer peripherals and software (46.51)
11. "Dialogue Science", JSC; INN 7701102564; Computer software development (62.01)
12. "Factor-TS", LLC; INN 7716032944; Manufacture of computers and peripheral equipment (26.20)
13. "InfoTeKS", OJSC; INN 7710013769; Computer software development (62.01)
14. "Ural Center for Security Systems", LLC; INN 6672235068; Activities in the field of architecture, engineering research and the provision of technical advice in these areas (71.1)
15. "ICEl-KPO VS", JSC; INN 1660014361; Computer software development (62.01)
16. NVision Group, JSC; INN 7703282175; Wholesale trade, non-specialized (46.90)
17. "Confident-integration", LLC; INN 7811512250; Data processing, hosting and related activities (63.11)
18. "Kaluga astral", JSC; INN 4029017981; Advisory activities and work in the field of computer technology (62.02)

As of the end of October 2017, the companies in the sample held 1,034 contracts with government bodies worth 24.6 billion rubles. I-Teco leads this list by volume of concluded contracts: 74 contracts worth 7.5 billion rubles.
Over the past years, with the exception of the crisis year 2014, the total volume of contracts of the selected companies has grown steadily. The most significant dynamics fall on the period 2015-2016: in 2015 the volume of contracts increased by more than 3.5 times, and in 2016 by 1.5 times. Based on the available data on the companies' contract activity for January-October 2017, it can be assumed that in 2017 the total volume of contracts with government agencies will be about 37-38 billion rubles, that is, a decrease of around 40% is expected.

2018-08-21T12:03:34+00:00

Large commercial companies spend about 1% of their annual revenue on the physical security of their businesses. Enterprise security is as much a resource as technologies and means of production. But when it comes to the digital protection of data and services, the financial risks and necessary costs become difficult to calculate. We explain how much of the IT budget it is reasonable to allocate to cybersecurity and whether there is a minimum set of tools one can get by with.

Security costs are on the rise

Commercial organizations around the world, according to a Gartner report, spent about $87 billion on cybersecurity needs in 2017, including software, specialized services and hardware. This is 7% more than in 2016. This year, the figure is expected to reach $93 billion, and next year it will cross the $100 billion mark.

According to experts, the market for information security services in Russia is about 55-60 billion rubles (about 900 thousand dollars). Two-thirds of it is accounted for by government orders. In the corporate sector, the share of such costs depends strongly on the form of the enterprise, its geography and its field of activity.

Domestic banks and financial structures invest on average 300 million rubles a year in their cybersecurity, industrial companies up to 50 million, and retail chains from 10 to 50 million.

The growth rate of the Russian cybersecurity market has for several years now been 1.5-2 times higher than the global one. In 2017, growth was 15% (in terms of customers' money) relative to 2016. At the end of 2018, it may turn out to be even more impressive.

The high growth rates are due to the general revival of the market and the sharply increased attention organizations pay to the real security of their IT infrastructure and the safety of their data. The costs of building an information protection system are now viewed as an investment: they are planned in advance rather than funded on a leftover basis.

Positive Technologies singles out three drivers of growth:

  1. High-profile incidents of the last 1.5-2 years have led to a situation where only the lazy do not understand the role of information security in the financial stability of an enterprise. One in five top executives takes an interest in practical security in the context of their business.

     The past year has been instructive for businesses that ignore the elementary ... The lack of up-to-date updates and the habit of working without paying attention to vulnerabilities led to the shutdown of Renault factories in France and Honda and Nissan factories in Japan; banks, energy and telecommunications companies were affected. Maersk, for example, lost $300 million in a single incident.

  2. The ransomware epidemics WannaCry, NotPetya and Bad Rabbit have taught domestic companies that installing antivirus and firewalls is not enough to feel safe. You need a comprehensive strategy, an inventory of your IT assets, dedicated resources and a threat response strategy.
  3. In a sense, the tone is set by the state, which has announced a course towards a digital economy encompassing all spheres (from healthcare and education to transport and finance). This policy directly affects the growth of the IT sector in general and information security in particular.

The cost of security vulnerabilities

All of this is instructive, but every business is a unique story. The question of how much of the company's overall IT budget to spend on information security, although not strictly correct, is, from the customer's point of view, the most pressing one.

The international research company IDC, using the Canadian market as an example, names 9.8-13.7% of the total IT budget as the optimal level of investment in cybersecurity. That is, Canadian businesses now spend on average about 10% on these needs (which is considered the mark of a healthy company) but, judging by the polls, would like to be closer to 14%.

Companies no longer have to guess how much they need to spend on their information security in order to feel calm. Today, assessing the risks from cybersecurity incidents is no more difficult than calculating the losses from physical threats. There are worldwide statistics according to which:

  • Hacker attacks cost the global economy more than $110 billion annually.
  • For small businesses, each incident costs an average of $188,000.
  • 51% of hacks in 2016 were targeted, that is, organized by criminal groups against a specific company.
  • 75% of attacks are financially motivated, carried out with the aim of causing material damage.

In the spring of 2018, Kaspersky Lab carried out its own large-scale study. According to a survey of 6 thousand company specialists around the world, the damage from hacking of corporate networks and data leaks has grown by 20-30% over the past couple of years.

The average cost of damage as of February 2018 for commercial organizations, regardless of size and field of activity, was $1.23 million. For SMEs, a staff error or the successful actions of hackers cost $120 thousand.

Feasibility study for information security

To correctly assess the financial resources needed to organize information security at the enterprise, a feasibility study has to be drawn up.

  1. We take an inventory of the IT infrastructure, assess risks and compile a list of vulnerabilities in descending order of importance. Reputational losses (an increase in insurance rates, a decrease in the credit rating, the cost of service downtime) and the cost of restoring the system (updating equipment and software) are also included here.
  2. We list the tasks that the information security system should solve.
  3. We select equipment and tools for solving those tasks and determine their cost.
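The three steps above carried through on a small constructed risk register, as an added example that is not part of the original article. Step 1 ranks vulnerabilities by annualised loss expectancy (ALE), with the per-incident loss built from direct loss, downtime, reputational loss and restoration cost as the text lists them; steps 2 and 3 map each vulnerability to a control, price the controls and keep those that pay for themselves within a given budget. The assets, likelihoods, money values and control names are all invented for illustration, and the return-on-security-investment (ROSI) test is a common budgeting convention assumed here, not something the article prescribes.

```python
"""Risk-based feasibility study for an information security budget.

Added example with constructed figures: rank vulnerabilities by ALE,
map them to controls, and select controls within a budget.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    vulnerability: str
    likelihood_per_year: float    # expected number of incidents per year
    direct_loss: float            # money lost per incident (fraud, fines, ...)
    downtime_hours: float         # service downtime per incident
    downtime_cost_per_hour: float
    reputational_loss: float      # e.g. higher insurance rates, rating downgrade
    restoration_cost: float       # replacing equipment/software after the incident

    def single_loss_expectancy(self) -> float:
        """Total loss from one occurrence of the incident."""
        return (self.direct_loss
                + self.downtime_hours * self.downtime_cost_per_hour
                + self.reputational_loss
                + self.restoration_cost)

    def annualised_loss_expectancy(self) -> float:
        """ALE = expected incidents per year * loss per incident."""
        return self.likelihood_per_year * self.single_loss_expectancy()


@dataclass
class Control:
    name: str
    annual_cost: float
    covers: str            # vulnerability this control addresses
    risk_reduction: float  # fraction of the ALE it removes, 0..1


def rank_risks(risks):
    """Step 1: vulnerabilities in descending order of importance (ALE)."""
    return sorted(risks, key=lambda r: r.annualised_loss_expectancy(), reverse=True)


def rosi(control: Control, risk: Risk) -> float:
    """Return on security investment: (ALE avoided - control cost) / control cost."""
    avoided = risk.annualised_loss_expectancy() * control.risk_reduction
    return (avoided - control.annual_cost) / control.annual_cost


def plan_budget(risks, controls, budget: float):
    """Steps 2-3: walk the ranked risks, pick the control for each while its
    ROSI is positive and the budget allows. Returns (chosen names, spent, residual ALE)."""
    by_vulnerability = {c.covers: c for c in controls}
    chosen, spent, residual = [], 0.0, 0.0
    for risk in rank_risks(risks):
        ale = risk.annualised_loss_expectancy()
        ctrl = by_vulnerability.get(risk.vulnerability)
        if ctrl and rosi(ctrl, risk) > 0 and spent + ctrl.annual_cost <= budget:
            chosen.append(ctrl.name)
            spent += ctrl.annual_cost
            residual += ale * (1 - ctrl.risk_reduction)
        else:
            residual += ale  # accepted risk: no affordable, worthwhile control
    return chosen, spent, residual


# Constructed register (all figures invented for illustration, in rubles or any currency).
SAMPLE_RISKS = [
    Risk("online store", "unpatched web server", 0.5, 200_000, 48, 5_000, 300_000, 50_000),
    Risk("office workstations", "no endpoint protection", 1.0, 50_000, 24, 2_000, 100_000, 80_000),
    Risk("file share", "weak passwords", 0.2, 20_000, 8, 1_000, 50_000, 10_000),
    Risk("test lab", "outdated printer firmware", 0.1, 1_000, 2, 200, 0, 500),
]

SAMPLE_CONTROLS = [
    Control("patch management + WAF", 60_000, "unpatched web server", 0.8),
    Control("EDR + backups", 90_000, "no endpoint protection", 0.9),
    Control("password policy + MFA", 15_000, "weak passwords", 0.7),
    Control("printer firmware replacement", 5_000, "outdated printer firmware", 1.0),
]


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.vulnerability:28s} ALE = {r.annualised_loss_expectancy():>12,.0f}")
    chosen, spent, residual = plan_budget(SAMPLE_RISKS, SAMPLE_CONTROLS, budget=200_000)
    print("controls:", chosen, "spent:", spent, "residual ALE:", round(residual))
```

With the constructed figures the two most expensive risks get controls (150,000 of the 200,000 budget), while the password-policy and printer controls are rejected because their cost exceeds the loss they would avoid; the residual ALE that remains is what the study would carry as accepted risk. Lowering the budget to 100,000 leaves only the first control affordable, which is the situation the "leftover basis" funding described earlier produces.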

If the company lacks the competencies to assess cybersecurity threats and risks, an information security audit can always be ordered from an outside provider. Today this procedure is quick, inexpensive and painless.

For industrial companies with a high level of process automation, experts recommend using the Adaptive Security Architecture model proposed by Gartner in 2014. It allows information security costs to be reallocated properly, paying more attention to tools for detecting and responding to threats, and implies deploying a monitoring and analytics system for the IT infrastructure.

How much cybersecurity costs for small companies

The authors of the Capterra blog decided to count up how much an information security system costs small and medium-sized businesses on average in the first year of use. For this, a list of 50 popular "boxed" offers on the market was chosen.

It turned out that the range of prices is quite large: from $50 per year (there are even 2-3 free solutions for small companies) up to $6 thousand (there are individual packages at $24 thousand, but they were not included in the calculation). On average, a small business can count on $1,400 to build a rudimentary cyber defense system.

The cheapest are technical solutions such as a business VPN or email security that help protect against specific types of threats (such as phishing).

At the other end of the spectrum are complete monitoring systems with "advanced" event response and comprehensive protection tools. They help protect the corporate network from large-scale attacks and sometimes even allow their appearance to be predicted and stopped at an early stage.

The company can choose among several payment models for the information security system:

  • Price per license. The average price is $1,000-2,000, with a range from $26 to $6,000 per license.
  • Price per user. The average cost of an information security system per user in a company is $37; the range is from $4 to $130 per person per month.
  • Price per connected device. The average cost for this model is $2.25 per device; the price ranges from $0.96 to $4.5 per month.

To correctly calculate the cost of information security, even a small company will have to implement the basics of risk management. The very first incident (a site, service or payment system going down) that cannot be remedied within 24 hours can lead to the closure of the business.
