A new joint study by Deloitte and the Financial Services Information Sharing and Analysis Center highlights the budget impact of establishing and maintaining cybersecurity.

There is no greater threat to an organization’s livelihood than a highly publicized and costly cyberattack. Data breaches, data held for ransom, and wire fraud can cost organizations millions of dollars in remediation, plus additional costs stemming from the loss of customers, consumer trust, etc.

So, it’s important for organizations to dedicate an appropriate amount of budget to address cybersecurity concerns. According to the Pursuing Cybersecurity Maturity at Financial Institutions study put out by Deloitte, financial institutions spend a tremendous amount on a per-employee basis ($2300), but it may not be enough.

According to the report, the average spend dedicated to cybersecurity as a percentage of revenue is 0.36%, just 10% of the overall IT budget. This translates to an IT budget (as a percentage of revenue) of just 3.6%.

According to a 2017 Deloitte study, Technology Budgets: From Value Preservation to Value Creation, the Banking and Securities vertical spent 7.16% of revenue on IT. That represents a significant drop in IT (and, therefore, cybersecurity) focus.

Deloitte encourages organizations (financial and otherwise) to work towards an adaptive level of cybersecurity maturity (as defined by NIST) and offers these three characteristics of adaptive organizations:

They secure leadership and board involvement – this is critical, as Deloitte has previously pointed out that CEOs and Boards are unprepared for cyber risk.

They align cybersecurity more closely with business strategy – keeping security in focus as businesses adopt new technology and digitally transform is key to growth while reducing risk.

They raise cybersecurity’s profile within the organization beyond IT – creating a security culture is necessary for the thriving of the modern-day business. Organizations utilizing Security Awareness Training elevate a user’s understanding of why cybersecurity is necessary, what their role is in it, and how to maintain productivity and organizational security simultaneously.

While financial organizations are spending what appears to be a tremendous amount of budget per employee on cybersecurity, the reality is they need to be doing more to fend off attacks that will do more damage per employee than just $2300.