On average, an Australian firm can expect at least one major security breach every two years…
According to a recent report by Osterman Research, Australian companies spend 26% less on IT security than the global average of the countries surveyed (the US, UK, Germany and Singapore).
Despite Australia’s security professionals’ salaries being among the highest in the world, Australia’s overall annual investment in cybersecurity was ranked the lowest (US$861,789) among the five countries surveyed, against an estimated global average of US$1,167,178.
The findings confirm that cyberattacks are a reality affecting 73% of small-to-medium businesses (SMBs) worldwide. Whilst only 67% of Australian firms reported having faced some form of security threat, this 6% discrepancy does not explain the nation’s 26% lower expenditure on IT security.
Australia And Germany: A Comparison In IT Security Spending
The results of such an underinvestment are seen in a comparison between Germany and Australia. Australian SMBs spend 22% of their security budget on responsive measures (direct costs, fines and legal costs) in the wake of a “major” security incident. In comparison, Germany spends considerably more on preventative security (IT labour and software/hardware solutions) and only 6% of its security budget goes towards responsive measures when remediating a “major” security event.

Figure One: Amounts that would be spent remediating a “major” security event
In the comparative graph below, Australia faces a medium risk of a major security incident, at 0.6 breaches per firm, per year. Germany, on the other hand, experiences only 0.4 major security incidents per firm, per year. Therefore, on average an Australian SMB can expect 1.2 major security breaches every two years, whilst a German firm can expect 1.2 major security events every three years.

Figure Two: Frequency of major security events during 2017
The reason Australia and Germany differ so greatly in their investment in cybersecurity is largely attributed to cultural attitudes. For example, German SMBs experience far lower levels of ransomware attacks but are much more likely to consider them a “very serious” threat. In addition, Australian firms are the respondents least concerned about phishing email scams, despite evidence of their growing sophistication.

Figure Three: Percent of key security threats considered to be very serious
PREVENTATIVE VERSUS REACTIVE IT EXPENSES
Even though German firms invest heavily in preventative IT security, they spend only marginally more than Australian firms on IT security overall. By spending more on IT labour and software and hardware solutions, they consequently experience fewer of the costly major security events that make up a higher proportion of Australian IT security expenses.

Figure Four: Total annual security costs for a 2500-employee organisation
A major security event for this study was considered to be an incident that “would cause significant disruption to an organisation’s operations… or completely shut down an organisation’s computing infrastructure for a day or more.” By that definition, Australia’s top companies with around 1000 to 2500 employees: Kennards Hire ($337 million per year), Mecca Cosmetics ($500 million per year) and Atlassian ($874 million per year), would stand to lose between AU$1 million and AU$2.4 million a day.
ABOUT THE SURVEY
The report, commissioned by the security software firm Malwarebytes, surveyed 900 senior IT managers across a wide cross-section of industries. The industries most represented were manufacturing (10%), financial services (10%), retail (9%), technology (9%) and healthcare (9%).
Respondents had to meet two criteria in order to take part in the study. Firstly, they had to be involved in managing or working on cybersecurity-related issues in their organisation. Secondly, their organisation had to have between 200 and 10,000 employees. As a result, the research provides a good sample size for the state of IT security investment among SMBs worldwide.