Advocating for the return on investment (ROI) in IT security has traditionally been a challenge for IT professionals to communicate to management. IT teams are responsible for the complicated task of balancing budget limitations with strong protection that will reduce the risk of a cyberattack in today’s dynamic threat landscape. However, according to a recent Kaspersky Lab report, businesses are starting to invest more in IT security rather than treat it as a cost center.

In North America, the portion of IT budgets spent on security has increased over the past year among enterprises and small and medium-sized businesses (SMBs). Despite this trend, justifying IT security spend is still essential, and it continues to become more complicated as new cyber threats emerge.

Creating a plan for IT security budgets and making a strong case to management is critical. Below are three key points to help justify why it’s important for businesses to keep their cybersecurity strategies updated – both in terms of budgets and their approach.

Cybersecurity incidents are expensive and can disrupt business operations.

Businesses of all sizes and industries are realizing that they have to prioritize cybersecurity because falling victim to an attack comes with a hefty price tag. Not only do organizations typically have to hire external security consultants when experiencing a cyberattack, but they may need to purchase new software, hire legal counsel and professionals to manage the company’s reputation during the crisis. Due to the extensive financial risk, enterprises globally now spend almost a third of the IT budget ($8.9M) on cybersecurity and budgets are expected to increase by 15 percent over the next three years across organizations – small and large.

In addition to being costly, cyberattacks also have the ability to spread far and wide and cause a major disruption to the business. For example, WannaCry stopped the production lines of five Renault factories, while exPetr disrupted business operations at the world’s largest container ship and supply company, which resulted in financial losses between $200M and $300M.

Along with presenting a risk to current business operations, cyber incidents also have the potential to impact future-focused business initiatives. Digital transformation and business mobility require organizations to operate a growing IT infrastructure. The issue is that organizations often lack visibility into their hybrid cloud environments – presenting a huge corporate data security risk. The Zepto ransomware, which was spread via cloud storage apps, is a prime example of this type of threat.

With costs rising and crucial business operations being put at risk, top management needs to be more involved in the cybersecurity provisioning debate. In addition to discussing the best protection for their own infrastructure, they also need to take a closer look at those that they do business with.

Even if your corporate perimeter is protected, you cannot be so sure about your suppliers.

It’s important to understand that a data breach can happen even if the business’s own corporate network has the necessary level of protection – through supply chain attacks or breaches as a result of vulnerabilities in third-party legitimate software.

We saw the groundbreaking breach of American retailer Target, when criminals gained access to the company’s network credentials through its ventilation and air conditioning vendor. This was followed by the Equifax breach, which was hacked through a vulnerability in legitimate open source software. The hackers gained access to databases, stealing 145.5M accounts with crucial client data such as names, Social Security numbers, dates of birth, addresses and even credit card numbers.

The costly nature of data breaches today stems from the trust businesses place on third-party organizations. According to a recent report, third parties are the source of the most costly type of incidents. In fact, for enterprises and SMBs in North America, the top expense is the same as SMBs globally – with both paying the most for incidents affecting IT infrastructure hosted by a third-party at $163K for SMBs and $1.75M for enterprises on average.

For enterprises, data protection remains a critical issue even if a threat is outside the corporate perimeter. Company data could be stored in multiple locations – making cybersecurity even more of a challenge that cannot be ignored.

The organization’s business data can be accessed from anywhere.

It’s no secret that cloud services offer many benefits to businesses, from taking advantage of a more efficient remote workforce, to reducing infrastructure costs and optimizing business operations. As such, 73 percent of SMBs use at least one SaaS hosted business application, while 45 percent of enterprises have either already raised or are planning to grow their use of hybrid cloud in the next year.

While business management may see this growth as an opportunity, as organizations move more and more data to the cloud, the security risks of data “on the go” also increases. Data “on the go” is data that is actually stored outside of the corporate data center — e.g. in third-party IT infrastructure. IT security professional and business management need to work together to ensure that they know where their crucial business data is being stored and have a security strategy in place that will protect them from new security issues and costs. It’s very important to consider a dedicated level of cybersecurity when moving workloads to cloud platforms.

To summarize, these three insights can help IT professionals explain why cybersecurity should be prioritized across companies in any industry. This is a prevalent issue for companies of any size, because virtually every company today does business with third-party contractors, cloud infrastructure and a growing amount of sensitive business data.

To achieve an advanced level of cybersecurity, businesses must implement cybersecurity as one of the core functions across their IT infrastructure and have a candid conversation with business management about making it a top priority. Businesses need to realize the responsibility for their own data and budget for IT security for their current and future environments without relying on providers.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.