Cybersecurity is an investment, not a cost: how to calculate the ROI of protecting your company

Do you treat cybersecurity as a line item in the IT budget? That is the most expensive way to think about it. In 2024, 83% of Polish companies faced an attempt to breach them, and the average cost of a single incident passed one million złoty. The good news: you can put a number on protection the same way you would on any other investment. Here is what a lack of defenses really costs and how to calculate the return (ROSI), so you can talk about security in the language your board understands.
A cyberattack is now an economic risk
Every business runs on digital infrastructure today. A cyberattack is an economic risk, the kind that shows up on the balance sheet. Global losses from cybercrime reached 9.5 trillion dollars in 2024.
Poland is heading the same way. In 2024, reported breaches rose 60% against 2023, and confirmed incidents rose 23%. CSIRT NASK handled 103,449 cases, 29% more than the year before, and the average daily incident count climbed from 220 to 283. An attack attempt hit 83% of Polish companies, up 16 percentage points year over year.
At numbers like these, treating cybersecurity as nothing but a cost is outdated and, frankly, risky. It is an investment that protects your most important assets, builds resilience, and opens new contracts. This article shows that proactive spending on protection comes out far below the cost of an incident.
What a lack of security really costs
Weak defenses carry a real, many-sided risk. The cost of an attack rarely ends with fixing systems. Add fines, downtime, and the hardest loss to win back: trust.
Incident numbers in Poland: what they cost
Attacks on Polish companies come often. An incident is now the norm: more than half of businesses have already been through one.
The consequences are concrete. The average cost of a single incident for a Polish company passes one million złoty, and the longer it takes to detect and contain a breach, the faster the bill grows. There is a ransomware lesson on top of that: companies that paid the ransom still took losses on par with those that refused. Giving in to blackmail rarely pays off.
The trend is clear. In 2024, CSIRT NASK also logged 57% more serious incidents, the kind that put an institution's ability to keep operating at risk.
Even so, some companies underrate the risk. Close to 25% of businesses in Poland made no security improvements in 2025, and 54% report no serious failure in the past year, which more often means undetected incidents than genuine calm.
The takeaway is simple: a company that puts off security only stockpiles the risk it thinks it is avoiding. Prevention usually costs far less than response, and response can threaten the cash flow, even the survival, of a small or midsize company.
Fines, damages, and direct losses
The direct financial hit can be devastating, and it starts with regulatory fines. Under Article 83(5) of the GDPR, a fine for a data breach reaches 20 million euros or 4% of total annual worldwide turnover, whichever is higher.
This is not theory. Poland's data protection authority (UODO) fined Morele.net 3.8 million złoty for a breach that exposed 2.2 million people. The case went back to the courts for years, running up more legal costs. One fine like that can wipe out the savings from years of skipping security spend.
The second big burden is ransomware. The average ransom in 2023 reached 3.9 million dollars, more than 250% up on the year before. Paying does not guarantee you get the data back, and losses grow anyway: rebuilding systems, damages, and handling the legal and PR crisis.
The point for the board: investing in GDPR compliance, and soon NIS2 and DORA, works like an insurance policy. Avoiding a single fine can pay back the cost of many years of security. That is a return measured in costs you never paid.
Losing reputation and trust
Money is one side. The other, often harder, is the loss of reputation and trust. In digital business, credibility is an asset that feeds straight into revenue.
The effects are real on both sides of the relationship. 59% of companies pointed to a loss of partner trust, and customers move to competitors after a breach. The Polish market offers telling examples:
- ALAB Laboratoria (November 2023). The largest medical data breach in Poland's history: 246 GB, including test results and personal data of about 200,000 clients. The result was a risk of identity theft and a wave of phishing that impersonated the lab.
- Allegro (2023). A shared file held more than 6 million rows of login data for accounts across nine domains, banks among them, and separately the data of 88,000 users leaked. Events like this reach the media within hours.
- Santander Bank Polska (June 2024). The ShinyHunters group exploited a flaw in the bank's systems, threatening to expose the data of millions of customers and drive up phishing attacks.
A breach hits the supply chain too: partners fear the next one and back out of the relationship. Investing in security is therefore an investment in trust capital and the long-term value of the brand.
Operational downtime: a stalled business and lost profit
An attack can stop a company, and downtime is lost revenue, plain and simple. For most companies, service availability is critical.
The most common cause of downtime is DDoS attacks, which overload servers and links. In February 2024 they hit Polish institutions, including PKP railway systems and government sites. In July 2024 the targets were airport sites in Gdańsk, Rzeszów-Jasionka, and Poznań-Ławica, making it hard for travelers to reach information.
Ransomware can paralyze a company by encrypting its most important systems. In December 2024, an attack on Kraków's public transport operator MPK disrupted online ticket sales, the website, and other systems, with a risk of leaking passenger and staff data.
The cost is direct. Cleaning up after a breach takes as long as 85 days on average, which means weeks of limited sales and service. Investing in security is investing in continuity, and continuity is easy to price: just add up the loss from one hour or one day of downtime.
Cybersecurity as an investment: a measurable return (ROSI)
To move from thinking about cost to thinking about investment, you have to be able to count the benefit. That is what the ROSI metric is for: it shows the real return on security spend.
How to calculate the ROI of protecting your company (ROSI)
ROI (Return on Investment) measures how effective an investment is, as the ratio of net gain to capital invested. In security we use a variant, ROSI (Return on Security Investment). ROSI shows how much a given control reduces your potential losses, relative to what that control costs.
You calculate it from three variables:
- ALE (Annual Loss Expectancy). The expected annual loss from a given risk. It comes from two parts: SLE (the loss from a single incident, direct and indirect costs) and ARO (the annual frequency of the event). Formula: ALE = SLE x ARO.
- Risk reduction. The percentage drop in the likelihood or impact of an incident thanks to the control you put in place.
- The cost of the solution. Every cost of putting it in place: licenses, hardware, training, procedures, and upkeep.
The ROSI formula runs like this: ROSI = (the reduction in financial losses minus the cost of the solution) divided by the cost of the solution, times 100%.
A sound calculation depends on an honest estimate of the losses: lost revenue, downtime, fines, data recovery, and customer churn. Without that you cannot build a real prevention budget.
ROSI turns abstract risk into numbers the board and finance can read. It justifies the spend and sets priorities: first the control that cuts losses most per złoty spent.
The example below shows ROSI for an investment in penetration testing.
Table 1. A sample ROSI calculation for penetration testing
Reading it: a ROSI above zero means the investment pays off. Here every złoty invested comes back as 1.40 złoty in losses you never had to cover.
Offensive security shapes this result too. Penetration tests and red teaming simulate a real attack and find the gaps, including gaps in your own defenses, before an attacker does. Fixing them ahead of time cuts potential losses directly.
The long-term financial upside
Security spend shows up right away, but over a longer horizon it pays back mainly by avoiding costs.
Solid defenses help you avoid fines (GDPR, and soon NIS2 and DORA), damages, and the cost of rebuilding systems after ransomware. Companies that leaned on AI and security automation lost 3.05 million dollars less on average than those with traditional tools.
Security also lowers cyber insurance premiums. A company with controls in place and a trained team is less risky to the insurer, so it pays less. The policies themselves cover lost profit, data recovery, crisis handling, GDPR fines, and theft of funds, among other things. They back up your defenses but cannot take their place.
The market has already priced this in. Polish companies put 6 to 10% of revenue into IT, of which 6 to 13% goes to cybersecurity, and those budgets grow about 30% a year. Global security spend will rise 12.2% in 2025 and reach 377 billion dollars by 2028, while the cost of cybercrime alone will pass 10 trillion dollars a year. Security is a predictable expense in place of an unpredictable loss.
Business resilience and continuity
With attacks on the rise, the biggest benefit is business resilience and continuity: the ability of your systems to keep data confidential, intact, and available despite attempts to breach them.
The goal is more than stopping an attack. It is limiting the damage and getting back to normal work fast. Well-protected critical infrastructure and core processes keep running even under pressure.
Healthcare shows this clearly. Investing in security protects patient data and keeps a facility's systems and finances running, and every minute of downtime in access to medical services bears directly on patient health and on reputation.
Resilience, the ability to survive a disruption and recover fast, is a real competitive edge. A company that has it protects revenue even mid-crisis. It belongs in business planning, well beyond the IT department's task list.
Trust, reputation, and competitive edge
Data has become currency and privacy a priority. Security has moved past being a technical requirement; it now builds trust, reputation, and advantage.
Customers check whether you look after their data, and they pick the companies that can prove it. Security feeds straight into buying decisions and opens the door to new partnerships.
Certifications become the proof. The national “Firma Bezpieczna Cyfrowo” mark (NASK) confirms a mature approach to protection, and the Common Criteria certificates that NASK can issue are recognized in 32 countries and used in NATO procedures. The Sejm also passed a law on a national cybersecurity certification system, with certificates recognized across the EU.
Boards see it: 85% of chief executives call cybersecurity important for the company's growth. It has stopped being a “defensive cost” and become an investment that wins market share, especially in regulated and data-sensitive sectors.
Table 2. Key benefits of investing in cybersecurity
The main areas to invest in, and the challenges
Effective protection needs investment across several areas at once: technology, people, and regulatory compliance. Polish companies face real challenges here, and a real chance to get ahead.
Technology: AI and offensive testing
Artificial intelligence is changing security on both sides. AI systems process huge volumes of data in real time, catch subtle patterns, cut the average time to detect an incident from 101 to 20 days, raise detection accuracy by 12%, and save analysts 39% of the time they spend on routine work.
AI cuts both ways, though. Attackers use it to automate attacks and build deepfakes that are hard to tell from reality, and careless use of GenAI tools risks leaking company data. Rolling out AI therefore needs its own risk assessment.
This is where penetration testing and red teaming come in, the necessary complement to your defenses. A pentest is a controlled simulation of an attack on systems and applications, while red teaming tests the whole organization: technology, procedures, the team's response, and staff alertness.
This is necessary, because even advanced systems like EDR get bypassed, for example by the HRSword tool that switches protection off. Regular tests verify how well your controls hold up in real conditions, and AI-assisted simulations raise the rate of finding flaws by as much as 55%. Security with AI is a constant race; a one-time purchase never keeps pace.
The human factor: training and skills
For all the technology, people remain the most common cause of incidents. 84% of companies, and as many as 94% of Polish SMEs, pointed to a lack of security awareness among staff. Phishing and social engineering are the biggest threat today because they target human reflexes, where no code patch helps.
On top of that comes a talent shortage. Poland is short as many as 17,500 specialists, there are seven openings for every candidate, and 68% of companies report gaps in their teams.
The answer is a mix of training, hiring from outside IT, and outsourcing. The key piece is regular social engineering simulations and red teaming, which put staff resistance to phishing and vishing to a realistic test and point out the weakest links. The Cyber-EXE Polska exercises are a good example: 18 institutions took part in 2024, including the largest banks.
Investing in people cuts risk directly. A person can be the weakest link, but a well-prepared one becomes the first line of defense.
Regulatory compliance: NIS2, KSC, DORA
New regulations increasingly shape security in Poland and the EU, raising the bar in the most important sectors.
The NIS2 directive extends the rules to thousands of “essential” and “important” entities, placing obligations on them for risk analysis, security policies, supply chain protection, and incident reporting.
The financial sector falls under the DORA regulation, with a compliance deadline of January 17, 2025. It requires logging ICT incidents and significant threats and making continuity after an incident a priority.
In parallel, the amendment to the National Cybersecurity System act (KSC) is due to be in force by the end of 2025, with an obligation to report incidents to central registers, among other things.
The problem is that many companies drag their feet, and nearly one IT director in three overrates their organization's resilience. This is where penetration testing and attack simulations help: they reveal the gaps and prove that the controls in place actually work, which audits for GDPR, NIS2, and DORA often require.
Fines reach 4% of global turnover, so compliance is now a legal and economic requirement. A company that adapts early avoids the costs and shows market maturity.
Working together: who to partner with
No company fights these threats alone. Poland has a broad network of institutions, organizations, and companies that supply knowledge, tools, and support.
The backbone is the National Cybersecurity System, coordinated by the Ministry of Digital Affairs, with three national-level CSIRT teams: NASK (citizens, companies, digital service providers), GOV (public administration and critical infrastructure), and MON (military systems). In the financial sector there is the ZBP Bank Cybersecurity Committee and the FinCERT.pl unit, the lead body for sharing threat information among banks.
Private companies drive the market too. Outsourcing security work is common: 81% of organizations used it in 2024. Handing part of your protection to certified partners lets you focus on your own business without building everything from scratch.
The best results come from combining three sources: public resources, cooperation with industry ISACs (like FinCERT.pl), and partnership with outside experts. That matters most when specialists are scarce, because it improves your security posture faster at a reasonable cost.
Invest wisely, gain safely
Attacks keep getting more frequent, smarter, and more expensive, so cybersecurity has outgrown the role of a routine operating cost. It is a strategic investment that shields the company from fines, lost reputation, downtime, and lost revenue. In Poland this risk is common and growing, and ignoring it can be fatal for a business.
By investing in security you cut risk, build resilience, earn the trust of customers and partners, and meet the requirements of GDPR, NIS2, and DORA. And with ROSI you can back every expense with numbers instead of generalities.
The key is to stay proactive: developing your defenses (AI included), building the team's awareness and skills, running regular penetration tests and red teaming, and making smart use of the support available. Invest sensibly today so you can grow the company tomorrow without watching for the next attack.
Book a free consultation and we will help you estimate how much well-planned security actually saves.