Does fear really sell? Analysis of data from 2019-2024 debunks a popular myth in the industry. Although the number of cyber security incidents in Poland increased by more than 1,500% during this period, the market for security services and solutions grew by “only” around 120%. What explains this gap, and why does the SME sector remain a ‘no-man’s land’ for integrators?
For years, the commercial narrative of the IT industry has been dominated by a simple logic: the more threats, the more customers spend on protection. The market reality of the last five years, however, shows that this correlation is much weaker than it might seem. There is an unprecedented asymmetry – while the threat curve is climbing exponentially, the revenue curve of technology providers is growing at a linear rate, stable but far from explosive.
Battle landscape: Escalation of 1,500 per cent
To understand the scale of the disparity, we need to look at hard data on the ‘supply’ of threats. Statistics from CERT Polska (NASK) over the last five years paint a picture of a digital battlefield that has been completely transformed.
Back in 2019, considered the last year of the ‘old era’, CERT Polska recorded 6,484 security incidents. Even then, there was talk of records. However, the real shock came in 2020 and the pandemic, when the number topped 10,000. This was just the beginning.
The following years have had a snowball effect. In 2021, nearly 30,000 incidents were recorded, and 2023 closed with more than 80,000 recorded incidents. Preliminary estimates and communications for 2024 show a further dramatic increase, with the number of incidents exceeding 100,000 (an average of 300 per day).
The mathematics are inexorable: in five years, the volume of successful attacks and incidents has increased by nearly 1,500%. If the market had reacted in direct proportion, the cybersecurity industry should be the largest sector of the digital economy today. However, this is not the case.
Market: Solid growth, but no euphoria
Juxtaposing these figures with the financial performance of the cybersecurity sector reveals a fundamental ‘divergence’ (decoupling). According to analyses by the research company PMR, the value of the cyber security market in Poland in 2018 was PLN 1.14 billion. Forecasts for 2024 oscillated around PLN 2.5-3 billion.
This means that at the same time as the number of attacks has increased fifteenfold, the market has grown by around 120-140%. This is a very good result compared to other IT branches, but it clearly shows that the elasticity of demand for security is low. Each additional thousand attacks generates a relatively small increase in new budgets.
Eurostat data (NACE classification 62.09) and the services price indices (PPI) confirm this trend – there is a steady increase in turnover, but there is no question of a jump to match the scale of the risks.
Diagnosis: Why are SMEs not buying security?
The key to solving this conundrum is the structure of the Polish economy. While the banking sector and large corporations (Enterprise) invest in proportion to the risk, the SME sector, which is the backbone of the economy, lags behind. This phenomenon can be called the ‘investment gap’.
1. Financial barrier and microbudgets
The average annual expenditure on cyber security among SMEs is only PLN 24,000. Set against the cost of a modern SIEM, EDR or specialist salaries, this amount is a drop in the ocean of needs. It covers the purchase of basic licences, but not the building of real resilience.
2. Awareness vs. practice
ESET and Dagma’s 2024 research is alarming: as many as 41% of Polish companies do not even use anti-virus software. Although 87% of companies consider digitalisation to be crucial and 88% have experienced an incident in the last 5 years, an ‘it will work out somehow’ attitude still persists.
3. Technology debt and Shadow IT
Many companies migrate to the cloud (SaaS), mistakenly assuming that security is included in the price of an office suite subscription. These expenses are often not classified as ‘cybersecurity’, which understates the market statistics. The same assumption also lulls businesses into not investing in additional layers of protection (backup, training).
What really drives the market?
Analysis of the data leads to the conclusion that the number of attacks is not the main driver of sales. Polish companies are reactive rather than preventive. Two other factors are the real ‘engine’ of spending growth:
- Paralysing incident (ransomware): Only an attack that encrypts data and stops production opens the board’s wallet. Minor incidents (spam, phishing) are ignored.
- Regulation (Compliance): The spike in reported incidents in 2020 coincided with the implementation of the KSC Act. The market is now waiting for the effect of the NIS2 directive. It is the threat of administrative penalties (up to 2% of turnover), not hackers, that will force thousands of entities to make real investments between 2025 and 2026.
The future belongs to companies that will offer security as a scalable service (Managed Security Services), taking the burden of hiring expensive experts off the customer’s shoulders, and to those that combine technology with legal support for NIS2 requirements in their offerings. This is the only way to bridge the gap between the growing graph of attacks and the flat graph of spending.
