The reasons for the increase in the cost of ensuring information security, in connection with the increase in the level of development of the digital economy have been revealed. One of the main reasons is the ever-increasing amount of information that needs to be stored and analysed. According to IDC forecasts, by 2025 the volume of data worldwide will increase by 10 times compared to 2017. The average costs of restoring companies ‘ activities related to cybercrimes have been given. The costs of information security are formed under the influence of many factors, the most important of which are cyber threats. The content of cyber threats on the example of industrial enterprises has been considered.The number of cyber threats is constantly growing in the world, their complexity and diversity increase depending on the object of the attack, goals and objectives. The most common types of cyber attacks in the world has been considered in the article, the mechanism of their implementation, their source and the scale of damage they cause, have been described.In connection with the transition to a digital economy, the number of cyber threats is constantly growing. In 2018, 4.3 billion computer impacts on critical infrastructure were identified in Russia (2.4 billion in 2017). Of these, more than 17 thousand are the most dangerous computer attacks. Bot networks of 30 thousand computers in 86 countries were used for these purposes. The average costs of medium-sized companies to eliminate the consequences of only one cyber incident in Russia are about 1.6 million rubles, and for large businesses - 16.1 million rubles.The recommendations to companies to consider the cost of information security as a strategic investment, ensuring the continuity of their business processes, which create advantages in an era of rapidly developing cyber threats, have been substantiated in the article. For the purposes of selecting and analysing the sources of costs of companies to provide information security, it has been proposed to classify them into 9 categories. The results of the analysis will allow companies to determine the main directions of priority financing of measures to reduce the level of losses from information security incidents and to form reasonably information security budgets
