Cyber Security Spending Is Going Up, but Cyber Crime Is Not Slowing Down
Money is not the only resource your company needs to enhance its cyber security
Happy New Year everyone!
Instead of dedicating our first post from 2017 to reviewing 2016’s cyber security facts and figures, we decided to examine a topic that concerns us all, individuals and organizations alike:
Why are the increased investments in cyber security not enough to curb the relentless growth in cybercrime?
Simply asking this question may cause defensive reactions, both from security specialists in organizations and from those part of security tech vendors. However, the point here is not to polarize, but to share our reflections on the potential causes for this imbalance.
Cyber security spending is growing like never before
Historically, the lack of an adequate budget has been a key challenge in addressing cyber security issues in organizations both private and governmental. CISOs, CIOs and other security executives have struggled for years to get their budget requests approved, so they can put at least satisfactory safeguards in place.
As a result of the growth tendency of the infosec industry – which, naturally, correlates to the development of the IT industry as a whole – this problematic situation has changed significantly in the past years.
Never before have companies and government institutions invested so much money in cyber security, both in terms of technology and human resources.
Last year, an ISACA and RSA Conference survey revealed that:
61% surveyed state that they expected an increase in their cybersecurity budgets in 2016
In addition to increased spending on cybersecurity, 75 percent of respondents report that their organizations’ cybersecurity strategy now aligns to enterprise objectives.
$81.6bn Gartner also predicted an increase in financial resources assigned to cyber defenses, based on several key indicators and market trends, anticipating that “worldwide spending on information security products and services will reach $81.6 billion in 2016, an increase of 7.9 percent over 2015.”
In terms of spending priorities, the IDC Worldwide Semiannual Security Spending Guide emphasized three key sectors:
The largest segment, managed security services, is forecast to generate revenues of $13 billion this year . Security software will be the second largest category in 2016, with endpoint security, identity and access management, and security and vulnerability management software driving more than 75% of the category’s revenues. Finally, security hardware revenues will reach $14.0 billion in 2016, led by purchases of unified threat management systems.
But so are cyber attacks
What actually happened last year confirmed these investment predictions, but it also faced security executives with a difficult problem: a large increase in cyber attacks. Much larger than anticipated.
Of course, the industry expected this would happen, but even the most versed of experts were taken aback by the most serious cyber crimes of 2016. From the biggest data breaches that ever happened to equally historical DDoS attacks and the explosive growth of ransomware, we saw Sci-Fi scenarios turn into grim reality.
The dramatic climb in cyber crime rates during last year brought on massive financial impact for the victims. Organizations lost clients, money, their reputation and they faced legal consequences. Internet users like you and me lost their data, their privacy and their money, either to ransomware or other types of financial malware.
The reason the problem is growing despite increased spending is that we only saw the tip of the iceberg in 2016. The tech industry has only begun to grapple with the magnitude and complexity of the cybercrime waves we’re dealing with.
As attacks will grow bigger, more disruptive and more frequent, our defences, both personal and organizational, will also need to be stronger and more sophisticated. The escalation will continue in 2017 and beyond.
Why throwing more money at the problem won’t solve it
Many companies will strive to allocate as much money as possible for information security this year. Many of them are doing it as we speak, as they refine and establish yearly budgets. This may happen because of the fear of being successfully compromised, because of regulatory pressure or maybe due to the fact that the CEO and the board truly understand why cyber security needs to be a priority to ensure business continuity.
Whatever the reason, the increase in cyber security spending will continue, maybe even climbing faster than anticipated.
In this rush of getting things done fast (cybercriminals don’t wait) and as effectively as possible, some security executives may end up making the wrong choices. Not because they want to, but because they’re under a lot of pressure.
We’re not only saying this from the perspective of the security vendor who wants to increase market share. We’ve seen this happen in the industry.
More money invested in security technology is not the only thing that organizations need. Effective spending has to be based on a clear understanding of what security priorities the company has.
Having more tools in the organization doesn’t necessarily make managing cyber security easier. What really helps is having the right tools for the job. When piling more technology layers than necessary, conflicts between software may appear and they can make life more complicated than it already is. Always choose quality over quantity.
Focusing on the right things for your organization
In 2017, our key advice circles back to the same theme we’ve been going on about for a while now: covering the basics. This involves at least 4 key things, from our perspective:
- Automating patching, so you can save time and deploy updates fast, safe and silently. Closing security holes is essential in any company, both inside the active directory and outside of it, especially if your organization is BYOD friendly.
- Ensuring that adequate traffic filtering layers are in place is also key. Being able to spot and block malicious traffic that’s trying to compromise your computers is crucial. And so is scanning your outgoing traffic, so you can detect data exfiltration attempts and block those as well, keeping your confidential information from reaching cyber criminals’ servers.
- Focus on employee education. We can’t emphasize this enough! Social engineering lies at the core of most cyberattacks and empowering employees to recognize threats can have a much bigger positive impact than you can imagine. Train them to be cyber savvy and treat them as part of your infosec team, because they are! Too many cyber attacks start with an innocent click on a malicious link or with an unsuspecting download.
- Move from simply reacting to ongoing cyber threats and dedicate more resources to proactive protection. The need for this shift is more acute than ever. Prevention is cheaper and more effective than mitigation and there are simple things you can do for this (see the points above).
The reality is that we work in an industry where we need each other. Companies, security vendors and users need one another:
- to keep track of multiplying cyber threat sources;
- to navigate and secure complex IT systems;
- to train and recruit knowledgeable security staff;
- to manage challenging and evolving regulatory demands;
- and to encourage and motivate one another in the fight against cybercrime (which is never ending, according to experts).
This year, choose those vendors who can keep you up to date on trends and who can work with you to help you according to your specific needs.
And, most of all, make sure to follow up on cyber security acquisitions and use them to the full extent of their potential, because otherwise their effectiveness won’t have the impact you expect. Buying security tech is one thing, but we know that implementing it is a challenge by itself, which is why resources are left unused. Address this implementation disconnect to make sure your company is getting the most of its investments.
What are you looking to achieve in 2017, cyber security wise? Share your thoughts below.