If asked, almost any C-level executive would affirm that cybersecurity is a top priority for his or her organization. The high costs of a data breach as well as its long-lasting damage to reputation have made comprehensive network security seemingly as close to a no-brainer as there is in the enterprise. Adobe, eBay, Target: There's no shortage of examples of what can happen when security takes a backseat to tradition and convenience.
Cybersecurity as lip service: Investment lags intent
But what if so much cybersecurity strategy were actually just lip service? It's a sobering hypothesis, but one that is worth taking up in light of the gap between what's said and how much is actually invested.
While there is tremendous pressure on retailers, banks and government agencies to spend more on cybersecurity, there hasn't been the concomitant spike in outlays that one might expect, given the current threat environment:
- According to IDC Retail Insights, U.S. stores still dedicate only two percent of their technology budgets to security, even with overall spending expected to rise four percent between 2012 and 2017. Many retailers meet the baseline requirements set by the Payment Card Industry but go no further due to limited resources and the need to divert them to revenue-producing initiatives.
- IT spending as a whole has been weaker than expected in recent years. Gartner lowered its 2014 forecast for year-over-year growth from 3.2 percent to 2.1 percent. Similarly, IDC reduced its corresponding estimates for this year, citing geopolitical instability and a broad slowdown in mobile device procurement. The IT pie isn't getting much bigger, despite the need for a much more substantial slice for security.
- When discussing the value of cybersecurity at a recent panel event, Bill Murphy, CTO at Blackstone Group LP, described it as "a tax that we all don't want to pay, because it's not about furthering the business," according to The Wall Street Journal. Plenty of organizations do pay it, but the perception persists, and it can breed complacency and negligence.
With spending growing only modestly, even large enterprises may find themselves in situations in which they cannot effectively respond to an event. The recently released Fifth Annual Board of Directors Survey conducted by EisnerAmper discovered a remarkable separation between rising concern over data breaches and lagging cybersecurity strategies.
An overwhelming majority of respondents cited the C-suite and board of directors, rather than IT and security teams, as the go-to resources during an incident. This is surprising given that these same organizations reported growing wariness of the expanding number of attack vectors, including network equipment, social media and unsecured websites.
Enterprises are right to be concerned about the widening scope of cyberattacks, but they deserve more efficient processes than offloading breach response to their executives. In its 2012 primer "5 Data Security Risks Every Small Business Should Know About," Trend Micro TrendLabs researchers pointed to the varied risks for SMBs, including unattended computers and storage of corporate data on personal devices. According to this report, 64 percent of SMBs felt that their approaches to cybersecurity needed to be overhauled, with current strategies having led to porous access controls, lack of data backup and lax enforcement of relevant policies.
"Directors have recognized the increasing risk companies face related to cyber/data security," wrote Nancy Brady, director of IT risk services at EisnerAmper, in her commentary on that firm's survey results. "Now they need to roll up their sleeves and, with the companies, address these risks."
Moving from pure defense to proactive monitoring for APT security
It's not all bad news on the cybersecurity strategy front, though. Some breached organizations have realized what went wrong and subsequently invested in technical solutions, rather than simply attempting to preserve reputation or paying lip service to protection:
- Target has fast-tracked a $100 million effort to support chip-and-PIN payment cards. In the U.S., legacy magnetic stripes, which are much less secure than this newer technology, have enabled numerous breaches (including the one at Target), so the investment is welcome and promising.
- While IT spending at large is stagnant, security is taking at least some money away from other efforts. Seventy percent of the 101 CIOs who responded to a July 2014 UBS AG survey stated that security spending would be a top budget growth area.
- Stakeholders are realizing that traditional solutions like antivirus and firewalls, while still important, cannot meet all requirements for network and data protection. Strategies are shifting to address the rise of advanced persistent threats and targeted attacks.
Regarding the latter trend, tools equipped with deep discovery and analytics are becoming preferable to ones that rely on older methodologies like blacklisting. The explanation is simple: New threats may be quick to evolve, easy to customize (through widely distributed malware kits) and difficult to counteract with legacy defenses due to their sophistication.
An April 2013 Trend Micro white paper looked at how advanced persistent threats use intelligence gathering, spear-phishing and command-and-control infrastructure to gain access to corporate networks and harvest data for months or even years at a time, all while undetected. APTs alone are reason enough for boardrooms and C-level suites everywhere to make good on their commitments to mitigate risk, by investing in modern network security solutions.
"Standard protection products' signature-based, one-size-fits-all approach cannot deal with the custom nature of targeted attacks and their dedicated perpetrators," wrote the Trend Micro authors. "The malware, communications, and attacker activities used in targeted attacks are invisible to standard endpoint, gateway and network security measures."
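The contrast drawn in the two paragraphs above, a hash blacklist that misses a trivially rebuilt sample versus analytics that flag the attacker's command-and-control traffic by its behaviour, is illustrated by this added example. It is not code from the original article or from Trend Micro; the payload bytes, proxy log lines, host names and addresses are all constructed.

```python
import hashlib
import statistics
from collections import defaultdict

# Constructed sample: the blacklist holds the hash of one known dropper build.
# A kit-rebuilt variant differs by a single byte, so its hash never matches.
KNOWN_BAD = hashlib.sha256(b"dropper-v1").hexdigest()
BLACKLIST = {KNOWN_BAD}


def blacklist_hit(payload: bytes) -> bool:
    """Signature-style check: exact hash match only."""
    return hashlib.sha256(payload).hexdigest() in BLACKLIST


# Constructed proxy log: (seconds since start, source host, destination).
# Host ws7 contacts one destination at a near-constant interval, the kind of
# periodic "beacon" a command-and-control implant produces; ws3 browses normally.
PROXY_LOG = [
    (0, "ws7", "203.0.113.10"), (600, "ws7", "203.0.113.10"),
    (1205, "ws7", "203.0.113.10"), (1798, "ws7", "203.0.113.10"),
    (2400, "ws7", "203.0.113.10"),
    (15, "ws3", "198.51.100.5"), (90, "ws3", "198.51.100.7"),
    (3000, "ws3", "198.51.100.5"), (3100, "ws3", "198.51.100.5"),
]


def beaconing_pairs(log, min_events=4, max_jitter=0.05):
    """Behavioural check: (host, destination) pairs whose connection gaps are
    nearly constant. Jitter is pstdev(gaps)/mean(gaps); low values mean a timer,
    not a human, is driving the traffic. Works on any destination, listed or not."""
    times = defaultdict(list)
    for ts, host, dst in log:
        times[(host, dst)].append(ts)
    flagged = []
    for pair, ts_list in times.items():
        if len(ts_list) < min_events:      # too few samples to judge periodicity
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append(pair)
    return flagged
```

Running it shows the rebuilt payload slipping past the blacklist while ws7's beaconing is flagged without any prior knowledge of the destination.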
Indeed, experts have for years been warning the public about how APTs would alter the enterprise security calculus, forcing teams to address determined, targeted attacks rather than ones that cast a wide net. With cybersecurity investment still lagging behind reported concern over breaches, it is past time for companies and their security providers to ensure that today's threats are actually being addressed. Monitoring and analytics solutions can help enterprises respond to these risks economically and effectively.