Published on 04/04/2019 | Written by Jonathan Cotton
We’re spending more on security than ever, so why do breaches keep rising?
The results of the Ninth Annual Cost of Cybercrime Study are in and show an expanding cyber threat landscape – despite increased security spending.
The research, conducted by the Ponemon Institute for Accenture, shows a flourishing digital economy, an ever-increasing dependence on the internet and a threat landscape in flux, as techniques, targets and impacts rapidly mutate and business struggles to keep up.
Size, complexity, frequency and cost
According to the report, which is based on interviews with 2,647 senior business leaders worldwide, cyberattacks are increasing in frequency and taking more time to resolve. Organisations have seen a steady rise in the number of security breaches (from 130 in 2017 to 145 over the last year), and that’s having an economic effect.
“The impact of these cyberattacks to organisations, industries and society is substantial,” says the report.
“Alongside the growing number of security breaches, the total cost of cybercrime for each company increased from US$11.7 million in 2017 to a new high of US$13.0 million – a rise of 12 percent.”
And as businesses grow more complex, 68 percent of business leaders say their cybersecurity risks are also increasing. “Almost 80 percent of organisations are introducing digitally fuelled innovation faster than their ability to secure it against cyberattackers,” the report says.
Supply chains
According to the report, that threat is increasingly manifesting itself in extended supply chain threats, as organisations’ ability to maintain security across the broader business ecosystem is challenged.
“Cyberattackers have slowly shifted their attack patterns to exploit third- and fourth-party supply chain partner environments to gain entry to target systems, including industries with mature cybersecurity standards, frameworks and regulations,” warn the researchers.
That’s an environment executives need to navigate, says the report – or else. Multiple new regulations – most obviously the GDPR, but also others – aim to hold organisations and their executives more accountable for the protection of client data, information assets and IT infrastructure. The GDPR carries a big stick, too: fines of up to US$23 million (or four percent of annual global revenues) are on the table, and French data regulator CNIL has already issued a US$57 million fine – the largest so far.
All too human
And with so much to lose, where does the buck stop? That’s something that still needs to be discussed, asserts the report.
“Today, the security function is largely centralised and its staff are rarely included when new products, services and processes – all of which involve some sort of cyber risk – are being developed.”
“Such a siloed approach can result in a lack of accountability across the organisation and a sense that security is not everyone’s responsibility.”
Only 16 percent of CISOs said employees in their organisations are held accountable for cybersecurity today. That’s a situation that cannot continue, says the report.
“Providing ongoing training and skill reinforcement – for instance, with phishing tests – is essential, alongside training and education. Employees need the tools and incentives to help them to define and address risks.”
“New work arrangements – greater use of contractors and remote work – make the need for employee training more urgent. Even so, training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets.”
Next steps
All is not lost, however. The report offers three steps to better cybersecurity, and it starts at home.
“Counteracting internal threats is still one of the biggest challenges facing business leaders today,” says the report. “Increases in phishing, ransomware and malicious insider attacks mean that greater emphasis needs to be on nurturing a security-first culture.”
The report urges business leaders to conduct regular training to reinforce safe behaviours “both for people within the organisation and across the entire business ecosystem.”
“Partners, third parties and relationships are growing as a result of conducting business electronically. Organisations should work with these ecosystem partners to jointly protect and defend their operations. The people involved are not always the people within an organisation.”
Next, says the report, limiting information loss and business disruption is an area worthy of investment.
“Information protection is at the heart of trustworthy business practices, and it is essential to defend against business disruption. Taking a data-centric approach to security, adopting data loss prevention technologies and using cryptographic technology extensively can all help to reduce the cost of cybercrime.”
“Enhancing security measures around the handling, maintenance and sharing of information can shift an organisation’s approach to information loss from damage limitation to robust proprietary practices.”
Finally, target rising security costs with better tech.
“Unsurprisingly, as the number of cyberattacks grows, so discovery costs are rising – and breakthrough technologies could be the answer to finding and reversing this increasing expense.”
“Investments in enabling security technologies, such as security intelligence and threat sharing, can help to reduce the cost of cybercrime. Cloud services can make the investigation of cyber threats more efficient. Automation and advanced analytics can be used to investigate cybercrime and enhance recovery efforts, as well as being applied to supplement the work of scarce specialist security personnel.”