Despite billions spent on cybersecurity, companies still aren’t truly safe
23 August 2016
Last year, private sector companies globally spent more than $75 billion (€66 billion) on security software to safeguard their systems and data.
That number is expected to grow about 7% annually, according to Gartner and other analyst firms. It does not include the massive amounts spent on fraud prevention by banks, a number that is widely underreported and expected to reach into the billions annually.
Has all that spending made private sector data and systems any safer? Is customer personal data any safer?
The general answer is no, according to many analysts, but that is not necessarily because the latest software is considered ineffective.
As security software has grown more sophisticated in recent years, so have the bad guys. Data breaches have soared in the past two years. One of the worst problems is ransomware, where hackers demand payment to return sensitive data they’ve stolen or locked up to the rightful owner.
In interviews, four analysts said cybersecurity is a huge challenge because the bad guys are getting smarter. In recent years, the smartest hackers have found ways around some existing security software, especially signature-based antivirus (AV) software. Signature-based AV compares signatures of files on a system to a list of known malicious files, while the use of behaviour-based AV is growing in popularity because it watches processes in a system for signs of malware and then compares those signs against known malicious behaviours.
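As an added illustration, not code from the article or any of the analysts quoted, the following Python contrasts the two approaches described above: a hash-based signature lookup, which only recognises an exact known-bad file, and a simplified behaviour rule that flags ransomware-like activity in a process event trace regardless of which binary produced it. The event format, thresholds and the heuristic itself are assumptions, and the hashes and trace are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

# Constructed known-bad list: SHA-256 of placeholder byte strings, not real malware hashes.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-sample-payload-v1").hexdigest()}


def signature_match(file_bytes: bytes) -> bool:
    """Signature-based check: a hit only if this exact file is on the known-bad list."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES


@dataclass
class Event:
    pid: int
    op: str          # assumed event kinds: "rename", "backup_delete"
    path: str = ""
    ts: float = 0.0  # seconds since trace start


def behaviour_match(events, min_files=10, window_s=60.0):
    """Behaviour-based check (assumed heuristic): one process renames at least
    min_files user documents within window_s seconds and also deletes local backups.
    Returns the offending pid, or None when no process matches."""
    per_pid = {}
    for ev in events:
        per_pid.setdefault(ev.pid, []).append(ev)
    for pid, evs in per_pid.items():
        renames = sorted(e.ts for e in evs if e.op == "rename")
        # sliding window: any span of min_files consecutive renames inside window_s
        burst = any(renames[i + min_files - 1] - renames[i] <= window_s
                    for i in range(len(renames) - min_files + 1))
        deletes_backups = any(e.op == "backup_delete" for e in evs)
        if burst and deletes_backups:
            return pid
    return None


def make_sample_events(pid=4242):
    """Constructed trace: 12 document renames in 22 s, then a backup deletion,
    plus one unrelated rename from a benign process."""
    evs = [Event(pid, "rename", f"/home/u/doc{i}.docx.locked", ts=2.0 * i) for i in range(12)]
    evs.append(Event(pid, "backup_delete", ts=40.0))
    evs.append(Event(1, "rename", "/tmp/a.txt", ts=5.0))
    return evs


if __name__ == "__main__":
    known = b"constructed-sample-payload-v1"
    repacked = known + b" "  # same program behaviour, different bytes: new hash, no signature hit
    print(signature_match(known), signature_match(repacked))  # True False
    print(behaviour_match(make_sample_events()))              # 4242
```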
The analysts listed a number of concerns. Many companies are not yet deploying new approaches, such as security analytics, to detect suspicious events. Security analytics refers to gathering and linking diverse kinds of security event data and using advanced techniques like machine learning or neural network models. The growth of cloud computing has also put sensitive enterprise data outside the more secure data centre. Sometimes workers inside companies are not properly monitoring their security software or setting up sufficiently protective cybersecurity policies.
“Companies are worse off by 100% [with cybersecurity] compared to 10 years ago because the world is more complicated now,” said Gartner analyst Avivah Litan.
“We are safer in a way, but criminals — the advanced ones — can still get through. Companies have definitely raised the cybersecurity bar, but criminals can keep going higher than the bar. It’s a cat and mouse game, and when you put in a trap, they find a new technique.”
Despite billions of dollars spent on signature-based antivirus software, for instance, today’s smart criminals can beat it, Litan added.
Hackers have huge financial incentives to resell employee personal information or corporate secrets.
“Basically, all that sensitive data that was seized is out there to resell and use to target companies,” Litan said. “Thieves set up money laundering accounts to funnel the billions that are stolen every year, and it is now much easier to get money and intellectual property out of the system.”
Always playing catch up
Litan’s view is based on 12 years as a security analyst, and other analysts tend to agree with her. One of the more hopeful ones, Robert Westervelt of market research firm IDC, said he sees a bright future for enterprise security, even though the road is fraught with difficulties.
“I don’t think enterprises have gotten worse at cybersecurity, but they are dealing with complexities that they didn’t have to deal with 10 years ago,” Westervelt said. “It’s two steps forward, and then external factors make you take a step back. It’s a never-ending story. We’re always playing catch up.”
One of the more critical voices is analyst Patrick Moorhead of Moor Insights & Strategy. “The private sector isn’t doing nearly as much as they should and could be doing with security,” he said. “The tools are available for identity protection and file protection, but the reality is that they aren’t using them. It used to be that software wasn’t available, but that is no longer the case and, really, enterprises are just putting up excuses at this point.”
Jack Gold, an analyst at J Gold Associates, said security in the enterprise is always evolving. “As security covers up one flaw, another is found and exploited by the bad guys,” he said. “There really is no way to assure 100% security as we’ve seen numerous times.”
Human error factor
Human error is the biggest risk factor, as in the case of ransomware.
“Somebody clicks on a file he or she shouldn’t have and it infects the system from the inside,” Gold said. “Companies spend massive amounts on securing against outside threats, but a simple email message containing a hack can bypass all of that.”