Investing Heavily in Cybersecurity Does Not Always Pay Off: Survey

Ricci Dipshan , Legaltech News

Legal professionals have been hearing the same battle cries for some time now: protect yourself, and cyberattacks are more advanced than ever, and reaching record levels. But how does one go about this? Surely, one with a heavily invested cybersecurity infrastructure is insulated from the worst criminals on the deep web, right?

It is a simple proposition, but one that belies the nature of cyberthreats. For nothing in cyberattacks is direct or easy — and for many U.S. business, according to Tech Sentry’s and IDG Connect’s “Strong Security Needs Flexible Software Tools” survey of 211 U.S.-based IT staff, spending big on cybersecurity does not always equate to protection.

The survey found that the vast majority of U.S. companies (88 percent) spend at least $100,000 per year on cybersecurity, with almost half (48 percent) spending more than $500,000 per year. Only 12 percent spent less than $100,000, while 9 percent spent more than $5 million.

The report also cited a Gartner study that showed annual IT security budgets have seen consistent double-digit growth over the last decade with no change expected in the near future. Gartner pegged IT security sending at $77 billion in 2015, and predicted it would hit $101 billion by 2018.

Despite the rising amounts of security investments, however, almost half (46 percent) of respondents admitted their company previously experienced some form of cyberattack. Of the companies attacked, 26 percent were infected with Trojans or viruses, such as botnets or ransomware that severely impacted their business, while 48 percent experienced a similar attack, but were mildly impacted. Only 26 percent said their attack had no impact whatsoever, in part due to the effectiveness of their cybersecurity infrastructure.

So why aren’t cybersecurity investments producing better dividends?

Dodi Glenn, vice president of cybersecurity at PC Pitstop, told Legaltech News that this is in part because the high spend is directed at cybersecurity products offering false hopes instead of at the right platforms.

“Put simply, marketing dollars are being spent in massive amounts, claiming to prevent 100 percent of the attacks in the wild,” she said. “However, this is clearly not the case, as evident by the ransomware attacks slipping through multiple layers of defense. Spending more money on cybersecurity defenses does not directly correlate with ‘better protection.’ Spending the money for the correct products for your environment, however, will provide better protection.”

In a statement announcing the survey, Rob Cheng, CEO at PC Pitstop, also suggested that traditional cybersecurity approach needs to change. “The security problem is getting consistently worse, the consequences are getting consistently larger, and the frequency is growing. It’s time to consider a new architecture—the existing model isn’t working.”

He advised the use of whitelisting technology in cybersecurity defenses, which unlike blacklisting, maintains lists of approved email addresses, applications, websites, etc. that can run on company and client devices. The survey found that 91 percent of respondents would be willing to consider deploying a whitelisting technology, despite the risk of it erroneously blocking good files and programs.

Other cybersecurity and IT experts, however, see the shortcomings of modern cybersecurity defenses as a deficiency in a strategy that focuses on endpoint protection and not network and data behavior.

CounterTack CTO Mike Davis previously told Legaltech News how the “detect and respond” approach, which focuses on “the behaviors of process, memory, and files within the endpoint itself and not the communications,” and “differs from a traditional firewall in that firewalls focus on network traffic, the communications between endpoints and servers,” is gaining traction among IT professionals.

The 2016 State of the Endpoint Report, a survey of 694 U.S. IT professionals released by Countertrak and the Ponemon Institute, found that 95 percent of respondents expected their organization to move towards such an approach in the near future. The report also found that 60 percent of companies focus more on data protection than endpoint security, up from 55 percent in 2015.

Low-Impact CyberThreats? Think Again

Despite heavy investments in cybersecurity, some companies may be missing cyberthreats altogether, such as “the low-impact, commonly distributed threats” Glenn said. “What everyone needs to remember is that any of these pieces of malware could easily establish a foothold within a company. All it takes is for one hacker to gain access and turn it over to someone who would be more interested in the treasure chest of data. It isn’t uncommon for someone to hack into an organization, then sell the pilfered data on the underground market.”

Indeed, the survey found that 59 percent of respondents reported that adware is having a mild impact on their business, while only two percent of IT managers believe they have any serious consequences. Yet according to a white paper by Cybereason Lab Research, low-level threats are evolving into more malicious and dangerous intrusions.

Most companies, however, are hoping to avoid such infiltration by using an array of security solutions, The survey found eighty percent of respondents, for example, deploy two or solutions, while 62 percent saying they deploy at least three.

The most widely used security platform (82 percent) was a network appliance product, such as a firewall or VPN, while 56 percent also use email security hardware that performs filtering and encryption. Over half (55 percent) deploy specific protection against distributed denial of service (DDoS) attacks, and 47 percent use content filtering. Forty-two percent deploy a patch management platform.

Original