Just a Quarter of Businesses Are Focussed on Preventing Cyber Breaches



Startling new statistics have emerged from a report stating that just under a quarter of organisations are focussed on preventing cyberattacks, in spite of warnings from security practitioners that this is the best means of protection; the majority of spending goes, instead, into the clean-up after an incident rather than its prevention.


The report comes from a joint effort of the Ponemon Institute and Deep Instinct, titled “The Economic Value of Prevention in the Cybersecurity Lifecycle.” To test their hypothesis, Deep Instinct and the Ponemon Institute surveyed 634 IT security practitioners from a range of industries and from both small and large-scale organisations.


The results show that 79% of security budgets were being directed at the detection, containment, recovery and remediation of a cyber breach, rather than preventing that breach in the first place.


Despite 80% of those IT practitioners stating that prevention is the most important achievement in the cybersecurity policy of an organisation, just 21% of the time and resources of the companies polled were invested in prevention rather than the subsequent ‘clean up’ job.


Another key finding of the report is that organisations believe they are highly effective at containing a cyber attack, with the report’s authors stating that “Fifty-five percent of respondents say their organisations are very or highly effective at containing attacks in the cybersecurity life cycle.”


The report also states that organisations are investing in cyber security technologies that don’t actually strengthen their security, and that these investments are based on the “wrong metrics.” In the words of the report: “Fifty percent of respondents say their organisations are wasting limited budgets on investments that don’t improve their cybersecurity posture. The primary reasons for the failure are system complexity, personnel and vendor support issues.”


Another interesting takeaway from the report is that IT security budgets are considered inadequate. According to the report, “only 40 percent of respondents say their budgets are sufficient to achieve strong cybersecurity posture. The average total IT budget is $94.3 million and of this, 14 percent or approximately $13 million is allocated to IT security.”


According to Michael Hill, Editor of Infosecurity Magazine, “the study determined that effective adoption of a preventative solution, when compared to the current spending of security departments and the cost of attacks, would result in significant cost reductions and require lower overall investment.”


The authors state that “the key takeaway from this research is that when attacks are prevented from entering and causing any damage, organisations can save resources, costs, damages, time and reputation.” The reality of the takeaway, however, is that just under a quarter of organisations were focused on this as a core part of their strategy, while a staggeringly large number of companies remain sitting ducks.


Dr Larry Ponemon, founder and chairman of the Ponemon Institute said that “this study shows that the majority of companies are more effective at containing cyber-attacks after they happen because it is perceived to be more accountable. This explains why cybersecurity budgets focus on containing attacks rather than preventing them, as well as the increased rate of breaches despite investments in cybersecurity solutions.”


“Prevention of cyber-attacks is perceived to be too difficult but as companies continue to suffer revenue losses due to cyber-breaches, we expect budgets to start allocating increased resources to preventative solutions.”


CEO and co-founder of Deep Instinct, Guy Caspi, said that a number of companies, if not the majority of them, are operating under a policy of ‘assumed breach’, which assumes that it is more pragmatic to contain a cyberattack after the initial point of penetration rather than invest time and resources into prevention altogether.


“This is no longer an economically viable long-term strategy,” Caspi said, adding that “the value of prevention is clear: for any type of attack, prevention saves significant time and money.”

© 2019 by Best Practice
