In the midst of the digital revolution currently underway, bad guys are trying to take advantage and exploit individuals and businesses alike. No one is immune to cybercrime. In a recent study, out of 1,100 Chief Information Security Officers (CISOs) polled, 68% have experienced a breach, with 26% of those experiencing a breach during the last 12 months – both numbers climbed compared to the previous year. Despite all efforts, almost one third (30%) still considered their organizations ‘very vulnerable’ or ‘extremely vulnerable’ to a data breach, and the number of such incidents keeps soaring. In this cat-and-mouse game, organizations are simultaneously enhancing their arsenal to keep up with rising threats. 73% of organizations increased their IT security spending in 2017 – up from 58% in 2016.
The prime driver for boosting investments: compliance
The motivations for raising security spending vary, but the key driver remains unchanged: compliance. Almost half (44%) of the participants cited compliance regulations as their top spending priority, followed by best practices (38%) and protecting reputation/brand (36%). 59% also believe compliance is ‘very effective’ or ‘extremely effective’ at preventing data breaches.
As much as these compliance requirements help map out a cyber-security landscape, they are by no means the sole consideration when creating a defense strategy robust enough to combat today’s sophisticated attackers.
External and internal cyber actors the top threat
Across all vertical industries polled, cyber-crime was listed as the top threat (44%), followed by hacktivism (17%), cyber-terrorism (15%) and nation-states (12%). As far as internal threats go, 58% of the participants believe privileged users are the most dangerous insiders (which is slightly lower than last year’s 63%). Cited by 44%, executive management is seen as the second riskiest insider group. This was followed by ordinary employees (36%) and contractors (33%).
Digitization requires rethinking the threat landscape
Organizations drive their digital agenda at a fast pace and encourage new ways of working, but many fail to adjust their defense strategies accordingly. What might have worked in the past is not necessarily most effective in an evolving threat landscape going forward. A recent study by BMC and Forbes revealed that as many as 69% of senior executives believe digital transformation is forcing fundamental changes to security strategies. Another 68% plan to enhance incident response capabilities in the next 12 months. With the average data breach costing US$4 million, it’s perhaps not really surprising that 82% of executives across Europe and North America will again raise their security investments in 2017.
The average organization encounters between 11-20 incidents per day
The frequency of incidents is far greater than most people assume. Another report concluded that the average mid-sized organization (1,000–3,000 employees) encounters 11–20 incidents on a single day. Larger organizations (3,001–5,000 employees) are slightly busier, with the median at 21–30 incidents per day. The largest organizations (more than 5,000 employees) are busiest, with the median at 31–50 incidents daily.
The number of senior executives concerned about their organization’s vulnerability is surprisingly high – if not alarming. Investments have been increasing for years, and yet, many organizations still seem to be fairly unprepared. Compliance remains the driving force that motivates increased security spending for most organizations. At the same time, incidents occur a lot more often than most people can imagine. In an ever-changing digital world, organizations must rethink their security strategy and constantly enhance their arsenals as they have to cope with new kinds of threats, increased frequency and more sophisticated cyber-attacks.