By Dennis Hurst
Almost across the board, research indicates that cyberthreats are still escalating—and the U.S. is the number one country targeted in cyberattacks[1]. Recent breaches that occurred through unexpected means, such as the theft of hoteliers’ customer loyalty-program records, underscore the seriousness of the threat — and the sophistication and wiliness of attackers.
From an economic perspective, the disparity between the value of data and the budgets of organizations is extraordinary. As of 2019, cybercrime was a $1.5 trillion “industry,” globally[2], which makes it about the same size as the global construction industry and approximately 50% larger than the global mining industry[3] (a top target of cybercriminals; nearly 39% of mining industry personnel receive malicious emails[4]).
On the “defense” side, the news is dismal. The time to detect breaches has hovered around 200 days for several years, and there is no indication that number will drop. Furthermore, the cost of breaches remains discouragingly high and is increasing. By 2021, cybercrime damages are anticipated to cost businesses and organizations $6 trillion annually, up from $3 trillion in 2015[5].
Economic Realities; Practical Constraints
With statistics like these, one must wonder why organizational leaders aren’t throwing buckets of money at cybersecurity and hiring entire teams of security specialists. Sadly, many want to do so but find it impossible. Although budgets aren’t being increased in proportion to the threat — organizations are predicted to increase cybersecurity budgets by just nine percent in 2019[6] — money isn’t the only challenge for firms seeking to increase security manpower.
Business leaders may think their company size and existing security protocols will insulate them from an attack, yet nothing could be further from the truth. Attacks are nearly split between small to midsized enterprises (SMEs; 1-250 employees) and large ones (250+ employees), with large enterprises being targeted a bit more often (57% of attacks versus 43% for SMEs[7]).
Furthermore, their vulnerability, deep pockets and concern for public image are making organizations an increasingly attractive target. For example, ransomware attacks, which have been notoriously aggressive in the consumer realm, have now shifted to enterprises. In Q1 2019 alone, ransomware attacks on businesses rose a staggering 195 percent over Q4 2018[8]. Compounding the problem, corporate approaches and activities make them easier marks than individuals:
- More than 70 million records have been stolen from firms with poorly configured Amazon Web Services (AWS) Simple Storage Service (S3) buckets[9] (AWS is the most popular public cloud platform among businesses[10]).
- Attacks on supply chains ballooned by 78 percent in 2018[11].
- The Internet of Things (IoT) has become a key entry point for targeted attacks; most IoT devices are vulnerable[12].
A Shrinking Pool of Support — and a Better Answer
In addition to all the bad news circulating currently, a major cybersecurity crisis is looming on the horizon. The State of Cybersecurity 2019 Survey by the Information Systems Audit and Control Association (ISACA), a poll of 1,500 cybersecurity professionals with advanced certifications, found that:
- 70 percent of respondents believe their cybersecurity teams are understaffed.
- 58 percent have existing, unfilled cybersecurity positions.
- 32 percent indicate their cybersecurity openings remain unfilled for six months or more.
Fortunately, security-focused organizations and entities are stepping in to help bridge this gap. Some, like the ISACA, offer certification programs designed to help companies elevate the know-how of their existing security staff. Others, including Saltworks, offer company-level guidance and program development, equipping organizations to “grow” other staff into cybersecurity positions — and to build a culture of cybersecurity that allows firms to thrive with more security automation and fewer cybersecurity experts.
With breaches up 67 percent in the last five years, and the average cost of cybercrime, per organization, estimated at $13 million per year[12], companies can no longer hope for the best. To these issues, add the growing shortage of qualified staff — and the fact that cybercrime tools and kits are available on the Dark Web for as little as one dollar[13] — and it’s evident that firms must seek creative solutions. Inadequate action is tantamount to corporate suicide.
[1] Norton Security.
[2] Dr. Michael McGuire, Senior Lecturer in Criminology at the University of Surrey, UK.
[3] BEA; global figures among developed countries that report.
[5], [13] Cybersecurity Ventures magazine.
[6] Juniper Research.
[10] Cloud Security Alliance.