How to balance your cybersecurity budget
AT&T report shows how businesses are allocating security investments
It’s the middle of the intense fourth-quarter budgeting season, and CIOs are confronting the same cybersecurity questions that vex them every year: how do you fight an enemy that constantly changes its tactics?
Recent trends indicate that doubling down on training, threat-detection analytics, response and perimeter defenses is the wisest course. Organizations are also investing in cybersecurity insurance, although perhaps without making the requisite accompanying investments in prevention and response.
Personnel costs will continue to spiral as nearly half of organizations confront “a problematic shortage of cybersecurity skills,” according to Enterprise Strategy Group. Technology – and user training – can mitigate this expense.
AT&T Cybersecurity Insights
The latest AT&T Cybersecurity Insights report found a disconnect between investments and actual risk at many organizations.
One of the biggest is in training. Just 61 percent of organizations – and even fewer in the high-risk financial services industry – require employees to take cybersecurity awareness training. That’s despite the fact that more than half admit to having been hit by attacks that originated with employee mobile devices. Four of the top six most serious perceived threat areas relate largely to human error, including unauthorized access to corporate data, theft of proprietary information, ransomware and compromise of mobile devices.
A new concern at the perimeter is the Internet of Things (IoT), which more than one-third of respondents to the AT&T survey said was a primary breach source within the past year. Any organization that is starting to deploy smart sensors at scale should look into the emerging class of specialized IoT security technology in areas like network defense, authentication and encryption.
Security analytics is another growing area of promise that deserves investment consideration. Four out of five respondents to the AT&T survey said their organizations have been breached within the past year, indicating that detection and response are at least as important as prevention.
Attackers typically lurk undetected for months as they siphon away data. Security analytics addresses this problem by applying machine learning techniques to log data to spot suspicious patterns such as large file transfers or repeated login attempts. Small and midsize businesses should pay particular note, since many lack the staffing and expertise to conduct these analyses manually. A study of small business IT managers by Vipre Security found that nearly half prepare security reports manually, which is an unsustainable approach given growth in the volume of data that needs to be analyzed.
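To make the "suspicious patterns" above concrete, here is an added example (not from the AT&T report or the Vipre study) that runs two simple detections over constructed log lines: a burst of failed logins from one source, and a user whose transfer volume exceeds a threshold. Plain thresholds stand in for the machine-learning models the text mentions; the log format, field names and limits are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report): auth events and file transfers.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01 auth FAIL user=alice src=10.0.0.5",
    "2024-03-01T09:00:04 auth FAIL user=alice src=10.0.0.5",
    "2024-03-01T09:00:07 auth FAIL user=bob src=10.0.0.5",
    "2024-03-01T09:00:09 auth FAIL user=carol src=10.0.0.5",
    "2024-03-01T09:00:12 auth FAIL user=dave src=10.0.0.5",
    "2024-03-01T09:05:00 auth FAIL user=erin src=10.0.0.9",
    "2024-03-01T09:10:00 auth OK user=erin src=10.0.0.9",
    "2024-03-01T10:00:00 xfer user=erin bytes=1200000",
    "2024-03-01T10:05:00 xfer user=frank bytes=900000000",
    "2024-03-01T10:06:00 xfer user=frank bytes=700000000",
]

# Assumed log format: "<iso-timestamp> auth <FAIL|OK> user=<u> src=<ip>" or "<iso-timestamp> xfer user=<u> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:auth (?P<result>FAIL|OK) user=(?P<auser>\S+) src=(?P<src>\S+)"
    r"|xfer user=(?P<xuser>\S+) bytes=(?P<bytes>\d+))$"
)

def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return sources with at least `threshold` failed logins inside any sliding `window`."""
    fails = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAIL":
            fails[m.group("src")].append(datetime.fromisoformat(m.group("ts")))
    flagged = set()
    for src, times in fails.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def large_transfers(lines, threshold_bytes=1_000_000_000):
    """Return users whose total transferred bytes exceed `threshold_bytes`."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("xuser"):
            totals[m.group("xuser")] += int(m.group("bytes"))
    return {user for user, total in totals.items() if total > threshold_bytes}
```

On the sample above, the login check flags 10.0.0.5 (five failures in eleven seconds) and the transfer check flags frank (1.6 GB across two transfers); the thresholds are deliberately low so the logic is visible on ten lines.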
One area that probably deserves less investment than it’s currently getting is cybersecurity insurance. AT&T found that 28 percent of organizations plan to allocate all or most of their cybersecurity budget to insurance next year, and that figure rises to 43 percent at tech companies.
Insurance is a reactive tool that covers some costs only after the damage is done. Depending on the policy, it may not address business-related losses, such as downtime, reputational damage or customer attrition. Insurance companies also want proof that a policyholder has adequately protected itself before paying out settlements. For that reason, insurance should be viewed as a complement to – not a replacement for – good security practices.
The stakes are growing as attackers become more sophisticated and seek higher-value spoils.
“Cyber-incidents are capable of causing an enterprise to collapse,” said Christos K. Dimitriadis, group director of Information Security for INTRALOT, in an interview with CIO.com. That means the annual security budgeting process is now a matter of existential importance.
Learn more about balancing your company's cybersecurity budget in AT&T Cybersecurity Insights, Volume 6: "Mind the Gap: Cybersecurity’s Big Disconnect."