Last year, the private sector spent more than 75 billion dollars on security software. But have systems and data become any safer?
Many analysts say they haven’t, and not because the latest software is worthless. The reason is that the “bad guys” have learned a whole lot over the past few years. Data theft has become increasingly common in the last two years, and one of the most sinister new problems to emerge is ransomware. This type of computer malware installs itself on a victim’s computer and then demands a ransom payment to restore important data the thieves have encrypted or stolen.
According to Gartner and other analyst firms, spending on security software will increase by about seven percent over the next few years (and this doesn’t even include the billions that banks will spend on fraud prevention). Also, many companies are not yet using new technology such as security analytics. What’s more, with the growing popularity of cloud computing, valuable company data is often stored outside the four walls of a secure data center, making it easier than ever before for hackers to make money from employees’ personal data or company secrets.
“We’re always playing catch up”
“I don’t think enterprises have gotten worse at cybersecurity, but they are dealing with complexities that they didn’t have to deal with 10 years ago,” explains analyst Robert Westerveld of IDC in an interview with the U.S. magazine “Computerworld”. “It’s two steps forward, and then external factors make you take a step back. It’s a never-ending story. We’re always playing catch up.”
Patrick Moorhead of Moor Insights & Strategy sees things through a more critical lens. “The private sector isn’t doing nearly as much as they should and could be doing with security,” says Moorhead. According to the expert, there are tools out there that protect identities and files, but unfortunately no one uses them. Companies just make excuses for their negligence instead.
The biggest risk, even in the case of ransomware, continues to be human error, says Jack Gold of J. Gold Associates (author’s note: these one-man analyst firms always have such funny names). “Companies spend massive amounts on securing against outside threats, but a simple email message containing a hack can bypass all of that.” Another problem, according to Gold, is that companies are lagging behind in providing security patches by a good six months. “That’s like leaving the front door unlocked when you know burglars are in the neighborhood.”
Too many unreported cases
The private sector’s security dilemma has become even more complex because companies don’t want to reveal publicly that they’ve been hacked for fear of losing customers and investors. Experts estimate that the number of unreported cyber-attack cases is much higher than the number of attacks publicly acknowledged. And when customers, often financial service and telecommunication providers, use new security systems that successfully prevent attacks, they don’t want to admit it for fear of attracting new hackers.
In a recent, anonymous survey conducted by the Ponemon Institute of 3,000+ IT employees and end users in companies across the USA and Europe, 76 percent of those surveyed indicated that they had been a victim of data loss or theft in the last two years—a significant increase from the 67 percent reported in a similar survey two years previously. Of the 1,371 end users surveyed, 62 percent said they have access to company data that they probably should not see.
The IT employees surveyed viewed user accounts as being more than twice as likely to be compromised by insider negligence than by other factors such as third-party attacks or revenge tactics carried out by disgruntled employees or contractors. Furthermore, Ponemon explains that the situation is becoming even more critical because employees and third parties have access to much more data than is necessary. Moreover, companies are not exercising sufficient vigilance in monitoring activities related to email and file systems—where most of the sensitive data is located.
The level of security in place also depends on the industry. Healthcare, and hospitals in particular, has an especially bad reputation. IDC recently published a report showing that hospitals, universities, and energy suppliers score badly when it comes to their ability to protect data and execute a data protection plan.
“It’s a question of priorities”
Analysts conclude that the private sector will have to continuously change and develop in order to keep up with cybersecurity. “For companies, it’s a matter of paying attention,” explains Gartner analyst Avivah Litan. “Companies don’t spend enough time and money on the problem. They don’t think they need to. It’s a matter of priorities.” Attacks are getting worse all the time despite better security software, she adds. “Basic technology must be put in place. We all really live in a bad neighborhood and we all need locks on the doors.”