Security budgets are increasing, but so are the number and cost of data breaches.
You’ve likely heard this line before. The concept is simple, but the outcome is puzzling and problematic. Organizations have started to understand the cybersecurity challenge, and investments in technology and solutions to combat attackers continue to grow. However, many still experience major service disruptions and data breaches on a continuous basis.
In fact, while Gartner analysts predict that internal cybersecurity budgets will grow by 11.3% in 2023—reaching more than US$188.3 billion—studies from IBM show some alarming statistics:
- The global average cost of a data breach is close to US$4.35 million, 2.6% higher than 2021 and 12.7% higher than 2020.
- The average cost of a data breach in Canada was US$5.64 million.
- 83% of the organizations studied have had more than one data breach.
Strengthening your defences and fortifying your systems is the first step to keeping your business resilient. Defence teams need to be aware of and prepared for infiltrations 100% of the time, while attackers only need to exploit one vulnerability to cause a cyber incident. Some attempts will progress past your first lines of defence, but a strong cybersecurity program can detect and mitigate incidents quickly, before significant damage is done to your organization.
Barriers to a strong cyber defence
So why is the volume of security breaches increasing despite the additional investment in cybersecurity?
There’s no single answer to the question. Although the multi-billion-dollar, year-over-year investment increase has positively impacted the security posture of many organizations, cyber attackers are regularly updating their tactics to avoid detection. Our team has explored this phenomenon more closely with industry peers, partners, and clients and identified four key issues.
Every year more organizations become subject to new or updated regulations. As a result, regulatory compliance has become a major driver of security investment. However, mandatory compliance can be a double-edged sword. We expect the mandated controls to improve the overall security posture of an organization. But is this just a checkbox exercise or are programs truly formalized and effectively managed?
In a recent example, a manufacturing organization wanted to run a code scan against a custom-built application on an annual basis to meet a compliance requirement. While the investment in application testing is a move in the right direction, integrating and automating testing in the DevOps pipeline would both satisfy the requirement and create a much more effective approach. However, like many businesses, the company’s leadership only approved enough budget to meet the minimum compliance obligations, believing that if they are compliant, they are secure.
This is a common theme. Organizations are motivated to meet regulatory compliance requirements, but these requirements are meant to be the minimum security standard for a foundational cybersecurity capability.
A comprehensive, multi-layered approach is critical, and organizations must question whether the minimum standard is acceptable. Attackers are becoming more advanced and innovative, and with compliance requirements and updates lagging, criminals are finding new ways to exploit systems.
Gartner analysts state that the cybersecurity market was worth $173 billion globally in 2020 and will grow to almost $270 billion by 2026. Significant capital is being invested in cybersecurity technology and services, allowing customers to have their pick of security solutions. With that choice comes the process of determining which product is the right fit for your organization based on your unique threat profile and cybersecurity strategy. But rather than making things easier, this multitude of choices can actually make your organization’s situation more overwhelming and complex.
A BDO client was recently inundated on a daily basis with cold calls, LinkedIn messages, marketing emails, and meeting requests from a plethora of security vendors. He said: “I have a small security team running lean; we don’t have the luxury of being experts in every field. We just don’t know how one solution stacks up against another, other than to make a decision based on the vendor who has the best marketing material.”
Unfortunately, this client had the misfortune of being the target of a major distributed denial of service attack which crippled their ecommerce and B2B sales capability. When asked why he chose that specific product he said: “Their sales team was nice, and they did a great job of building a relationship with my team and our executives. I think their solution is great, but I think we may have bought into the marketing a bit too much and lost sight of our objective and whether the solution truly fit our profile.”
With an ever-growing and profitable cybersecurity marketplace, wading through the sea of vendors, tools, solutions, and products is an immense task. It makes choosing the right solution to solve your organization’s specific security problems more challenging.
While 2023 has seen vacancies and layoffs in the tech industry, the demand for cybersecurity talent continues to be greater than the available supply. Organizations are still struggling to employ and retain qualified and capable cybersecurity professionals.
A BDO client in the retail space explained their cyber hiring struggle: “We’ve been trying to hire a competent cybersecurity leader for some time now but have been coming up short. The impact of not having someone to lead the charge is highlighting our lack of direction and the ability to make the right choices and investments. We have money to spend and don’t know how to spend it the right way.”
Without adequate and knowledgeable oversight, organizations that do not dedicate resources to cybersecurity are at higher risk of having business operations disrupted by a cyber-related issue or by misconfigured security controls.
Many organizations may be unsure about steps they need to take to increase their security posture. Between the overlap and contradictory priorities set by various industry frameworks, compliance sets, trend updates, and marketing, they feel like they’re playing a game of cybersecurity ‘whack-a-mole.’ Many try to invest their budget into every capability without knowing how the pieces fit or if they’re getting value from the spend to mitigate risk based on their specific threat profile.
Organizations often focus on threat detection rather than threat prevention when deciding where to allocate their budget. This constantly puts over-extended security teams in response mode and leaves them with little clarity about their current security exposures.
A software service provider shared their experience with budget allocation towards their cybersecurity strategy. The organization had purchased a major anti-malware solution on a C$1.2 million per year subscription. A few months later, their flagship web application fell victim to a software supply chain attack.
They explained: “Because we spent so much of our budget on the anti-malware solution, a decision was made to move our code testing initiative to the following fiscal year and only run one penetration test this year to save budget. I had a hard time explaining to my CEO how the anti-malware solution doesn’t help us against these types of attacks. He told me that he was under the impression that with this solution, all our cybersecurity problems were solved.”
Neglecting security testing and vulnerability identification is alarmingly common. Detecting cyber attacks is good; removing the vulnerability that enabled the attack is better. Application security testing, penetration testing, red teaming, and vulnerability management are all important programs that are rarely used to their full potential. Although budgets are increasing, responsible spending is still critical. It is imperative to implement a sound financial plan that enables your cybersecurity program to shore up defences where potential exposures exist.
Strategies to elevate your cybersecurity posture
There is no single ‘silver bullet’ solution when it comes to cybersecurity. A holistic, pragmatic approach is required.
Organizations need a better understanding of their threat or cyber risk profile, as well as their capabilities across people, processes, and technology, to uncover gaps and opportunities for efficiencies.
While this can be easier said than done, there are several initiatives your business can undertake to help level the playing field.
Threat modelling is the process of understanding, prioritizing, and addressing risks. As humans, we perform some level of threat modelling every day when we leave our homes, drive our cars, or walk our dogs. We evaluate threats and employ controls to mitigate these risks, such as locking our doors to reduce the risk of a break-in, driving slower to reduce the risk of a car accident, and dressing appropriately for the weather conditions.
Like humans, each organization is unique. Your business has specific goals, requirements, processes, and technologies. Assessing your risk profile based on a generic framework alone will not accurately illustrate the reality of your cybersecurity posture.
Our BDO team looks to understand your exposures and potential attack paths, allowing us to develop the custom control sets and strategies required to adequately lower risk and mitigate threats. This tailored strategy allows for a practical and cost-effective security posture, providing you exactly what you need to defend your organization.
You’ve purchased security tools, implemented processes, and built an application that your developers say is secure. But how do you confirm your security investments are working as expected?
Security testing allows you to identify strengths and potential gaps from the attacker's perspective. Performing red teaming with BDO’s Offensive Security group allows you to observe the flattened, ‘sum-of-all-controls’ security posture. These real-world scenarios can clarify questions such as:
- When an attacker targets your organization, which controls are effective?
- What is the notification process of a breach? What alerts are generated, who is notified, and how are the alerts actioned?
- Are there controls that thwart attempts to modify or exfiltrate critical data?
- Which systems were patched efficiently and which systems lack the ability to defend themselves?
Testing custom-built applications and networks is incredibly important. These systems are unique and tailored to your environment, which means there isn’t a pre-built strategy with the security fixes and controls needed to protect your configuration. BDO’s DevSecOps program delivers a custom testing suite integrated and automated into your development pipeline, offering some key advantages, such as:
- Allowing your development teams to deliver secure software at the speed of the business and deliver it with confidence through testing automation.
- Increased collaboration and communication between development, operations, and security teams.
- Ensuring that security is built into software from the outset by helping to identify and address security issues earlier in the software development life cycle.
Security tools and control sets come in an infinite number of sizes and capabilities. Once upon a time, there was the concept of buying ‘best-of-breed’ but we now live in the generation of ‘best fit.’ To maintain productivity and mitigate the cyber talent crisis, your technology control stack needs to be easy to use and operate and allow your cyber operators to prioritize their time with important decisions rather than menial tasks. Therefore, the ‘best-fit’ for your organization is likely one that is unified and efficient.
What does this actually look like? Consider a scenario in which a company implements the following “best-of-breed” solutions:
- An anti-malware solution from a single vendor, with its own management console, logging console, management server and agents.
- A data loss prevention solution from a second vendor that uses all the same components required for it to run effectively.
- A security information and event management (SIEM) logging and monitoring solution, newly implemented by a third vendor, in an attempt to unify all this data into a ‘single pane of glass.’
While these solutions stand out individually, they may not work together in harmony, requiring operational overhead and additional licensing costs—ultimately becoming difficult to manage while your team continues to be stretched thin.
How can a best-fit solution better suit your organization?
Finding a unified, consolidated solution that combines independent systems into a single offering with a modular cyber control capability will reduce overhead. While best-of-breed solutions hold inherent value, they may not have the capabilities to positively coincide with other cyber controls.
BDO’s security solutions offer multiple cyber capabilities in a single offering. This removes the unnecessary management of multiple point solutions, reduces the training and staffing burden, lowers cost, and avoids investing budget in incomplete cybersecurity strategies.
Why investments in cybersecurity matter
The cost of data breaches is rising faster than the investments being made by organizations to improve their security posture. Based on this trajectory, if organizations continue with their current strategy of making investments and decisions based on the latest trending technology point solution or regulatory compliance requirements, they will always be one step behind.
Attackers are more sophisticated, and adversarial nation states as well as organized crime syndicates are seeing the value in building out hacker groups. Added to this, the continued cyber talent shortage means it will be some time before we’re able to get ahead of security breaches. Until then, it is imperative for organizations to have a strong foundation of pragmatic cyber capabilities and strategy that allows them to mitigate threats and reduce risk while keeping their business competitive.
How BDO can help
BDO has extensive knowledge and experience in building, implementing, and executing custom security capabilities in all verticals. Our holistic and tailored approach to solving your unique and specific security challenges can help your organization build a robust security posture without sacrificing efficiency or competitive advantage.
Sources:
Gartner Identifies Three Factors Influencing Growth in Security Spending, Gartner, October 13, 2022: https://www.gartner.com/en/newsroom/press-releases/2022-10-13-gartner-identifies-three-factors-influencing-growth-i
Cost of a Data Breach 2022, IBM: https://www.ibm.com/reports/data-breach
Forecast: Information Security and Risk Management, Worldwide, 2020-2026, 3Q22 Update, Gartner: https://www.gartner.com/en/documents/4016190