Month: April 2022

The damage cyberattacks cause organizations is on the rise, costing them millions. Although cybersecurity spending is projected to increase dramatically, CISOs must structure their cybersecurity budgets based on their organization’s needs, vulnerabilities, and swiftly evolving trends such as the shift towards remote/hybrid work and a growing reliance on cloud services. Read on to discover the key current factors driving cybersecurity budget prioritizations. 

 

The rising cost of cybersecurity breaches 

 

 A report by the Identity Theft Research Centre noted that data breaches in 2021 exceeded that in 2020 with an estimated 281.5 million people affected. The cost of this is monumental, especially for businesses. The average cost of cybercrime amounts to $1.79 million per minute for businesses, highlighting the impact that cybersecurity has on an organization’s operations.  

It is no surprise then that cybersecurity budgets are on the rise each year in line with this evolution. Approximately 44% of IT professionals cited improving cybersecurity as a justification for increased IT investments according to the ESG research report on its Technology Spending Intentions Survey in 2022. 

   

In fact, cybersecurity spending is growing at a faster rate than overall IT spending, with 44% of security leaders expecting their budgets to increase in the next 12 months according to CSO’s 2021 Security Priorities Studies. This is in line with the findings reported in PwC’s 2022 Global Digital Trust Insights report stating that 69% of organizations predict a rise in their cyber spending for the year.  

Additionally, tech research firm Gartner projected that spending on information security and risk management will top $172 billion in 2022, a $17 billion increase from 2021 and $35 billion more than in 2020.  

In 2021, Microsoft announced a $20 billion cybersecurity budget over the next five years while Google CEO Sundar Pichai announced that the company is investing $10 billion in that same period. 

 

Cybersecurity spending priorities 

 

Though the projections for cybersecurity spending increase each year, it is still limited. As CISOs grapple with increased risk, they are also searching for ways to spend their funds most efficiently.  

One way to do that is to understand the threat landscape and needs of the organization. In the last three years, Gartner predicted the top five areas to show security spending growth are application security, cloud security, data security, identity access management, and infrastructure protection.  

Current developments will also affect budget priorities. In the two days following the start of the Russia-Ukraine war, suspected Russian-sourced cyberattacks were observed by US-based cybersecurity agencies, an increase of over 800%.  

In March, the hacker group Anonymous warned that it would attack major corporations that have not pulled out of Russia since the war began. It was later reported that the group had hacked Nestle and leaked over 10GB of important data including client information, emails, and passwords. Other organizations that were targeted include Burger King, Subway, and cloud computing firm Citrix. 

The US Department of Homeland Security, FBI, and others have issued warnings for organizations to be prepared for further threats. 

 

Cloud Security is a key focus 

 

The global pivot to remote work catalyzed by the COVID-19 pandemic has redefined many organizational structures and led to a growing reliance on cloud services and digital tools, leaving them vulnerable to different types of cyberattacks.  

An IDC survey by Ermetic found that 79% of companies experienced at least one cloud data breach in the last 18 months. This is alarming given that 92% of an organization’s IT environment is cloud-based, making cloud security a key concern for CISOs and other C-level professionals.  

Unsurprisingly, CISOs are prioritizing cloud security, which would drive budget priorities. According to ESG, 62% of the IT personnel surveyed said they are planning to increase spending on cloud application security while 56% said they are investing in cloud infrastructure security.  

   

We have also found, as shown in our latest Cybersecurity Investments trend report, that 60% of CISOs and their C-level counterparts are focusing on cloud security, specifically third-party management and resilience or Zero-Trust Architecture. Many of the organizations interviewed also noted that they are looking to expand their cloud solutions and adopt a hybrid cloud, thus enabling them to secure their processing data on-site.  

 

Employee Awareness can reduce security risks 

 

Another area of focus for CISOs is employee awareness, with 58% of organizations citing it as a key focus of their cybersecurity strategies. A Ponemon Institute study showed that 68% of organizations have experienced at least one endpoint attack, compromising their IT infrastructure and data.  

Similarly, IBM found that a staggering 95% of cybersecurity breaches were caused by human error.  

As Mika Susi, former Executive Director of the Finnish Information Security Cluster said: “Many times, humans are said to be the weak link in cybersecurity. Recently, we have also seen many attacks using an organization´s supply chain and partners as weak spots to get access to their network.” 

Eliminating that factor would mean that 19 out of 20 cybersecurity breaches may not have occurred at all. Though it would be impossible to solve human error completely, it is crucial to implement strong policies and training programs to equip employees with the right knowledge and tools to avoid potential cyber threats, which would decrease security-related risks by as much as 70%.  

One of the challenges with improving employee awareness is that there hasn’t been enough of a focus on building a culture within organizations to identify risks.  

“As I see it, organizations often put too much emphasis on having a formal three-part structure of control and reassurance, and far too little emphasis on building an actual culture that identifies and steers risk as part of its DNA. Of course, building a strong culture of security and implicitly, a risk culture – means including all employees, from the CEO to the bottom-rung shift worker, from the service partner to the short-term consultant. Including all the human risks and employees is key to making an actual risk-based culture,” says Magnus Solberg, VP & Head of Security Governance at Storebrand. 

Implementing a bottom-up approach to training employees to think in and act in a risk-based manner is one way to mitigate the human factor, says Mr. Solberg. He also suggests arming employees with tools to perform more structured and documented assessments, both mental tools as well as stronger policies, guidelines, and software.

 

Cybersecurity resilience and readiness 

 

At the same time, cybersecurity leaders are actively searching for new strategies to quickly detect and respond to cyber breaches.  

In 2021, there was a major surge in cyberattacks compared to previous years. According to SonicWall’s Cyber Threat Report, there was a 105% increase in ransomware attacks that year from the previous year. Narrowing down, government institutions saw a 1,885% increase and the healthcare industry saw a 755% increase in such attacks. According to Sophos’ State of Ransomware 2021 report, retail, education, and business & services sectors were hit with the most ransomware attacks.  

 

 

In July 2021, Swedish supermarket chain Coop was forced to shut down over 400 stores due to a major ransomware attack on its point-of-sale systems. This was part of the same ransomware attack which affected over 200 businesses, mainly in the US. More recently, several oil storage and transport companies across Europe were hit with ransomware attacks. Specifically, Oiltanking in Germany, SEA-Invest in Belgium, and Evos in the Netherlands were all forced to operate at limited capacity due to the attack. 

Sophos’ report also revealed that, on average, it costs an organization a total of S$1.85 million to recover from a ransomware attack, up 143% from the previous year. The findings also showed that only 8% of organizations that fell victim to a ransomware attack were able to recover all their data after paying a ransom. Approximately 29% only managed to recover no more than half their data.  

Beyond that, a recent survey found that 66% of respondents suffered a significant loss of revenue following a ransomware attack while 53% reported that their brand images were negatively affected. Alarmingly, 29% said ransomware attacks led to employee layoffs.  

The cost of a ransomware attack or recovering from other forms of cyberattacks could set organizations back a major chunk of their budgets if they are not prepared in advance. In fact, the increased cost of ransomware attacks has also driven up premiums on cyber insurance policies, adding to the need for organizations to be financially prepared.  

CISOs are constantly looking for ways to strengthen their organization’s ability to resist and recover from a multitude of threats, which in turn informs their cybersecurity investment priorities. What other factors should organizations consider when setting their cybersecurity budgets?