The Best Offense is a Good Defense: Investing Your Security Budget for Maximum Protection
By BUFFERZONE Team, 11/08/2015
Businesses around the world – from small start-ups to large enterprises – are racing to stay one step ahead of the bad guys. At least, they’re trying to. Cybersecurity spending is surging across the board in every industry (including government), and the worldwide cybersecurity market is expected to hit $75.4 billion this year, $101 billion by 2018, and $170 billion by 2020.
However, despite the increased spending, confirmed data breaches are on the way up, not the way down. According to PwC’s 2015 Global State of Information Security Survey, the number of detected incidents skyrocketed 48% in 2014 compared to 2013, and the total financial losses attributed to detected incidents jumped 34% over the same period.
More Spending = More Gaps?
So this begs the question that, as noted above, is expected to be worth $170 billion in 2020: why is there such a massive gap between cybersecurity spending and actual, reliable protection? In other words, what are businesses getting wrong, despite their best efforts and increasing expenditures?
The problem is that, thanks to a steady stream of headline-grabbing data breach horror stories, businesses have become so used to the idea that cybersecurity prevention isn’t “bulletproof” that they’ve jumped to the other end of the spectrum: detection, detection and more detection.
However, while detection might mitigate some of the damage after a breach (though bear in mind that the average data breach goes undetected for 229 days), it doesn’t get money, data, customers or reputations back. In this light, prevention is far more cost-effective and there’s no ROI argument to be had: prevention can literally save a business from disappearing altogether.
In fact, given that the Ponemon Group’s 2015 Cost of a Data Breach Study: Global Analysis has pegged the average cost of cleaning up a data breach at $3.8 million per incident, businesses that don’t spend the bulk of their cybersecurity budget on prevention are courting disaster, and will have a very tough time (read: next to impossible) explaining to irate customers, investors, partners, regulators and lawmakers why prevention wasn’t permanently on the top of their agenda.
Prevention Strategy: Adopting a Layered Approach
With this being said, businesses shouldn’t assume that their existing prevention-based tools are doing the job, because chances are, they aren’t. But it’s not because the tools in themselves are necessarily flawed or out-of-date. It’s because they aren’t working together to cover as much of the attack surface as possible. And that’s where adopting a layered approach makes all the difference.
A layered approach involves implementing defensive measures at the four most vulnerable points on the attack surface:
- Endpoints
Because there are so many of them in use, endpoints — and the employees who use them — occupy the largest piece of the attack surface. Some attacks, such as drive-by malware downloads, are broad-based and indiscriminate. Others, such as spear phishing campaigns, are highly targeted and can be quite detailed.
- Company Network
Through the email server, network router, gateway and so on, the company network is where attack traffic enters the system and typically attempts to establish a foothold before moving laterally to infect multiple devices – including servers. The network is also where threats communicate back and forth with their command and control server, often receiving instructions to download yet more threats or carry out additional stages of a multi-phase attack.
- Cloud Storage and Applications
There’s plenty to like about storing data in the cloud and using cloud-based apps, such as scalability, efficiency, affordability, flexibility…and so on. However, security doesn’t make the list, which is why businesses must have adequate controls for safeguarding their data in the cloud, including who does (and who doesn’t) have access to it.
- Around Sensitive and Valuable Data
It may seem self-evident (though don’t tell that to the folks embroiled in the OPM breach), but applying protection directly to and around sensitive and valuable data is critical. What’s more, this understanding and focus needs to go beyond thwarting cyber attacks from the outside. A recent CompTIA survey found that old-fashioned human error – and not cutting-edge cybercriminal activity – was the root cause of 52% of security breaches.
With a layered approach, businesses have the multi-dimensional capacity and visibility they need to prevent, detect, respond to and remediate breach attacks, both those that are attempted and those that are successful.
But remember: it all starts with smart, strategic prevention. Because on an ever-worsening threat landscape where the costs of a breach are the stuff of nightmares, the best offense that businesses can mount is – without question – a good defense.