Breaches have companies spooked, investing in security

It’s only natural: Following a major security breach, IT is going to be pretty concerned that they could be next. And judging by increases in spending, plenty of decision-makers are worried as well.

Across the board, respondents to a new Ponemon and Identity Finder LLC survey reported that their concerns about breaches shot up following high-profile attacks. Most also said those attacks had real, concrete impacts on the bottom line: they increased spending on security incident and event management (50%), endpoint security (48%), intrusion detection (44%), encryption and tokenization (38%) and more.

(Interestingly, only 11% saw a path to better security through increased antivirus or anti-malware, highlighting its fall from grace for IT. This despite malware being the most popular method of intrusion.)

Despite improvements in budgets, not everyone is optimistic that it’ll be enough to save them from future breaches. Only two-thirds (67%) of companies felt their security budgets were adequate to protect against attacks.

Breaches aren’t brief

Perhaps one reason many organizations were pessimistic about security is that so many of them have been victims in the past. Almost half (45%) had experienced a data breach in the past two years, and getting to the bottom of when and how that breach happened wasn’t easy:

  • 16% discovered the breach within six months
  • 21% found out about it within a year, and
  • 18% took two years to discover it.

Alarmingly, 20% of companies weren’t able to firmly nail down how long it took to discover the breach at all. And 55% couldn’t tell where or how the breach occurred. (Of those who did determine it, however, on-premise data centers were slightly more likely to be the location than off-site data centers or the cloud, 32% to 30%.)

Prevention, not spending

No one should mistake security spending for security itself. It’s entirely possible to have enormous security budgets and still have breaches (as was the case with JPMorgan recently). The important thing is to spend wisely and carefully.

According to the Ponemon survey, those who had suffered a breach attributed it to evasion of current security controls (65%) more than to budgetary constraints (37%). For comparison, budgetary constraints ranked close to the lack of in-house security expertise (35%).

Getting help for security

Boosting security on a budget is possible, just as falling victim to hackers on a massive budget is.

The most important thing is to focus on the spots you’re most vulnerable. For many, if not most companies, that’s the end user.

Make sure users are well trained, aware that breaches can occur if they’re not careful with their passwords, able to spot phishing attempts, and so on. Added security training isn’t always an easy sell, but it is usually easier than adding newer security systems to your budget.

Also crucial: having good techs on your team. Security pros are in high demand and command huge salaries as a result, even if their skills are worth the extra investment.

If you’re not able to budget for these highly skilled employees, make sure you’re able to provide your team with the training they need to better detect and prevent intrusions. A little added training could have huge benefits.

Finally, in areas where you are going with outside vendors, make sure you can trust them to be diligent about protecting your security. The best argument for vetting supplier security: Target wasn’t taken down by a malicious insider; it suffered a monumental data breach because a supplier was hacked.
