When it comes to security, screw the ROI and just do it!

• Should look at security spending as military spending
• Factors are conspiring, a perfect storm in the making

 
IT’S only normal for business leaders to be extremely mindful of the return on investment (ROI) on any money they spend, but that’s missing the point when it comes to cybersecurity, says one analyst.
 
IDC Asia/Pacific associate vice president of enterprise infrastructure and head of IT security research, Simon Piff (pic above), urged business leaders to stop talking about ROI when it comes to security technology.
 
“It’s akin to military spending – you spend the money without looking out for what the ROIs are. There’s no ROI on the air force or the army, you just spend [what is required].
 
“It’s the same thing for cybersecurity – you’ve to stop thinking along those lines,” he said at the IDC Asean IT Security conference in Kuala Lumpur on July 19.
 
“It’s a difficult conversation to have with the board, but you’ve got to understand that it’s not that difficult to be secure,” he added.
 
Security patches and updates, as well as education for end-users, are critical to defend organisations against cyber-attacks. According to Piff, 177.6 million personal records were lost in the top five hacks of 2015.
 
In the first half of 2016, 589 million records have already been lost and the figure is still rising.
 
“We are doing a very, very, very bad job at this – it takes an organisation 140 days on average to discover malware in their system,” said Piff, citing prominent security breach cases like Hong Kong-based toy company VTech and major retailer Target.
 
“Around the world, 1.3 million malware signatures are being discovered on a daily basis,” he added.
 
Perfect storm
 
Meanwhile, Symantec Malaysia systems engineering director David Rajoo noted that the cyberthreat landscape is becoming more challenging, adding that there was a 125% increase in zero-day vulnerabilities from 2014 to 2015.
 
A zero-day exploit is a cyber-attack that occurs on the same day a weakness is discovered in software, leaving the vendor no time to patch the vulnerability.
 
“It is very hard to stop attacks nowadays and blocking threats isn’t enough,” Rajoo said at the IDC event.
 
“Another challenge is the skills gap in the cybersecurity industry – it took me about six months to find a skilled talent in this field. There’s never been a better time for talents to join the cybersecurity landscape.
 
“You put all these things together – the evolving threats, the talent shortage and attackers’ sophistication – and it’s a perfect storm in the making,” he added.
 
Cyber incidents have been identified in the top three of the Global Business Risk for 2016 on the Allianz Risk Barometer, and thus require a lot of attention, especially from the board, said Rajoo.
 
Meanwhile, he said that cyber-insurance is an emerging field since it complements other security technologies.
 
“Having cyber-insurance doesn’t mean you will not be hacked, but the very fact that you have it in place demonstrates that you have done your due diligence on your assets to make sure that they are well-protected,” he said.
 
Symantec threat report
 
According to Symantec’s 2016 Internet Security Threat Report (ISTR), half a billion personal records were stolen or lost, given that many companies aren’t reporting the full extent of breaches within their organisations.
 
In 2015, there was “a record-setting” total of nine mega-breaches, and the reported number of exposed identities jumped to 429 million, the report noted.
 
However, since many companies choose not to reveal the full extent of their data breaches, this pushes the number of records lost to more than half a billion based on Symantec’s estimation.
 
The report also noted that in 2015, there were over one million attacks against web users as administrators struggled to secure their websites.
 
“Cybercriminals continue to take advantage of vulnerabilities in legitimate websites to infect users as nearly 75% of the websites have unpatched vulnerabilities, putting users at risk,” the Symantec report said.
 
Spear-phishing campaigns targeting employees increased by 55% in 2015, while ransomware attacks increased by 35%, as cybercriminals are using encryption as a weapon.
 
“Ransomware – an extremely profitable type of attack, will continue to ensnare PC users and expand to any network-connected device that can be held hostage for a profit,” the report noted.
 
Related Stories:
 
Basic security products don't cut it anymore: IDC
 
Security spending to exceed US$37bil in 2016: Ovum
 
Cybercriminals more patient, eyeing bigger targets: Symantec
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.