I’ve been working in cyber security for around 25 years and for a long time have wondered what we are doing wrong as an industry. Despite all the solutions and experts that exist in the market, and the sizeable budgets allocated to cyber security, how do we still find ourselves in the same position or worse every year?
Let me share a story with you, of something that happened to me a few years back (pre-pandemic) when I was travelling to the USA for business. After landing in the USA, I waited in the security control queue for my passport check, when it was finally my turn I approached the border control officer. I was asked what was the purpose of my visit, I answered, “business”. He responded with – “what kind of business? What do you do?” Proudly I answered, “I am in cyber security”. His response took me by surprise - “So you are one of those guys that keep losing?”. To be honest, I wanted to reply and protect our profession but firstly you don’t argue with a border control officer, but upon reflection, I realised he was right.
Let’s highlight some numbers to support the above claim; according to Statista information[1]– Cyber security global spend in 2022 is expected to have been nearly $160 billion and in 2027 it will reach up to nearly $300 billion.
It’s tempting to think that because organisations are already spending so much (and are set to increase cyber spend) surely that would improve an organisation’s protection and also the cost of a cyber breach to the market will decrease. It would be a fair assumption, but unfortunately that’s not the case. According to the same website, the cost of cyber breaches only continue to increase:
In 2016 it was about $600 billion, and since then it has grown every year. In some cases, it more than doubles every year or couple of years.
For example:
2020 - $2.95 trillion
2022- $8.44 trillion
and is expected to reach $23.84 trillion in 2027
Those numbers are shocking – if businesses are spending more on cyber security, how can it be that the cost of breaches keep rising. To go back to the US border control officer statement, we keep losing because in a way it is an unfair battle – organisations need to block the attackers 100% of the time, whereas the attackers sometimes only need one attack to be successful.
So, the key questions for me are: what are we doing wrong and why is cyber security as it stands, failing?
I believe the main reason cyber security is failing is that organisations are only reacting to cyber incidents. In many cases, they are not correctly utilising their cyber investments for protection. With so many tools that works in silos, and the lack of skilled resources in the market, it is almost ‘mission impossible’.
According to CISO-Portal[2] there are around 50,000 cyber security firms globally, including approximately 30,000 vendors. Each and every one of them is trying to sell their products and services to the clients and many are using marketing techniques to convince prospects that their solution is the best in its area and will prevent the next attack, which potential customers are then buying in to.
Being a CIO/CISO, Head of GRC, Head of Security Operation or any other executive/managerial role in cyber security is not an easy job. They are tasked with protecting the environment but often don’t have the right tools to achieve this.
When I refer to tools I am not talking about specific products or solutions, but the full ecosystem that supports the KPIs security leads are actually being measured against.
The challenge is that most organisations’ cyber security budgets are a percentage of the IT budget. Looking at various sources, the typical budget for IT is about 4% of company revenue and the budget for cyber security is often between 4% and 20% of that IT budget. The difference in the budget size can be related to the industry and the company size, so highly regulated industries such as finance will likely have a larger budget. I believe that organisations consider dedicating a cyber security budget derived from the potential business cost of a breach, particularly now there are discussions around cyber breaches becoming uninsurable[3].
The risk of a breach exists for any organisation large or small and the difference is in the impact of such a breach. According to IBM[4] research the average cost of a data breach is $4.35M globally, while in the United States it gets to $9.44M, research also states that on average it takes 277 days (about nine months) to identify and contain a breach.
After a cyber security breach, organisations could face a range of consequences, including damage to their reputation, legal action, and financial losses. They may need to invest in new security measures, update their systems, and/or hire an outside security firm to assess the damage and ensure that their systems are secure. They may also be required to notify customers and/or regulators of the breach, depending on the situation. Ultimately, the impact of a security breach can be serious and long-lasting, and in the case of a small/medium business (SMB) potentially fatal.
Most of the news about a cyber breach will be focused on large enterprises, but it should be recognised that SMBs are the backbone of the global economy. They provide jobs, generate revenue, and contribute to the economic growth of their communities. But in recent years, SMBs have become increasingly vulnerable to cyber-attacks and data breaches. Unfortunately, many of these businesses are not able to withstand the financial and reputational damage that can result from a security breach.
In the past, the consequences of a breach were primarily limited to the loss of customer data and financial losses associated with remediation and rebuilding trust. But now, the repercussions of a security breach can be far more devastating. In some cases, SMBs have been forced to file for bankruptcy after a breach, unable to recover from the overall impact.
In 2019, for instance, a small business in the UK was forced to declare bankruptcy after a ransomware attack resulted in the loss of all its customer data. The organisation was unable to recover the ransom money and lost a significant amount of income as a result of the breach.
Another example of an SMB going bankrupt after a security breach is the case of a small business in the US that suffered a data breach in 2018. The business was unable to recover from the financial losses incurred due to the breach, resulting in the closure of its operations.
According to Cybercrime Magazine “60% of small organisations go out of business within six months of falling victim to a data breach or a cyber attack”[5]
So how can we make things better and start winning?
I believe the most important step is to understand where the weak points of an organisation’s defence are. As mentioned earlier in the blog, companies invest in security solutions to protect their assets however in many cases those solutions are not fully deployed due to a lack of understanding of their potential attack surface and not optimising configurations to provide the optimum protection level (often due to lack of knowledge or skills).
In a survey held by Ponemon institute [6] with more than 600 cybersecurity experts, 61% stated that they are not getting the full value from their current security investments, 59% stated that they are not effective in identifying and closing gaps in their security, and 53% stated they are not certain that the solutions they have are working as promised and protecting their network and assets.
In the digital world, much like the physical world, to be able to go to war and potentially win, one must have intelligence. No general will go to war without knowledge about their adversary’s strengths and weaknesses and better still if they have the intelligence of what the other side knows about them.
Attackers gather intelligence on their targets, and organisations are doing penetration tests to try and understand that challenge. However, attackers typically have a much wider scope which is not limited to the way an organisation views itself. Companies often define specific budgets to reduce cost, or they are simply not aware of their attack surface. You can’t protect what you don’t know. Organisations need to get better visibility and awareness of their attack surface and one way to do this is through Attack Surface Management solutions.
Attack Surface Management solutions are designed to reduce an organisation's attack surface by providing visibility into their attack vectors, identifying weaknesses, and addressing security gaps. These solutions provide organisations with the ability to identify and analyse the areas of their system that could be vulnerable to attack. This visibility allows organisations to identify and prioritise the most important security issues and take corrective action.
With Attack Surface Management solutions, organisations can take a proactive approach and understand the potential intelligence an attacker will have, intelligence that will be used to try and penetrate their network. By having that knowledge, organisations can define their defence strategy and take proactive measures to reduce their exposure. It is important that the data will always be available and up to date, as any system can be exposed to new vulnerabilities and every organisation’s attack surface keeps changing, especially in this digital world.
Overall, Attack Surface Management solutions provide organisations with the visibility and tools they need to protect their data and systems from cyber threats. By taking advantage of these platforms, organisations can reduce their attack surface and improve their cyber security posture, and finally start winning in the constant battle against hackers.
To summarise, organisations first need to understand their attack surface to improve their ability to protect it, and Attack Surface Management solutions help to expose the unknown. I believe that any organisation can reduce their chances of being breached by better understanding their attack surface and taking proactive action to remediate any gaps using the tools they already have. In many cases organisations made the right investment in a service or a solution, they simply need to make sure they cover their entire estate and are configured effectively.
[1] https://www.statista.com/outlook/tmo/cybersecurity/worldwide
[2] https://www.ciso-portal.com/how-many-cybersecurity-companies-we-have/
[3] https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d
[4] https://www.ibm.com/reports/data-breach
[5] https://cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/
[6] https://go.attackiq.com/rs/041-FSQ-281/images/REPORT-Ponemon1_vF2.pdf