In the past five years the cyber threat landscape has grown exponentially. Despite developments in cyber security and increases in security budgets, practically every day sees a new high profile security breach being reported in the media.
As a result, a growing number of companies are fast coming to the conclusion that no amount of investment in security can keep them protected, believing that when it comes to combating the cybercrime threat it's a case of ‘when, not if.'
The fact is that companies - and even consumers - are creating, storing and utilising data at an unprecedented rate. And it's this data that the cybercriminals are after. What's more, experts predict that the attack opportunities for hackers will blossom once the Internet of Things proliferates and makes valuable data accessible from an ever-widening selection of entry points.
Clearly, it's time for a rethink. Yet research shows that companies continue to allocate just 1% of their total security technology spend to data protection measures. And they're paying a heavy price for focusing solely on network and device security alone.
A misguided focus on perimeter-based security
Until now organisations have largely adopted a perimeter-based security strategy that's failed to keep pace with evolving attack approaches.
In 2010 companies spent nearly half of their security technology investment (44%) on network security. In the same year, 761 major data breaches were recorded, compromising 3.8 million records. Physical tampering, spyware and data-exporting malware were the top three attack methods utilised, yet little spend was dedicated to protecting the very data that serves as the target for so many attacks.
In 2011 the use of stolen credentials emerged as the top mode of attack, with companies like Sony PlayStation and Steam falling victim to cybercriminals. A total of 855 major data breaches were recorded, compromising 174 million records – a major uptick on 2010 statistics – yet companies continued to invest 39% of their security technology spend on network security. Despite the massive increase in attacks through the use of stolen credentials, companies continued to invest just 1% in data protection.
By 2012 backdoor exploitation had materialised as the hot new threat on the block. In response to the growing cyber threat companies upped their total spend on network security to 43%, with more than a fifth (21%) of budgets going to database security, 13% to endpoint security/anti-virus, 8% to identity management – but once again just 1% was dedicated to data protection.
Fast forward to 2014, during which stolen credentials, RAM-scraping malware and spyware became the most popular modes of attack employed by cybercriminals. Sony experienced yet another major breach and the overall number of data breaches experienced by companies increased dramatically. Overall there were 2,122 major recorded breaches, which compromised 700 million records, yet once again companies failed to shift their security spend accordingly.
In a repeat performance of previous years, network security technology investments continued to take the lion's share of security spending at 38%, with 16% going on application security, another 16% on database security, and 13% to identity management. Contrast this with data protection, which yet again represented the lowest spending category at just 1% of total IT security technology spend.
Evaluating the risks today – and into the future
In 2015 it's clear that cybercrime continues to grow in reach and sophistication as cybercriminals employ new tools and malicious programs to infiltrate corporations and exfiltrate sensitive data such as personally identifiable information (PII), protected health information (PHI) and payment card industry (PCI) information.
In May this year the US tax service, the IRS, reported that cyber-criminals had used one of its online services to obtain tax return information for more than 100,000 households in the country, using stolen PII to gain unauthorised access to tax-agency accounts. Around 15,000 fraudulent refunds were issued as a result. Meanwhile, high profile breaches at Target and Home Depot placed consumers at long term risk of identity theft and fraud.
With the Internet of Things on the horizon and the growing availability of new mobile payment instruments such as Apple Pay, the possibilities for attack look set to increase. Today's technology is advancing apace as new ways to leverage cloud applications and mobile devices come into play. The only factor that hasn't changed is that sensitive data is vulnerable and needs to be secured with data protection technologies and policies that follow a corporation's sensitive data while it's in use, in transit and at rest.
The truth is our data is no longer just confined to networks where it can be protected. And that means organisations need to turn their current cyber-security strategy around, putting the focus on data protection technologies and strategies rather than network security and traditional anti-virus. Until corporations evolve their security methodologies, data will continue to be at risk.
Contributed by Luke Brown, vice president & GM of Europe, Middle East, Africa, India & Latam at Digital Guardian