Although difficult to track, cybersecurity spending is likely at an all-time high, and continues to snowball. This year, global spending for security software, hardware and services could hit $91.4 billion, a 10.2 percent jump over last year. IoT security-targeted expenditures remain a sliver of that sum, with Gartner estimating that IoT spending will hit $1.5 billion in 2018. The firm predicts that total will double by 2021.
That doesn’t mean all of that cybersecurity spending is useful. Large enterprises spend up to $300,000 each year on cybersecurity-focused education that frequently warns users to avoid falling for phishing schemes. According to Verizon’s 2018 Data Breach Investigations Report, phishing and pretexting account for 93 percent of breaches. Cisco has reached similar conclusions about the problem. “Our research has shown that despite user training, people still habitually click links,” said Jon Stanford, director, OT platforms and IoT cybersecurity at Cisco Advanced Services.
Meanwhile, easy-to-prevent cybersecurity vulnerabilities are common. Default passwords on IoT devices, for instance, have enabled the Mirai botnet — and its variants — to enslave hundreds of thousands of devices. Default passwords in IoT devices continue to be common, with many of them just a Google search away.
At the enterprise and industrial levels, spending on security technology often buys gadgets and appliances that do little to protect against cybercriminals. “I cannot tell you how many companies I’ve been to where I walk into their data center, and there are racks and racks of security appliances that are turned off,” said Andrew Howard, global chief technology officer at Kudelski Security. “They’re buying more appliances and solutions than they can possibly use.”
The fact is, it is challenging to come up with a strategic plan for how to achieve the “biggest risk reduction bang for the buck,” said Andy Bochman, senior grid strategist at Idaho National Laboratory, in a May interview with IoT Institute. It is difficult for a chief security officer to vet security products, and equally difficult for a chief financial officer, whose job it is to judge whether what the CSO is asking for represents the best use of money. “How the heck are they going to measure whether it is worthwhile?” Bochman asks.
One of the most common considerations when allocating security spending is to look at the prior year’s investment and to decide whether to increase it. “You could also look to your peer companies and see what they are spending and implementing,” Bochman said. Neither strategy, however, is directly connected to what is happening in the threat landscape.
Some companies, seeing the challenges of allocating security spending, essentially decide more is better when it comes to investing in cyber services and products. “I’m aware of multiple big companies where the cybersecurity leader has an unlimited budget,” Howard said.
Frequently, that spending goes to bleeding-edge-sounding technologies that, first, lack a proven track record and, second, may be difficult to integrate with other cybersecurity technologies.
Many companies run into the problem of trying to deploy advanced cybersecurity technologies while lagging on patching, access control and studying the threat landscape. “My advice to most companies is: ‘Don’t go buy more things until you first focus on the basics,’” Howard said. That can be hard, given that many companies are working simultaneously to minimize risk while increasing the velocity at which they launch new products and services. “That is the biggest concern of many cybersecurity [professionals]. The business is putting so much pressure on them to get a new product or capability to market that the security group just can't keep up,” Howard added. “A lot of the manufacturers are trying to differentiate their product based on cost, but even adding in bare-minimum security is gonna add cost.”
The concept of cybersecurity basics includes more than vendor solutions and cyber hygiene. It involves identifying business processes that can’t be allowed to fail for any reason and ultimately devising low-tech or analog-based methods for protecting them.
“Having fail-safes in place is important,” Howard said. An example could be storing data on a local hard drive. “In today's environment, that just seems crazy because of the prevalence of cloud, but there’s some real value to having your data backed up offline.” Another example would be for industrial companies to put analog or hardware-based safety controls in place. “If you have something you don’t want to go above 100 degrees Celsius, you probably shouldn't just check that in software,” Howard added.
In general, organizations should think about what their ultimate fail-safe might be, “whether that’s an offline backup, an analog solution or a human reviewing something,” Howard added. “While these strategies might slow things down potentially, they also add a layer of safety that is hard to replicate.”