Are you investing your security dollars in the right places?

With all of the knowledge and solutions available, why are breaches growing in number and intensity? Mike Vamvakaris, Director, Cyber Security Consulting, TELUS Security points to a few reasons:

• A growing attack surface – more entry points to data

• Changing threats – different, more malicious ways of targeting data

• Growing number of vulnerabilities – hard to track and identify weaknesses

• Technology complexity – solutions aimed at protection create management challenges

• Resource scarcity – hard to find and retain the right skills

Mike Vamvakaris was one of the key presenters at this year’s BC Aware event. He began his discussion by outlining the security challenges arising from a business environment in flux as a result of digital transformation.

• 35% of organizations experienced a ransomware attack in 2017, with business disruption of an hour to a day or more

• Costs of a breach rose from $86,000 to $5.78 million

The spending paradox

Companies are spending on IT security. In fact, in 2017, 73% of organizations increased their IT security spends, up from 58% in 2016. However, 68% experienced a breach, with 26% having been breached in the past year.

How is that possible? IT security spending is rising, yet so are breaches.

According to Vamvakaris, it’s because investments are misaligned with cyber threats. Most organizations still take a technology first approach, without any real long-term plan. Culture is largely overlooked, with a lack of management buy-in and leadership and poor employee engagement.

His recommended solution? Holistic security. Organizations need to build an ecosystem – which means that technology solutions, processes and people work together within a framework. The National Institute of Standards and Technology (NIST) has designed an excellent security framework that covers the spectrum of security actions (progressive steps and layers of technology) including identify, protect, detect, respond and recover. Many organizations are turning to outsourced providers to help them adopt frameworks like NIST and ensure compliance.

Attendee reaction

Upon hearing that $1.3 billion is being spent on security technology, with only $43 million being spent on security awareness, many attendees realized their own investment disparities.

In conversation with several attendees after his presentation, Vamvakaris noted that many felt that they weren’t doing as much as they could in terms of security awareness and training. The disproportionate spending on technology vs. training didn’t come as a surprise to them when reflecting on their own experiences.

Many wanted to know Vamvakaris’ take on the spending inconsistencies. In his view, cyber security includes technology, but also encompasses risk management and tolerance. Educating employees as a first line of defense is critical. More and more organizations are realizing this the hard way, as they continue to get breached despite significant technology investments.

In an ongoing era of the security technology provider hard sell, many organizations have unfortunately bought into the technology myth, thinking that this solution or that solution is the silver bullet. As attacks continue to intensify and proliferate, many are questioning this mindset.

There is a shift in progress toward cyber security culture and awareness. And Vamvakaris maintains that it's a transition that is long overdue. Training employees to enhance the organization’s overall cyber security IQ is vital as phishing continues to be the preferred infiltration method.

Aware and vigilant employees are essential for improving both the security posture and the security brand within an organization.

How much are you spending on your security awareness? Are you prepared?  Let us know in the comments below.

To learn more about cyber security best practices and why a holistic approach is a strategic way to stay secure, read IDC’s January 2018 InfoBrief: A Framework for Effective Cyber Security, or visit telus.com/businesssecurity.