Increased corporate spending on cybersecurity, but to what avail?

Originally written for CyLon Accelerator in 2017.

As of March 14, there have been 312 data breaches in 2017 alone, which have compromised a combined total of more than 1.3 million records.

In 2016, ransomware attacks quadrupled to 4,000 per day, according to the U.S. Department of Justice.

The Ponemon Institute has pegged the average annual cost of cyberattacks to companies worldwide at more than $9.5 million.

These are all worrying stats, right? I mean, cyberattacks seem to be ramping up in numbers and intensity each year. The numbers are staggering!

Apple? Breached.

Facebook? Breached.

Those disappearing photos you post on an app called Snapchat? They’ve been hacked.

British Airways? Busted.

Even bookstores aren’t exempt! Sixty-three Barnes & Noble stores were hacked into and their customer data stolen. What about the banks? J.P. Morgan Chase, Citigroup, Tesco Bank, just to name a few, have all experienced data losses. Surely the government has the right protection in place? Well, sadly that’s not the case either. Anyone not remember the hacks into the Democratic National Convention? The one that some people argue cost Hillary Clinton the election? And then you have the Australian Immigration Department, which accidentally published passport details of all the G20 world leaders. Oops. Even the IRS was hacked into and 720,000 tax records were stolen.

Well, enough talk about the data breaches. Hopefully by now we’ve all realized that no industry has been spared. No company, no matter how big or small, is being left out. So what are the corporations doing in order to protect themselves from cyberattacks? How are companies preparing themselves for cyber-warfare? What do they have in their arsenal to stop the continually evolving cyberthreat landscape?

For one, corporations have started to spend increasingly more on cybersecurity tools and services. According to PWC, 2016 saw UK organizations more than double their information security budgets, spending £6.2m on average (compared to 2015’s average of £3m). The International Data Corporation predicted that in 2016, organizations worldwide would spend an estimated $73.7 billion on cybersecurity, a number that they predict will increase to $101.6 billion by 2020.

J.P. Morgan Chase budgeted half a billion dollars to spend on cybersecurity for 2016 alone. This may seem outrageous, but when considering that financial services firms are 300 times more frequently hit by security incidents, it makes sense. But despite the large figure, the bank reported “still feel[ing] challenged” to fully equip itself against cyberthreats. Other banks are not far behind, with Bank of America, Citibank, and Wells Fargo pledging to spend exorbitant amounts on security. According to the Homeland Security Research Corp., the 2015 U.S. financial services cybersecurity market reached $9.5 billion, making it the largest non-government cybersecurity market.

Earlier this year, Cybersecurity Ventures published a market report that predicted global cybersecurity spending to exceed $1 trillion from 2017 to 2021. Whew! And still not enough. They also predicted cybercrime damages to cost the world $6 trillion annually by 2021! So what’s happening? Despite the billions being spent yearly on cybersecurity, why are organizations still not fully equipped to deal with security breaches?

PWC reported that 18% of UK organizations don’t know how many cyber attacks they suffered last year, and only 28% of UK company boards are involved in setting security strategy. In a survey conducted by EY, only 38% of respondents said that their boards have enough information to evaluate cyber risks. 90% of businesses fail to evaluate the financial impact of every data breach. Of companies that had a cyber incident in 2016, half of the respondents had no idea what financial damage it had caused!

There is still a big gap in cyber awareness, a gap that needs to be filled soon if companies hope to secure themselves from cyberattacks. “Continual and broad-based cyberthreat assessments have become a necessity,” writes Russ Banham in Forbes. And the kicker is: more spending doesn’t necessarily mean that companies are becoming more secure. Spending more on security software isn’t the only thing that corporations should be focusing on; there’s an increasing cyber-skills shortage that needs to be plugged. Company executives, employees, and security analysts all need to be up-to-date with the constantly developing cyber technology. As a CSO article states, “Cybersecurity is not something you can just buy, but something you should thoroughly build.”