Collectively, we spend tens of billions of dollars a year on security systems. And still, we lose billions in business email compromise (BEC) spoofing attacks. We fall victim to an onslaught of ransomware. We suffer high-profile breaches. And we continue to be embarrassed by data leaks engineered by foreign governments, the 2016 U.S. presidential election as the most recent example.
Now it’s 2017. As a new year begins, it’s time to take a fresh look at our defense strategies and reassess our security budgets. Many organizations realize they need to invest in security. But many are unsure where to best direct their spending.
What’s the best way to secure your data and stay in budget? Reinvest in your current security technology? Buy the new trendy security suite?
The easiest and least expensive choice may appear to be to re-sign a contract or upgrade to the next protection level. But easy may not be smart—especially if doesn’t work. And low-cost options become expensive if company secrets are stolen or your leadership team wires more than $50 million to an attacker.
The threat landscape is constantly evolving. The security strategy you adopted last year may not be the right approach to defend against today’s threats.
Maybe your organization invested heavily in endpoint protection in 2016 because it’s a mainstay in your budget. 2017 might be a good time to rethink this approach.
Studies consistently find that about 95% of advanced attacks begin with email. (The reason is simple: attacks target people, and email is a tool we rely on every day.) Despite this reality, businesses still spend about 80% of their security product budgets on network and endpoint technologies, according to Gartner figures.
This spending probably made sense at the time. But threats have changed. To protect your company today, security spending needs to change, too.
Beyond email, attackers are targeting vectors outside of what we’ve traditionally considered the domain of IT.
Social networks and mobile apps are a way to compromise your people without confronting traditional defenses—and can badly tarnish your brand reputation. In the first six months of 2016, we saw a 150% increase in social media phishing attacks when compared with the same period last year. That volume increased by 300% Q3 vs. Q2 2016.
In 2017, stopping threats through these channels will be critical. Tooth plaque is easy brush away; a cavity that has broken through the tooth enamel is a bigger problem. In the same way, detecting and resolving threats before they reach your network and endpoints is easier and more effective than trying to stop those already in your environment. Stopping a potential data breach, ransomware or BEC loss at the source—email—takes pressure off your other controls.
We also see this as the year your security team will need to expand its reach beyond your employees. Protecting your brand today means protecting customers and others who interact with your brand through email, social networks and mobile devices. That includes shutting down copycat social-media accounts and mobile apps that commit fraud in your name. Digital risk, inside and outside the organization, will loom large in 2017.
Taking a moment to survey today’s threat landscape is the smartest first step you can take when it comes to security budgeting. Starting from scratch, might seem daunting. But simply doing the same thing because it’s always seemed worked in the past leaves you exposed to new threats.
That’s why when it’s time to submit 2017 budgets, cybersecurity should start from the ground up—with a blank piece of paper.
[su_box title=”About ” style=”noise” box_color=”#336588″][short_info id=’70187′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.