As Cybersecurity Spending Balloons, So Do False Economies

Cybercrime and cybersecurity budgets are both on the rise. And yet, the largest security gaps for most organizations – password reuse and unremediated stolen credentials – are left wide open.

Cybersecurity spending, for better or worse, is driven by cybercrime. Around the time the world was in full pandemic lockdown last year, the global cybersecurity market was worth $173 billion and spending on external cybersecurity products and services was projected to increase by at least 8.4% annually through 2026. Growth like this may be great news for security vendors, but even as security spending goes up, so does the number of successful breaches. This isn’t good news for anybody, except criminals.

Eighty-seven percent of businesses report that adopting an effective cybersecurity strategy would improve profitability. Attacks, regardless of size, can impact an organization’s reputation, customer trust, and bottom line, based on recovery cost alone. Cybersecurity is critical to a company’s longevity and to every other operational aspect of the business. But it costs money, and its effectiveness must be measured and monitored to prove its value.

The trouble is that much cybersecurity spending is reactive, and too many organizations throw money at the problem before examining its cause.

Securing a Hasty Sprint to the Cloud

In a recent report, Splunk and Enterprise Strategy Group found that of the 535 security leaders they surveyed, 88% planned significant investments in cybersecurity in 2021. Cloud security was a priority for 41% of respondents, alongside cyber risk management (32%). The increase in cloud security spend is especially pertinent given the shift to mobile workforces. Gartner predicts that by 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.

Another area highly vulnerable to attacks is corporate mobile technology; 2020 saw a 37% jump in mobile phishing. The pandemic forced many IT departments into hastily mobilizing workforces, sending employees home with highly vulnerable devices and little cyber-awareness. The smaller form factor of mobile devices, plus our tendency to click on any link on our phones, means users pay less attention to indicators of malware or phishing scams.

More importantly, employees and trusted partners with privileged access are logging into corporate applications on the same handheld devices they use for social media, often with the same or similar password. (For users with more than one password stolen last year, SpyCloud found that 60% of credentials were reused across multiple accounts.)

One Stolen Password, Many Problems

There is no question that awareness of ransomware, fueled by media coverage of the Colonial Pipeline and JBS attacks, is a major driver for security spending. It has already been established that a single compromised password led to the Colonial attack, and it was far from an isolated incident. According to the Splunk report, the most common type of attack is business email compromise (42%), followed by data breach (39%), mobile malware (37%), DDoS attack (36%), phishing (33%), and ransomware (31%).

A majority of these targeted attacks can be traced back to something as simple as weak and/or reused passwords. According to Verizon’s 2021 Data Breach Investigations Report, 61% of breaches involved credentials. The use of stolen credentials was present in 25% of breaches last year and likely played a role in the other 75% of breaches.

We recognize that cybercrime is a constantly evolving challenge that is difficult to keep up with. But the truth is, while attacks and budgets have ballooned, a major source of the problem has been the same for many years: credentials and human error. In the meantime, cybersecurity has become a bottomless pit of spending in many corporations because many assumptions are made about solutions without proof of their effectiveness.

Whether attacks happen in the cloud or on-premises, on a smartphone or at someone’s cubicle, one thing is undeniable: credential theft is still the easiest way for criminals to gain entry into an enterprise system, take over an account, and launch attacks. At the core of every solution to these attacks is a heightened awareness of compromised credentials and an increased vigilance about protecting them.

Until the credential problem is addressed, attacks will continue, and so will the bottomless spending.
