Gartner estimates that the total worldwide expenditure by companies on information security for 2019 will be 124 billion dollars¹, a figure which does not include spending on IoT security or industrial systems. They also note that security as a service and its delivery from the cloud will soon exceed local solutions.

This forecast, together with the clear importance that cybersecurity has been acquiring in our lives (featuring in newscasts, generating front-page coverage in various media, impacting the online services we use daily, etc.), gives us an insight into the kind of world we are moving towards.

In fact, cybercrime is already a hazard that is estimated to have cost the world 600 billion dollars³ in 2017, almost 1% of global GDP. For 2021, it is estimated that this figure will be 6 billion dollars². This includes damage to and destruction of data, stolen money, loss of productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, disruption to the normal course of business following the attack, forensic investigation, recovery and removal of hacked data and systems, and damage to reputation, among other things.


The motivations of cybercriminals vary and not all are economic. Others include reputational damage to the target, the intellectual challenge, vandalism, etc. An interesting reflection, although a highly simplistic one, is to compare the motivations of the two sides on the basis of the economic figures.

In 2018 we had one group, motivated to defend themselves, who invested 114 billion dollars, and another group, motivated to attack, seeking to obtain a part of those 600 billion dollars lost (using the 2017 figure): the part related mainly to thefts and scams by means of social engineering, phishing, ransomware, attacks against the infrastructure of banks or cryptocurrency exchanges, the profits obtained from the sale of information (R&D, strategic, commercial, etc.), payments for damaging competitors, and so on. We can see from this that if cybercriminals feel capable of stealing €60,000 from a company, they might well consider dedicating 8 hours a day for 6 months in order to do so.

The question that comes to mind is: how much of our resources should we devote to defending ourselves?

It is not hard to conclude that everything points to these forecasts being met or exceeded. With the growth of the population, the digitalisation of companies and of our lives, and connected technology reaching into more and more areas (body accessories, household appliances, cars, home automation items, etc.), the target available to attackers becomes ever bigger and more varied.

But let’s not be discouraged. Sun Tzu may have claimed that “the best form of defense is a good attack”, but we are not faced with a war in which we have to eliminate the enemy; rather, we need to demotivate it, raising the bar enough that cybercrime ceases to be so attractive and our company is no longer such an accessible target for attackers who are not even highly skilled technically. Our only task is to focus on defense, and in recent years the information security industry has evolved dramatically, making it easier than ever to defend oneself.

It is common for companies to focus only on technological security, when in fact security consists of three significant elements: people, processes and technology. The technological aspect in turn covers two main areas: security in the architecture and security architecture. The former refers to all the configurable security measures in non-security technologies, such as applications (ERP, CRM, etc.), operating systems, databases, routers, etc., while the latter refers to security tools themselves, such as antivirus software, firewalls, IDS/IPS, web filtering, anti-DDoS, etc. The two are complementary and both need to be taken into account.

This trend, perhaps due to ignorance or perhaps due to the industry’s commercial imperative, means that the entire focus is on security architecture, which has been gaining prominence in IT spending. Security in the architecture, on the other hand, which usually requires less economic outlay and more attention than CAPEX, is not used at all. Not to mention the fact that often, even when adequate security tools are in place, they are not used to their full potential because they have not been configured correctly.

Nor should we forget the importance of having strong security management processes for the correct administration of technology and people, or of training users, who are so often the weakest link.

It should be remembered that any security decision or plan needs to incorporate this global vision of people, processes and tools, and needs to be analysed from a risk-oriented perspective, so that investments are targeted towards mitigating the likelihood and/or the impact that cybersecurity issues can have on our business.

References:

1. https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019

2. https://cybersecurityventures.com/2015-wp/wp-content/uploads/2017/10/2017-Cybercrime-Report.pdf

3. https://www.mcafee.com/enterprise/en-us/solutions/lp/economics-cybercrime.html

4. https://www.csis.org/analysis/economic-impact-cybercrime