Cyberthieves are getting creative in the ways they overcome security measures within a corporation. In response, businesses across the globe are spending more money than ever before on security services and technology. That would suggest that corporations are making data security a priority and getting better at protecting their firms, right?
Wrong, says a new study from Raytheon|Websense. Researchers found a troubling trend among larger corporations in the U.S.: Executives continue to try the same tactics and strategies over and over again to secure their businesses, even when it is proven that those strategies aren’t enough.
The title of the new report, “Why Executives Lack Security Posture Confidence While Knowing That The Metrics They Use To Gauge It Are Ineffective,” says it all. Corporate executives know their enterprise security strategies are not working, yet they continue to deploy those strategies anyway.
According to cited metrics from Gartner researchers, businesses are expected to spend an estimated $77 billion on security measures this year alone. “Yet,” Raytheon|Websense analysts said, “the same executives cutting those fat checks are only somewhat confident in the security posture that results from the investment.”
Of the 100 corporate executives surveyed, less than one-third reported having high confidence in their security strategy plans. Sixty-five percent reported feeling merely “somewhat confident” in existing security measures.
“The reason for the lack of confidence? Executives rely mainly on quantitative metrics while damaging breaches mount,” the report concluded.
Analysts delved into the strategies these executives use in their attempts to safeguard corporate data. Three-quarters of those surveyed said security officials at their companies report to C-level executives. Further, 68 percent said they give security reports and updates at least once a month, with nearly one-third doing so every week, and an impressive 16 percent doing so every day.
But a slew of daily reports is far from adequate to protecting corporate data, the research concluded. “According to the survey,” the authors wrote, “these executives continue to rely mainly on quantitative metrics that are aimed at preventing breaches but do little once a breach has occurred.”
For example, only about one-third said they use dwell time – the time it takes between the initial security breach and its containment – to evaluate their security strategies.
Instead, simply counting the number of data breaches seems to be the most common tactic in use today, with 57 percent using this strategy, and 52 percent reporting incidence response time.
But Raytheon|Websense’s report pinpoints why merely counting the number of hacks a corporation experiences doesn’t do much to prevent them. “For example, an organization might have 400 breaches one year and 300 the next,” the report explained. “It looks like a 25 percent reduction, and in simple terms it is. But if the organization had even one breach among the 300 that resulted in a loss or compromise of data, then the number of breaches is really an unreliable metric for communicating an organization’s security posture.”
The data reflecting executives’ lack of confidence in their existing security strategies suggests that these officials are aware that these tactics simply aren’t working.
In what Raytheon|Websense analysts described as “alarming,” the survey revealed that nearly 90 percent of executives have reported at least one data breach at their corporations in the last year – and 20 percent said they had between three and five breaches resulting in a loss or compromise of data.
Perhaps the most concerning figure of all is that 13 percent of respondents said they were “unaware” as to whether their corporation suffered a data breach. When placed in the perspective of millions of dollars being spent on corporate security, the research unveils a potential security crisis within U.S. corporates today.
“Breaches happen. That is no surprise,” the report concluded. “That they happen with such frequency yet organizations have done little to adapt or to try a different approach is surprising.”
If for no other reason, businesses may want to listen up when research suggests that their security strategies are lacking because data breaches are costly. Among the most common metrics measured by businesses when analyzing security is the cost of these incidents. According to researchers, the cost of the average breach can hit upwards of $5.85 million.
According to Raytheon|Websense President Ed Hammersla, businesses need to start evolving their point of attacks when it comes to combating data breaches. “We know threats are going to get in. If we want to be more confident, we need to shift our thinking to metrics such as dwell time, or reducing the time a threat is in our network, which reduces damage and helps strengthen our overall security posture,” he said in a statement.