Last year, private sector companies globally spent more than $75 billion on security software to safeguard their systems and data.
That number is expected to grow about 7% annually, according to Gartner and other analyst firms. It doesn’t include all the massive amounts spent on fraud prevention by banks, a number that is widely underreported and expected to reach into the billions annually.
Has all that spending made private sector data and systems any safer? Is customer personal data any safer?
The general answer is no, according to many analysts, but that’s not necessarily because the latest software is considered ineffective.
As security software has grown more sophisticated in recent years, so have the bad guys. Data breaches have soared in the past two years. One of the worst emerging problems is ransomware, where hackers demand payment to return sensitive data they’ve stolen or locked up to the rightful owner.
In interviews, four analysts said cybersecurity is a huge challenge because the bad guys are getting smarter. In recent years, the smartest hackers have found ways around some existing security software, especially signature-based antivirus (AV) software. (Signature-based AV compares signatures of files on a system to a list of known malicious files, while the use of behavior-based AV is growing in popularity because it watches processes in a system for signs of malware and then compares those signs against known malicious behaviors.)
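As an added illustration that is not part of the article, the following Python contrasts the two approaches the paragraph describes: a signature check that hashes a file and looks it up in a blocklist, and a behavior check that watches a process's file events for a ransomware-like pattern (an encrypted copy written, then the original deleted, repeated across many files in a short window). The blocklist hash, the process ids and the event log are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed blocklist entry: the SHA-256 of a sample payload, not a real malware hash.
KNOWN_BAD = {hashlib.sha256(b"sample-malware-v1").hexdigest()}


def signature_match(file_bytes: bytes) -> bool:
    """Signature-based AV in miniature: exact hash lookup against known-bad files.
    Any change to the file (even one byte) yields a hash the list does not contain."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD


# Constructed file-system events: (timestamp_sec, pid, action, path).
# pid 4242 behaves like ransomware: writes an encrypted copy, then deletes the original.
# pid 1000 edits one file in place; pid 3000 does a single "save as .bak, delete old".
SAMPLE_EVENTS = [
    (0.0, 1000, "write", "/home/u/docs/notes.txt"),
    (0.1, 4242, "write", "/home/u/docs/a.docx.locked"),
    (0.2, 4242, "delete", "/home/u/docs/a.docx"),
    (0.3, 4242, "write", "/home/u/docs/b.xlsx.locked"),
    (0.4, 4242, "delete", "/home/u/docs/b.xlsx"),
    (0.5, 4242, "write", "/home/u/docs/c.pdf.locked"),
    (0.6, 4242, "delete", "/home/u/docs/c.pdf"),
    (0.7, 3000, "write", "/home/u/docs/old.txt.bak"),
    (0.8, 3000, "delete", "/home/u/docs/old.txt"),
]


def behavior_flags(events, window_sec=5.0, threshold=3):
    """Behavior-based AV in miniature: flag any pid that, within window_sec, deletes at
    least `threshold` originals after writing a copy of each with an extra extension.
    No hash of the malware is needed, which is why this catches samples the signature misses."""
    written = defaultdict(set)       # pid -> paths this pid has written
    suspicious = defaultdict(list)   # pid -> timestamps of write-copy-then-delete steps
    for ts, pid, action, path in sorted(events):
        if action == "write":
            written[pid].add(path)
        elif action == "delete" and any(w.startswith(path + ".") for w in written[pid]):
            suspicious[pid].append(ts)
    flagged = set()
    for pid, stamps in suspicious.items():   # sliding window over sorted timestamps
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window_sec) >= threshold:
                flagged.add(pid)
                break
    return flagged


if __name__ == "__main__":
    print("signature hit:", signature_match(b"sample-malware-v1"))
    print("signature hit after a one-byte change:", signature_match(b"sample-malware-v2"))
    print("behavior-flagged pids:", behavior_flags(SAMPLE_EVENTS))
```

Lowering `threshold` to 1 also flags the single save-as-and-delete by pid 3000, which shows the false-positive trade-off behavior-based detection has to tune.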
These analysts ticked off a list of concerns: Many companies aren’t yet deploying new approaches like security analytics to detect suspicious events. (Security analytics refers to gathering and linking diverse kinds of security event data and using advanced techniques like machine learning or neural network models.) The growth of cloud computing has also put sensitive enterprise data outside the more secure data center. Sometimes workers inside companies aren’t properly monitoring their security software or setting up sufficiently protective cybersecurity policies.
“Companies are worse off by 100% [with cybersecurity] compared to 10 years ago because the world is more complicated now,” said Gartner analyst Avivah Litan.
“We are safer in a way, but criminals -- the advanced ones -- can still get through. Companies have definitely raised the cybersecurity bar, but criminals can keep going higher than the bar. It’s a cat and mouse game, and when you put in a trap, they find a new technique.”
Despite billions of dollars spent on signature-based antivirus software, for instance, today’s smart criminals can beat it, Litan added.
Hackers have huge financial incentives to resell employee personal information or corporate secrets.
“Basically, all that sensitive data that was seized is out there to resell and use to target companies,” Litan said. “Thieves set up money laundering accounts to funnel the billions that are stolen every year, and it is now much easier to get money and intellectual property out of the system.”
'Always playing catch up'
Litan’s view is based on 12 years as a security analyst, and other analysts tend to agree with her. One of the more hopeful ones, Robert Westervelt of market research firm IDC, said he sees a bright future for enterprise security, even though the road is fraught with difficulties.
“I don’t think enterprises have gotten worse at cybersecurity, but they are dealing with complexities that they didn’t have to deal with 10 years ago,” Westervelt said. “It’s two steps forward, and then external factors make you take a step back. It’s a never-ending story. We’re always playing catch up.”
One of the more critical voices is analyst Patrick Moorhead of Moor Insights & Strategy. “The private sector isn’t doing nearly as much as they should and could be doing with security,” he said. “The tools are available for identity protection and file protection, but the reality is that they aren’t using them. It used to be that software wasn’t available, but that is no longer the case and, really, enterprises are just putting up excuses at this point.”
Jack Gold, an analyst at J. Gold Associates, said security in the enterprise is always evolving. “As security covers up one flaw, another is found and exploited by the bad guys,” he said. “There really is no way to assure 100% security as we’ve seen numerous times.”
Human error is the biggest risk factor, as in the case of ransomware.
“Somebody clicks on a file he or she shouldn’t have and it infects the system from the inside,” Gold said. “Companies spend massive amounts on securing against outside threats, but a simple email message containing a hack can bypass all of that.”
Gold said his research has shown that companies tend to fall six months behind, on average, in applying security patches. “That’s like leaving the front door unlocked when you know burglars are in the neighborhood.”
Gold said his impression is that enterprises are “probably” doing better on security than they did a decade ago, but there are now more attacks than ever.
How an attack could unfold
Litan described one example of how a hack works: Foreign states, including China, are able to target human resources data at a private defense contractor’s manufacturing plant to get information on all the Americans working there.
They can find out where all the workers’ kids go to school, then email -- acting as one of the teachers -- “to say one kid’s been acting up, so please come to school as soon as possible,” Litan said. “That engineer’s likely to open that email and, then, get infected with some kind of malware.”
A foreign state, or even a criminal gang, also might try to recruit the engineer to share design secrets for a new manufactured product, even one under contract with the U.S. Defense Department. Or, the malware could sit inside a system for a long time, grabbing up bits and bytes of passwords stored in memory that eventually allow the hackers to gain access to more secure portions of a corporate network.
“Some workstations in companies have administrative rights, and that’s where an admin’s password could be hacked,” Litan added. Or, a hacker might find out a service contractor worked for the manufacturer on a point-of-sale system (PoS) and could be hacked for that contractor’s passwords to gain entry to the PoS.
“There are so many hacks now,” Litan said. “Compared to 10 years ago, systems are more connected than ever.” A decade before that, in the 1990s, the use of the internet by the private sector was only just beginning, and it has since grown exponentially.
Reports of hacks and those not reported
A factor complicating the private sector's cybersecurity dilemma is that companies don’t want to talk publicly about having been hacked, in fear of losing customers or investors. Analysts believe there are many more hacks against enterprises than are being publicly reported.
Companies that are doing better with the newer cybersecurity systems -- especially financial services and telecommunications -- don’t want to brag about their achievements out of concern they will only invite attacks.
Some attacks are widely discussed with a lot of Monday morning quarterbacking. They include the Sony Pictures hack in 2014 and the data breach of retailer Target in late 2013, where PoS malware stole credit and debit card information on more than 70 million customers.
Many hacks of private sector companies are not detailed in public, as indicated by the admissions of employees in anonymous surveys. A new survey of 3,027 IT workers and end users at U.S. and European organizations found 76% had been hit by the loss or theft of important data over the past two years, a sharp increase from 67% in a similar survey done in 2014.
The survey was conducted by the Ponemon Institute, an independent research and education group focused on information and privacy management. Of the 1,371 end users in the survey, 62% said they had access to company data that they probably shouldn’t see. IT workers in the survey said negligence by insiders was more than twice as likely to cause the compromise of insider accounts as compared to other factors like external attacks, or actions by disgruntled workers or contractors.
The institute concluded that data loss and theft was due largely to compromises of insider accounts, exacerbated by far wider employee and third-party access to information than is necessary. The institute also said companies continue to fail to monitor access and activity around email and file systems, where most of the sensitive data lives.
The level of security varies by industry segment. Healthcare institutions, specifically hospitals, almost always get a bad mark. IDC said in a recent report that hospitals, universities and public utilities rank worst in their security capabilities and practices.
Not surprisingly, ransomware attacks were named by 69% of the 150 respondents as the top concern.
There is some good news, however, on the front to thwart cyberattacks from nations competing with the U.S. Analysts and companies, such as Duke Energy and Verizon, were encouraged recently when U.S. intelligence officials said they would soon share supply chain threat reports with critical U.S. industries in telecommunications, energy and financial businesses.
Those threat reports will go beyond some of the conventional software means of tracking existing hacks into other companies and locations and hopefully will reveal information about human actors and their potential targets, Litan said.
Even so, keeping up with cybersecurity will be an evolving, constantly changing process for the private sector.
“For companies, it’s a matter of paying attention,” Litan said. “Companies don’t spend enough time and money on the problem. They don’t think they need to. It’s a matter of priorities.”
“Attacks will surely get worse, even as cybersecurity software improves,” Litan said. “There’s a hotbed of innovation, even though people don’t focus enough on security. Basic technology must be put in place. We all really live in a bad neighborhood and we all need locks on the doors.”