Most businesses worldwide claim to be confident that their current cybersecurity budgets are fit for their needs, but at the same time would be willing to spend more, according to Fastly.
While 71% of businesses highlighted their confidence in their currently budgets, 73% of the same businesses are willing to increase their budget. In the US specifically, over 85% of IT leaders considering their current budget adequate, but 79% are still thinking of increasing it.
This cyber spending paradox has been highlighted in Fastly’s latest study, Fighting fire with fire: research reveals cybersecurity strategies are suffering as a result of complexity, published on November 30, 2022.
One explanation is that IT leaders fear lagging the evolving cyber threat landscape and put their trust in technology to help them catch up and prepare for future cybersecurity risks.
“Overwhelmed and overworked, IT leaders are putting their faith in an abundance of tools and technologies and hoping for their best,” reads the report.
Jay Coley, senior security architect for the EMEA region at Fastly, said: “The reality, though, is that the majority of organizations are increasing spending with no clear strategy. Spending more money doesn’t necessarily equate to a safer business. Instead, it can create the illusion of security, and ironically put the businesses at even greater risk down the line when their security tools don’t work.”
Increasing Budget Is Not the Solution
According to Fastly, 39% of current cybersecurity tools are not fully deployed and active, and 42% of the ones that are fully operational overlap, protecting organizations against the same threats.
“For IT leaders, this abundance of overlapping technologies means more time spent managing them, despite gaining no additional benefits from solutions doing the same job,” states the report.
Moreover, when these tools do run, they regularly do not work, claims Fastly. For instance, the edge cloud computing firm found that more than a third (38%) of alerts sent by web application firewalls (WAFs) are false positives that still require time and effort to investigate – which is also a reason for organizations to run some of their tools in log-only mode, thus lacking to benefit from their full capacity.
“Increasing budgets won’t necessarily guarantee your organization’s security. Instead, many organizations need a full re-evaluation of their cybersecurity toolings, and a reinvestment into a smaller set of interoperable, best-in-breed technologies that work together to provide an effective, tailored security solution,” Sean Leach, Fastly’s chief product architect, argued in a press release.
Fastly also points out the “opacity” of some cybersecurity vendors, that “allows [them] to get away with selling products that do not work properly, and give their users little confidence, with the end result being that they often end up giving increasing sums of money to these vendors to buy every product they can in an effort to patch up unsuccessful cybersecurity strategies.”
Further, Fastly notes that, in 2022, IT leaders’ most prevalent concerns were surprising: “Despite the torrent of media noise around nation-state attacks, DDoS attacks, and hacks from cyberterrorists, the most top-of-mind threats were data breaches (32%), malware (29%) and phishing (26%). By simply applying a best-practice cybersecurity strategy, these top-of-mind threats are traditionally straightforward to protect against,” reads the report.
“While malware is still a concern, especially zero-day exploits, many organizations now have tools and processes in place to mitigate these threats. As a result, they choose instead to concentrate on areas of known weaknesses or where they may already have the tools but lack the processes and skill sets around them,” Coley told Infosecurity.
Leach said of the findings: ‘‘These stats paint a picture of cybersecurity strategies fuelled by fear. If businesses get the fundamentals of cybersecurity right – such as non-SMS based two-factor authentication (2FA), rigid authorization rules, rate limiting to control sent or received requests when needed, and comprehensive security training across all parts of the organization – they are able to defend against the majority of the most common threats, particularly potential data breaches.” These basic steps go a long way to preventing severe financial and data losses and should be priorities for all businesses, regardless of size.”
The survey was conducted in partnership with Sapio, a market research company, among 1,419 IT decision makers, with at least some responsibility in cybersecurity, in organizations with over 250 employees in Australia and New Zealand, and in organizations with over 500 employees in Germany, Austria, Switzerland, Denmark, Norway, Sweden, Finland, the UK, Ireland, Spain, Japan and the US.