By Kathy Gibson – Cyber-threats are coming at us thick and fast, with the potential to cause untold damage, but enterprises are still not aligning their security spend with the threats.
“Security is an increasing area of focus for organisations,” says Jon Tullett, research manager for IT services: sub-Saharan Africa at IDC, speaking at the IDC Directions conference.
The problem is that, although companies are investing in security solutions, these are often found wanting.
Tullett points out that, in 2018, security breaches will outpace organisations’ ability to respond to or mitigate them, with most solutions at least a generation behind the current vulnerabilities.
The people element of security remains one of the top issues, with significant challenges when it comes to security awareness and skills.
This is of particular concern to enterprises, where managers and staff face a disproportionate amount of phishing and whaling attacks.
“The challenge in managing security is that people are most often the weak link,” Tullett says.
Meanwhile, end point protection is the technology that is least able to stop determined attacks on the enterprise. However, it is still the area where organisations are focusing the bulk of their security spend.
“And their investment in end point security is still growing,” Tullett points out. “It’s one of those areas that companies believe they just have to invest in.”
Analytics, on the other hand, receives the least amount of money in terms of technology spend.
Even more significantly – given that people are the weakest link in the enterprise – training and education is rock-bottom when it comes to how organisations hope to tackle the security challenge.
“In fact, companies are not tackling the human element at all,” Tullett says. “We all know this is the weakest link, but it’s almost as if companies have given up.”
One positive indication is that spending on managed services is increasing. “Managed security is big, and it’s growing,” Tullett says. “In many cases, this move is in response to the skills shortages.”
It doesn’t address the lack of awareness among non-technical people within the organisation, however, so system hacks caused by staff members are set to continue growing.
Small and medium enterprises are particularly lax about their security, Tullett says. “Most SMEs still employ ad hoc security solutions – even though the lifespan of an SME that has suffered an attack is roughly halved.”
The hotspots for cyber vulnerabilities are emerging technologies, where security might not have been sufficiently factored in.
“For instance, with Internet of Things (IoT), the bad guys are about two years ahead of the good guys,” Tullett says. “So you have to ask yourself if you can trust the data coming from an insecure IoT network.”
Cloud is also less secure than organisations would expect and hope for. Breaches at the application level have been seen, and will happen again.
“The Spectre and Meltdown vulnerabilities open up new opportunities for cyber-crooks; meanwhile the performance hits from the vulnerabilities themselves and the patches cause performance degradation that translates into cost. This could add 20% to the cost of using services in the cloud.”
Artificial intelligence (AI) and cognitive computing are relatively new areas, and companies are experimenting with them now.
However, Tullett warns that these technologies will attract attempts to poison AI outcomes and to manipulate inputs.
“Companies have got to ask themselves if they trust their machine learning model,” Tullett advises.