European firms are shifting their cyber security investment from traditional prevention and protection to detection and response capabilities, a study has revealed.
The shift in spending is due to a realisation that cyber attacks are inevitable, according to the study by analysis and consultancy firm Pierre Audoin Consultants (PAC).
But the study shows this shift is overdue, with nearly 40% of respondents admitting they have no incident response (IR) plan in place, and only 30% of those with IR plans test and update them regularly.
The study, sponsored by FireEye, HP, Telefonica and Resilient Systems, polled 200 people from companies with more than 1,000 employees in the UK, France and Germany, which together account for 60% of the western European cyber security market.
The study showed that firms still spend 77% of their security budgets on a traditional prevent-and-protect approach using endpoint security products and firewalls.
But researchers revealed that security investments are moving towards the post-breach detect-and-respond capability.
They expect spending on this approach to increase from 23% of security budgets to 39% in the next two years.
PAC researchers ascribe this trend to the growing number of cyber security breaches, with 67% of respondents reporting their firm experienced a breach in the past year, while all respondents said their organisations had been breached at some time in the past.
The study also revealed that firms are still struggling to identify cyber breaches, with 69% taking between one and six months to discover an attack.
The cost of a breach is also increasing with an average of €75,000 of direct spend being incurred in addition to the loss of business and reputation. Most firms said they need between one and six man-months to recover from a breach
As the cost of cyber breaches continues to rise, PAC researchers revealed that firms are looking to external provision of incident response in an attempt to reduce costs and access the required expertise quickly.
“Firms are coming to terms with the inevitability of a cyber breach,” said Duncan Brown, research director at PAC and lead author of the study.
“Rather than spending a majority of security budget on prevention, firms will apply a more balanced approach to budgeting for cyber attacks,” he said.
Brown said the study shows that firms also need to address their readiness for cyber breaches. “We saw that 86% of firms think they are prepared for a cyber breach, but 39% don’t have a cyber readiness plan and 22% have no technology in place to assist with incident response, suggesting that some firms are in denial, or ill-informed, as to the true status of their readiness,” he said.
Cyber attacks increasingly personalised
Cyber attacks have become increasingly personalised, resulting in many more organisations being compromised with a much greater business impact, said FireEye European vice-president and chief technology officer (CTO) Greg Day.
“This shows that companies can no longer afford to focus solely on defence – they need to also balance it with incident response. But the study shows there is a misalignment between businesses’ confidence to respond to a breach and their actual capabilities,” he said.
According to Day, the predominant gap is people skills, which is typically not a quick fix. “The proposed requirements being discussed in EU legislation for notification will also be a significant challenge for many to meet,” he added.
Resilient Systems CTO Bruce Schneier said that as the cyber threat landscape becomes more challenging, businesses need enhanced response plans to ensure they are able to survive and thrive in the face of these threats.
“For decades, companies have focused on preventing and detecting attacks, but they haven’t focused enough on incident response. This is critical to good security,” he said.
HP Enterprise Security Services senior vice-president Arthur Wong said while defenders have to get it right all the time, attackers have to be lucky just once.
“In today’s threat environment, it is no longer a question of ‘if’ you will be attacked, but ‘when’, and how you respond to the inevitable breach can have lasting consequences on your business and your brand’s reputation,” he said.
In contrast to most firms’ resourcing of cyber security, incident response provision by third parties is the norm, according to the study. “69% of firms use external resources to respond to a cyber incident,” said Brown. “This use of third-party incident response services is a long-term strategy, as firms plan to bring in specialists when the need arises.”
Brown said most CISOs worry about outsourcing security because they perceive a loss of visibility and control.
“With incident response it’s better to have an external resource standing by, possibly on retainer, than divert internal staff from their core responsibilities when an attack occurs because while a cyber breach may be inevitable, the nature and timing of an attack is unpredictable,” he said.
Source: Computer Weekly