Why Throwing Money at Cybersecurity Doesn’t Work
By Zac Amos, Features Editor, ReHack
Cyberattacks have become more frequent and debilitating as work gets more tech-centric. With so many advanced and expensive security tools available, companies should be able to protect their online information, right? It’s not that simple. Here’s why throwing money at cybersecurity doesn’t work.
More Money, More Problems
The problem with devoting more finances to cybersecurity isn’t the money itself but how organizations use it.
According to a survey from security firm Trend Micro, 42% of 5,000 surveyed companies spend most of their cybersecurity budgets on risk mitigation. Instead of investing in proactive solutions, they are constantly paying for damage control. This finding should come as no surprise, as many employers still neglect cybersecurity awareness training.
Social engineering, malware and other basic attacks remain the greatest threats to most businesses. A larger emphasis on training would be a simple, cost-effective way to combat these risks, yet people continue to ignore their weak points and take action only when it’s too late.
One reason companies are still undertrained is that they think an advanced cybersecurity infrastructure will do the dirty work for them. They assume the system will stop all threats with no human intervention required. Of course, this is a misconception. The cyberthreat landscape is always changing, so all systems need regular audits to address their vulnerabilities.
Another problem with throwing money at cybersecurity is a lack of standardization. Using a wide range of tools to manage security threats can lead to operability issues. Collecting data for risk assessment is a key part of cybersecurity, but that task becomes more difficult as more information sources get added to the mix.
More information does not always lead to more accurate risk assessments. Each tool operates independently, so each batch of data is also independent. This structure lacks the centralized intelligence that large organizations need to identify and address risks in a timely manner. Managing a constant stream of alerts is another downside to using many tools.
Moreover, some companies add extra layers of defense just to meet compliance checklists. The security team might not even know a tool’s intended purpose. They won’t be able to interpret the data correctly if they don’t understand how the program works. As the late management educator Peter Drucker once said, “you can’t manage what you can’t measure.”
Cybersecurity Fundamentals
Throwing more money at cybersecurity can lead to an adequate solution, but it needs direction. The real fix is choosing the right investments and learning how to maintain them. Here’s what businesses should focus on to improve their cybersecurity.
1. Cloud Storage
Rather than buying a bunch of miscellaneous security tools, businesses should take a more centralized approach with cloud storage. Cloud storage keeps data on one platform, making monitoring and evaluating much easier. The security team can oversee employee information, customer files and financial records from one standard source.
Cloud computing is especially beneficial for remote employees who spend most of their time navigating the web on their own devices. They’re more vulnerable to a cyberattack than in-house workers. A cloud storage system can give their information the same protection as the rest of the staff.
2. Automated Analytics
The human presence remains an important part of cybersecurity, but as we’ve established, people often get in their own way. Thanks to artificial intelligence (AI) and machine learning (ML), businesses can use automated analytics tools to monitor their data and identify security threats.
A detection system with AI and ML constantly gathers insights about its organization’s strengths and weaknesses. When a threat emerges, it determines the severity and sends an automatic alert so the security team can address it.
3. Awareness Training
The human part of cybersecurity that businesses need to prioritize is awareness training. A workforce that knows the most common threats and best security practices is less likely to expose sensitive information. Building smart online habits from the ground up is the most surefire way to keep cyberthreats out.
Some job positions need more detailed training than others, so multiple programs might also be necessary. Offering both an in-person and an online program is the bare minimum.
Most importantly, businesses must understand that awareness training isn’t a one-time thing. Cybersecurity is an ongoing responsibility. The programs should be updated frequently to ensure employees know about recent developments in the best habits, tools and other topics that will help them protect their data.
Fundamentals Over Funding
When it comes to cybersecurity, fundamentals will always be more important than funding. A business can throw as much money at cybersecurity as it wants, but it doesn’t mean anything without sufficient centralization, analysis and training. These basics will build the foundation of a safe, secure network.
About the Author
Zac Amos is the Features Editor at ReHack, where he covers cybersecurity and the tech industry. For more of his content, follow him on Twitter or LinkedIn.