Employees Remain Biggest IT Security Threat, But Training & Investment Still Lag Behind

March 1, 2023

If your cybersecurity efforts were the big boss in a video game, your users would be the flashing weak point for hackers to attack. So why aren’t IT departments spending more time and money on training?

Surveys from across the industry are discovering that while IT security spending continues to increase, even with budgets shrinking overall, the amount spent on policy, end user training, and staff certification is much lower than the amount spent on hardware and software for detection and mitigation.

Malware and ransomware continue to grow as threats, and their primary entry point into your systems is users clicking on malicious links or e-mail attachments. Most healthcare breaches come from stolen devices or unsecured workstations. Users regularly reuse the same password at work as on their personal sites and applications, so when a large breach occurs at, say, LinkedIn, their work accounts can also be compromised.

Kaspersky Labs lists phishing and social engineering among their top threats for 2016, and four of their top five precautionary steps rely on the user (use strong passwords, destroy sensitive documents, don’t open suspicious e-mails, and keep antivirus software up to date).

Where Are IT Security Dollars Being Spent?

A SANS study from 2015 found that protection of data is the most important reason for security spending, followed by compliance, then reducing incidents and breaches.

Security spending is increasing, even as IT budgets overall are dropping. For companies with an IT budget between $500,000 and $1 million, projected IT security spending jumped from 4%-6% of the budget to 7%-9% in 2016.

However, companies are mostly spending on software, hardware, staff, compliance, and risk reduction rather than on end user training, governance, policy, or security programs.

72% reported operational spending was focused on protection and prevention, 62% said detection and response, 58.6% said compliance and audits, and 49.7% said risk reduction. Most of these categories involve using a combination of hardware and software in concert with trained IT staff to detect, mitigate, and restore systems from cyber attacks.

Only 45.5% said they were using operational spending for end user training and awareness. Only 43.4% reported governance/policies, and only 39.3% said staff training and certification.