As we have now entered the final quarter here in 2017, I thought that I would begin to look at predictions for the upcoming year and beyond. CyberSecurity Ventures boldly tells us that we have another banner year in store:
First news flash: Cybercrime will cost the world $6-trillion annually by 2021, up from about half of that figure in 2015, or a 100% increase in 3 years – that is one impressive market. I can hear the Unicorn hoof beats now.
Yet, in spite of that, global spending on cybersecurity products and services will only get to about $1 trillion a year and stay there through 2021. Let’s see; that means that for every $6 in losses, we are spending $1 to prevent losses. What’s the old saying about how to make $1 million in the restaurant business? Oh yeah, you start with $10 million. But in Cybersecurity, you don’t even get a nice meal.
Settle down, all you Unicorns.
There will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from 1 million positions in 2014, which is about 357,000 additional job vacancies per year. At the same time, of the 4,000+ colleges and universities in the U.S., fewer than 3% offer a Cybersecurity degree, which may translate to 12,000 newly minted graduates per year. I don’t have to do the rest of the math for you.
The good news, however, is that there are tons of private and commercial non-educational companies offering a whole slew of Cybersecurity training and certification programs. The bad news is that most companies continue to look outside for external resources instead of investing in their existing staff. I should remind those who do the latter that they need to bump their pay to competitive levels once they get trained or the inevitable will happen – and it’s not the employee’s fault.
And in case you work in HR and need some bullets, the cybersecurity unemployment rate dropped to effectively zero percent in 2016, is still there today and is expected to remain at zero through at least 2021. ZERO!
If you haven’t looked at your existing applications lately, you might want to note that there are 111 billion new lines of software code that need to be secured in 2017, and that figure will grow dramatically every year over the next five years. Every existing or proposed Cybersecurity regulation I have seen is insisting on code reviews, as well they should.
Global spending on cybersecurity products and services by healthcare-related firms (which are currently the firms facing the most cyber-attacks) will reach $65 billion cumulatively from 2017 through 2021, while global ransomware damages will exceed $5 billion in 2017 – up 15X in just 2 years – and ransomware attacks on hospitals will quadruple by 2020. Accenture says that data breaches will cost the healthcare industry more than $300 billion of cumulative lifetime patient revenue over the next five years.
Math time again: Spend $13 billion a year between now and 2021, while we incur $60 billion in annual cost. That makes perfect sense, right?
Why healthcare and hospitals? Willie Sutton would be able to explain that. Healthcare companies are notorious for their limited investments in cyber security and over half of surveyed healthcare providers admitted to not being prepared against IT attacks. In addition, 4 out of 5 healthcare executives in the US admitted that their IT has been compromised by hackers.
Aside from the inadequate cyber security programs of hospitals and health care institutions, one reason cyber criminals use ransomware to force these companies to pay up is the nature of healthcare operations.
Hospital and healthcare providers need rapid access to patient data as well as a functional communications system. In addition, they like to be able to finish surgical procedures while the patient is still breathing. Thus, these institutions are more likely to pay out instead of letting their operations be affected by Ransomware and, soon, Extortionware. Shutting down all the ORs would be a very simple way to generate a huge payday. Stand by for one of those in the next few months.
The number of cybersecurity engineers and analysts in the Washington D.C. beltway area is 350% more than the rest of the United States combined, yet the U.S. government Cybersecurity readiness is among the poorest in the world. What are all these people doing?
Spending to train employees on security awareness will exceed $10 billion annually by 2027, up from $1 billion in 2014, which may sound impressive but represents only half a billion in spending per year on one of the key necessities for defending against common Cybersecurity attacks. We could all be dead by 2027.
Wi-Fi and mobile devices will account for nearly 80 percent of IP traffic by 2025. Think about that. The least secure and most threat-expansive technology will dominate corporate network traffic over the next eight years. We just now discovered that a Wi-Fi exploit that takes advantage of several key holes in the WPA2 security protocol is rendering all mobile devices vulnerable. Microsoft immediately released a fix, but the point is that we have been running on this protocol for years and had no idea we were sitting on a trap door.
Bring-Your-Own-Device and mobile apps will continue to pose a major security threat to the enterprise over the next eight years. So what do we do? We invite more people to use their own devices.
Of course we do.
And I leave you with this one: Newly reported zero-day exploits will rise to one-per-day by 2021, up from one-per-week in 2015.
Have a great 2018 and don’t forget to keep smiling.