Enterprises Increase Security Spending but not Efficacy

One of the constants in cybersecurity is that wherever there is a breach there is a high probability that there’s a stolen credential involved. With that perspective in mind, a recent report by security vendor Pulse Secure and the CyberRisk Alliance shows that enterprises are underestimating the importance of the role of credentials in breaches.

According to the report, just over half of the organizations surveyed (52%) considered phishing attacks or ID and credential theft as the top concerns in Q3 2020. Further, 38% of all of those surveyed said they experienced unauthorized or improper resource, application or data access.

According to the findings in the third quarter of 2020, North American cybersecurity spending remained flat quarter over quarter, but North American organizations allocated more of their spending toward reactive measures rather than proactive security controls. Comparatively, European organizations surveyed increased security spending and focused more on proactive security controls.

The report also measured security effectiveness metrics based on the Cybersecurity Resource Allocation and Efficacy (CRAE) Index, which was created by the CyberRisk Alliance. The CRAE index attempts to quantify the focus and direction of an organization’s cybersecurity activities. A CRAE score greater than 50 indicates an increase in spending or efficacy, and a score of less than 50 points to a decrease in cybersecurity spending and efficacy.

Broadly, IT security spending increased to 66.7 in the third quarter compared to the second quarter, according to the report. Interestingly, organizations didn’t necessarily get a boost in security effectiveness with that spend—overall efficacy dropped to 74.2 in the third quarter from 75.8 in the prior quarter.

There were considerable differences in the CRAE score among several industries. Health care, for instance, accelerated its spending in the third quarter by 5.8 points to reach 69.6 points. The growth was based on an increase in cybersecurity training and awareness programs, developing processes to secure digital and physical assets, and purchasing or implementing cybersecurity technology, according to the CyberRisk Alliance. “Healthcare industry respondents highlighted budgetary constraints, a trend continuing from Q2, as their primary challenge to combat rising threats and address elevated risks from untrained staff and employee carelessness with highly sensitive data,” the alliance noted in a statement about the report.

Security spending in the financial services industry, meanwhile, fell to 67.4 from 68.2 in the previous quarter. Efficacy also fell by 3.2 points in the quarter. Manufacturing spending, however, increased 1.2 points to reach 67.8 and efficacy increased 2.3 points to reach 75.1. “Work from home requirements due to the pandemic impacted manufacturing firms, with many respondents indicating positive changes to improved security policies within their organizations,” the CyberRisk Alliance said in its statement.

The CRAE index is based on a survey of 300 business, IT and cybersecurity professionals who work at organizations with 500 employees or more. The organizations operate within the healthcare, financial services, manufacturing and high-tech/business services industries in North America and Europe. The index is based on NIST’s five-point cybersecurity framework—identify, protect, detect, respond and recover.

It’s great to see organizations increasing their security spending, but it’s also essential that they spend in ways that will effectively increase their ability to defend themselves.