Firms are shifting their cyber security spend away from traditional Prevent & Protect approaches towards Detect & Respond operations, according to a new study by the analysis and consultancy company Pierre Audoin Consultants (PAC). The new research found the shift in spending is due to a realisation that cyber attacks are inevitable.
The study questioned 200 people from companies with more than 1,000 employees in the UK, France and Germany, which together account for 60% of the Western European cyber security market. The study was supported by FireEye, HP, Telefonica and Resilient Systems.
Key findings of PAC’s research include:
- Firms spend 77% of their security budgets on a traditional Prevent & Protect approach using end-point solutions and firewalls.
- Spend is moving towards the post-breach Detect & Respond capability: which accounts for 23% of spending today but will grow to 39% in two years, the survey found.
- This shift is in response to growing cyber security threats. 67% of firms experienced a breach in the last year, and 100% have been breached at some time in the past.
- Firms struggle to identify cyber breaches, and 69% take between one and six months to discover an attack. The costs of a breach are increasing with an average of
- €75,000 of direct spend being incurred, as well as loss of business and reputation. Most firms also need between one and six man months to recover from a breach.
As the cost of cyber breaches continues to rise, firms are looking to external provision of Incident Response in order to reduce costs and access the required expertise quickly.
“Firms are coming to terms with the inevitability of a cyber breach,” said Duncan Brown, Research Director at PAC and lead author of the study. “Rather than spending a majority of security budget on prevention, firms will apply a more balanced approach to budgeting for cyber attacks.”
Firms also need to address their readiness for cyber breaches. “We saw that 86% of firms think they are prepared for a cyber breach,” added Brown. “But 39% don’t have a cyber readiness plan, suggesting that some firms are in denial, or ill-informed, as to the true status of their readiness.”
The study sponsors confirm PAC’s view
“Cyber attacks have become increasingly personalised resulting in many more organisations being compromised with a much greater business impact,” commented Greg Day, EMEA VP & CTO, FireEye.
“This shows that companies can no longer afford to focus solely on defence – they need to also balance it with incident response. But are businesses actually prepared? The study shows there is a misalignment today between businesses confidence to respond to a breach and their actual capabilities. The predominant gap is people skills which typically is not a quick fix. The proposed requirements being discussed in EU legislation for notification will be a significant challenge for many to achieve.”
“Keep in mind as defenders, we have to be right all the time and attackers just have to be lucky once,” said Arthur Wong, senior vice president of Enterprise Security Services at HP. “In today’s threat environment, it is no longer a question of ‘if’ you will be attacked, but ‘when’ and how you respond to the inevitable breach can have lasting consequences on your business and your brand’s reputation.”
Outsourcing of Incident Response is the norm
In contrast to most firms’ resourcing of cyber security, Incident Response provision by third-parties is the norm, according to the study. “69% of firms use external resources to respond to a cyber incident,” said Brown. “This use of third-party Incident Response services is a long-term strategy, as firms plan to bring in specialists when the need arises.”
Most CISOs (Chief Information Security Officers) worry about outsourcing security because they perceive a loss of visibility and control. “With Incident Response it’s better to have an external resource standing by, possibly on retainer, than divert internal staff from their core responsibilities when an attack occurs,” Brown continued. “A cyber breach may be inevitable but the nature and timing of an attack is unpredictable.”