A study released Wednesday suggests that despite the growing time and resources companies spend on cybersecurity, they’re at best keeping even with the hackers and may in fact be losing ground.
Hackers, the study said, are becoming more skillful and their tools more effective, and the market for their stolen information is flourishing.
The study, conducted by the RAND Corporation, was based on extensive interviews with 18 chief information security officers, or CISOs — traditionally the top cybersecurity position in corporate organizations — as well as a review of current cybersecurity products on the market.
The authors of the study, “The Defender’s Dilemma: Charting a Course Toward Cybersecurity,” conclude that worldwide corporate spending on cybersecurity now nears $70 billion annually and is on track to grow at a rate of 10 percent or more each year.
Despite that investment, report authors say, CISOs are relatively pessimistic about their battle against cyberattacks and believe that hackers may in fact gain the upper hand in a matter of a few years.
That last finding was among several that report authors suspected even before the study was conducted. Other preconceptions the study confirmed were that larger businesses often had more options for strengthening cybersecurity than smaller ones, and that walling off specific parts of corporate computer systems from the Internet can help guard against attack.
Among the more surprising findings for the report authors was that CISOs often view the greatest damage caused by cyberattacks to be on a corporation’s reputation, rather than the actual stolen data or intellectual property.
“The bedrock of cybersecurity is good system software,” the authors wrote. “Companies often find themselves having to invest in defensive measures because foundational systems and software are unsecure. The security and solidness of the actual software helps to prevent attackers from gaining a foothold on a network.”
The report said that recent high-profile data breaches at Sony Pictures Entertainment, Anthem Insurance and many other private firms have paradoxically strengthened corporations’ cybersecurity posture, because corporate boards are taking the issue much more seriously.
“Core software is improving, and cybersecurity products are burgeoning,” the authors write. “The combination is likely to make the attacker’s task more difficult and more expensive — which will not solve the problem, but will make it more manageable.”
Several recent studies have shown that many companies are more worried about the damage to their reputations from cyber attacks than the actual loss of intellectual property or other valuable information.
A previous study by the Ponemon Institute says the most costly cyber crimes include attacks by malicious insiders and "denial of service" attacks that overwhelm a firm's computer systems. The Ponemon study also says the longer such attacks continue, the more costly they become, with business disruption the largest expense.
Ponemon Institute founder Larry Ponemon said the problem of cyber attacks is huge and getting worse at an “exponential” rate. In a VOA interview, he said such attacks had already put some small and medium-size companies out of business, and that it was “just a matter of time” before a large firm, like Target, is closed by cyber issues.
A separate report Tuesday from the Standard & Poor’s rating agency says global business losses from cyber attacks may run as high as $400 billion per year.
S&P says it evaluates how management handles all risks, including this complex and growing one, as it determines credit ratings. The rating agency says some insurance companies offer protection for financial losses due to cyber attacks, but that the field is so "fluid" and unpredictable that insurers are having difficulty judging how to evaluate risk and price their products.
Ponemon said insurance protection against cyber attacks is getting better but has a “long way to go.”