Vanta: Cybersecurity spend should be 30% of the IT budget

Currently it's 9% in the UK


Cybersecurity is a numbers game. Cyber teams are barraged by hundreds, thousands or even millions of attempts to crack their systems every day. Fortunately most of these are basic and easily dealt with by filters, but it only takes one of the more sophisticated attempts to get through to spell trouble.

Speaking at a media roundtable in London last week, Sarah Armstrong Smith, chief security advisor at Microsoft, revealed that the company blocks 250,000 password attempts a minute. That's 360 million per day. Of course, Microsoft is a huge global corporation with millions of customers, but then again, if only a tiny fraction of these attempts succeed, perpetrators can make a very comfortable living at the expense of their victims. As indeed they do. And password spraying is just one of many different attack vectors at their disposal.
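The filters mentioned above typically work on the shape of failed logins rather than on any single attempt. As an added example (not code from the article, Microsoft, or Vanta), the script below distinguishes a password spray (one source, many distinct usernames, few attempts each) from a classic brute force (one source hammering one account) over a small batch of constructed authentication log lines. The log format, the source addresses, and the thresholds (ten-minute window, five failures, 80% distinct users) are all assumptions chosen for illustration, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's format):
#   <ISO-8601 timestamp> src=<ip> user=<name> result=FAIL|OK
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: one spraying source, one brute-forcing source,
# and one user who mistyped a password twice and then got in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2024-05-01T10:01:00Z src=198.51.100.9 user=bob result=FAIL
2024-05-01T10:01:01Z src=198.51.100.9 user=bob result=FAIL
2024-05-01T10:01:02Z src=198.51.100.9 user=bob result=FAIL
2024-05-01T10:01:03Z src=198.51.100.9 user=bob result=FAIL
2024-05-01T10:01:04Z src=198.51.100.9 user=bob result=FAIL
2024-05-01T10:01:05Z src=198.51.100.9 user=bob result=FAIL
2024-05-01T10:02:00Z src=192.0.2.7 user=carol result=FAIL
2024-05-01T10:02:05Z src=192.0.2.7 user=carol result=FAIL
2024-05-01T10:02:10Z src=192.0.2.7 user=carol result=OK
"""


def parse(lines):
    """Yield (timestamp, src, user, result) for every line matching LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an auth event
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["src"], m["user"], m["result"]


def classify_sources(lines, window=timedelta(minutes=10),
                     min_failures=5, spray_user_ratio=0.8):
    """Return {src: verdict} for every source that produced at least one failure.

    Verdicts (thresholds are assumed values, tune for your environment):
      password-spray  - >= min_failures in one window, mostly distinct users
      brute-force     - >= min_failures in one window, all against one user
      suspicious      - >= min_failures but neither pattern cleanly
      benign          - too few failures in any window to care
    """
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for ts, src, user, result in parse(lines):
        if result == "FAIL":
            failures[src].append((ts, user))

    verdicts = {}
    for src, events in failures.items():
        events.sort()
        # Sliding window over sorted failures: find the densest window.
        best, j = [], 0
        for i in range(len(events)):
            while events[i][0] - events[j][0] > window:
                j += 1
            if i - j + 1 > len(best):
                best = events[j:i + 1]

        n = len(best)
        if n < min_failures:
            verdicts[src] = "benign"
            continue
        distinct_users = len({user for _, user in best})
        if distinct_users / n >= spray_user_ratio:
            verdicts[src] = "password-spray"
        elif distinct_users == 1:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "suspicious"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:15} {verdict}")
```

The per-source view is the easy case; a patient sprayer spreads attempts across many addresses and keeps each one under the threshold, so in practice the same logic is also run per target user population (many accounts failing once each from anywhere in the window) and fed with failed-login events from every identity provider rather than a single host's log.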

Armstrong Smith was armed with more worrying statistics. For example, more than 50% of all criminal activity in the UK is related to cyber or fraud, but only 1% of police resources are allocated to deal with this class of crime. "Cybercrime is this invisible world, it's not very visible to the public in terms of what is reported to the police," Armstrong Smith said.


The vast majority of cybercrime (80-90%) involves identity-based attacks, including phishing and business email compromise (BEC). "Identity-based fraud and crime is going off the scale," she said.

Minimal chance of recompense

As well as being out of the public eye, fraud cases are notoriously complex and expensive to solve, often crossing jurisdictions and requiring evidence that is very difficult, and expensive, for law enforcement to obtain. This makes cyber and fraud low-risk activities for criminals. Drug gangs around the world are moving into cyber, as there is a lower chance they will be caught.

Unlike identity-based fraud, ransomware is in the public eye, but the common perception that only large organisations are targeted is incorrect. Eighty to ninety percent of victims are small businesses, Armstrong Smith said, in part because they lack the tools and expertise to defend themselves. Again, the perpetrators are unlikely to ever be brought to justice.

Added to this, nation state actors are increasingly willing to target businesses, organisations and infrastructure of their adversaries.

Since prosecuting cybercrime is so difficult, victims' chances of recompense through the courts are limited. This puts even more weight on prevention.


But, cyber teams are struggling to keep up as it is. According to Jadee Hanson, CISO at trust management platform Vanta, only 9% of UK organisations' IT budgets are spent on cybersecurity. This figure, based on a survey of 500 businesses, is far from being commensurate with the risk, she said.

"It's not enough at all. I would recommend a 30% target."

Cyber teams are well aware of the risks, she said, but the challenge is getting the board to understand. "They're just bumping up the constraints of the business. Trying to justify spend for something that might happen one day is hard when [the board] want to see the return on investment. They're saying, ‘I could just give those dollars to a sales team and they'd make six times that'."

One way to drive cybersecurity up the agenda is to build metrics for compliance and risk management into the sales process, said Simon McDougall, chief compliance officer at market intelligence platform Zoominfo. "We want to be able to give evidence that we've shortened the sales cycle and accelerated the process, so we're always looking at how we can get involved in a sale."

This might include the compliance or security department offering advice to a large corporate client, or providing detailed data under NDA for a fee or to support a sale.

"In that way we're helping with the top line rather than trying to prove a negative, which is always hard," McDougall added.

"When [your organisation is] funding security you're protecting growth," added Hanson. "But if you can put the data and the controls in front of the customer, you're advertising that you have these protections in place, and that can make the process a whole lot smoother."

On its own, this will not be sufficient to boost security from 9% of IT spend to Hanson's suggested 30%. But it is one way to "shift left" across the business to counter the growing tide of threats, building security into all operations rather than seeing it as a separate concern.