The escalation of cybersecurity incidents and the investments that companies make in solutions just don’t seem to jibe, at least on the surface.

On average, companies deploy 47 different cybersecurity solutions and technologies, according to a study by the Ponemon Institute, which also found companies spend an average of $18.4 million annually on cybersecurity.

Yet, organizations continue to get hit—successfully—by attackers, some of them disruptive or destructive on the scale of SolarWinds or the Colonial Pipeline. Maybe that’s why most respondents in the Ponemon study don’t trust their investments to safeguard their organizations—fewer than half are confident that their tech and staffs can stop breaches, the report found, and 53% don’t know how well the cybersecurity tools deployed are working.

That begs the question: With all the money spent on tools and services, why does security keep failing?

While the usual culprits—limited budgets and staffing and a compliance checklist mentality—bear some blame, they don’t account for sometimes astounding failures. Ironically, technology—or, at least, advances in technology—might be part of the reason, too. Security just hasn’t been able to keep up with tech that has advanced wildly and, typically, it’s been bolted on after the fact, not baked in.

“The speed at which technical innovations are adopted in society and become critical to societal functioning far exceeds the speed by which risks can be analyzed,” says John Bambenek, threat intelligence advisor at Netenrich. “It took almost 20 years to (mostly) understand secure web application development and in that time we’ve created IoT/embedded systems, mobile computing and machine learning, all of which have in many ways forgotten the best practices other technologies have had for a decade.”

Spending on security may be misplaced as well. “The truly risky thing is that most organizations don’t use the right prevention tools, and when their detection tools discover the breach, the threat actor is already inside the organization. This is the only way to detect something: after it has started to act,” says Eddy Bobritsky, CEO at Minerva Labs.

Bobritsky points out that more than 95% of malware are evasive, using evasion techniques to evade security controls to avoid detection, and characterized by multistage attacks featuring ever-changing malicious code. “In the past 10 years, year over year more money is invested in endpoint security, and yet, year over year the number of successful ransomware attacks increases,” he says.

So-called tool sprawl is being “driven by a real lack of a strategic view by those people who are implementing tools,” says Bob Maley, CSO at Black Kite. “People tend to look for the easy button—what’s the easier way we can do this?”

By putting more dollars into digital transformations, organizations may have inadvertently exacerbated a tranche of security issues. “Investments in tech are steadily inching up; however, they are mostly being allocated toward accelerating digital transformation,” says Pathlock President Kevin Dunne. “Digital transformation often means decentralized purchasing of cloud-based technology, resulting in a disparate landscape of best-of-breed software with less oversight from security and IT.”

In some ways, Dunne notes, “this trend is increasing risk exposure, as these shadow IT assets are growing in number and difficult to discover and protect.”

People Matter in Security

The tech issues don’t diminish the role of humans, who experts say are at the heart of most security incidents. “Even with an increase in using more advanced technology, such as AI for stronger threat detection, we are still hearing about increasing data breaches, ransomware attacks and phishing schemes,” says Heather Paunet, senior vice president at Untangle. “In many cases, it is human error, not the technology that is failing. In fact, it’s been reported that 95% of cybersecurity breaches are caused by human error.”

In fact, Untangle’s “2020 SMB IT Security Report” found that a quarter of respondents identified employees who don’t follow the rules as a barrier to IT security.

That’s unfortunate because that makes them even more susceptible to increasingly sophisticated attacks that take unexpected twists and turns. “Threat actors use evasive ways to gain a foothold in an organization’s network, and their evasive ways enable them to keep under the radar for detection tools while they can live inside the organization network for a long time, stealing the necessary data,” says Bobritsky. “In the past, most of the attackers waited only for the right moment to encrypt the data and ask for ransom, but now they are using stolen data for business purposes or for asking for higher ransom with the threat of publishing the sensitive data.”

Some attackers “use malware that can wander around the internet for a while until they find themselves in a place they can be triggered,” he adds.

Others aim attacks on specific businesses, plying weaknesses including remote connection, emails with malicious files or even using legitimate software against a wide variety of organizations, from finance to manufacturing.

Doing Security Better

Despite the monumental and growing threats against them, however, organizations can increase the odds that their security won’t fail in the face of increasingly sophisticated and frequent attacks. “They put dependence on compliance and controls and they don’t do the No. 1 thing they should be doing,” says Maley. “And that’s looking to things— looking inside their networks to see if the bad actors are there and looking outside their networks to see how bad actors look at them and how they’re going to try to get in.”

There are specific tried and true actions security teams should take as well. “It is imperative that IT administrators follow best practices as well as training their employees to do so,” says Paunet. “For example, in the Pulse Secure attack, not only did attackers find and exploit the newly discovered vulnerability, but they were also able to exploit three further vulnerabilities by looking for organizations that had not followed best practices to keep software up to date.”

Pulse Secure had already addressed those other vulnerabilities and they “would not have been exploitable if the organizations had upgraded their systems,” she says.

Paunet recommends that companies take the following steps to combat failings and strengthen their network security:

  • Require the use of VPN technologies for remote workers.
  • Follow strict onboarding and offboarding as employees join and leave a company to ensure access is only given if needed and revoked immediately as they leave.
  • Segregate network access to ensure employees are only given access to the systems that they need.
  • Continuously train employees. As security adversaries find new ways to infiltrate networks, keeping employees trained will strengthen your network security.
  • Keep up on the latest technologies by keeping all systems up to date on the latest version.
  • Deploy multiple security layers of protection. If a bad actor does get through the strongest barriers, having multiple security layers provides protection to help isolate the threat and minimize the impact.
  • Upskill current employees to retain current talented workers and keep their skills one step ahead of cybercriminals.

Reducing the time to detect and contain a breach is critical, as well. According to White Hat Security’s “AppSec Stats Flash” report, the window of exposure for apps is increasing across most business sectors. In utilities, the average time to fix a critical vulnerability reached an all-time high of 197 days this spring.

“The industry should adopt a new approach and technologies, scalable, that are built to prevent modern threats before any damage has been done, at the beachhead stage—solutions that will enable organizations of any size to deal with modern cyber threats regardless of their team’s size, skill set and toolset,” says Bobritsky.

But real change and success will come when security is no longer an afterthought.

“It isn’t until we cook in security from the beginning and come to terms that the people developing these technologies have some liability for the risks that they insist others accept will we ever see any meaningful change,” says Bambenek.