Myth 2: There’s no reason to invest in security when organisations with tight security controls still experience security breaches.
Some organisations rationalise a small cyber security budget by arguing that investing in security is a losing game. They hear about security breaches at large organisations, with presumably large cyber security budgets, and ask: if these organisations can fall victim, what chance does their own organisation have?
Tools are just one pillar of a solid security strategy; people and process are equally important. An organisation allocating budget toward security might not be focusing it on the most effective areas. An organisation can have a big budget for tools, but if it lacks the right cyber security talent or its processes are faulty, it can still get hit.
Research has illustrated how long it can take before an intrusion is detected. The average time firms took to detect a breach rose by 40 per cent from 2016, reaching 175 days in 2017, according to the latest M-Trends report by security firm FireEye. Organisations that invest in reactive security controls, in combination with proactive security controls such as Intrusion Prevention Systems (IPS), may identify suspicious behaviours earlier and limit the damage.
Organisations that shrug off tight security controls are focusing solely on the immediate effects of infiltration, not on the total cost of the security incident. Granted, security controls are not 100 per cent effective at detection and prevention, but they can save significant time and money during each of the subsequent incident response stages: analysis, containment, eradication, recovery and post-incident activities.
Source: IT Portal