Did Major Cyberattacks of 2017 Impact Security Budgets?
12.12.2017 securityweek Cyber
The Effect of WannaCry and NotPetya Outbreaks on Corporate Security Budgets is...Complicated
Despite common perception, the WannaCry and NotPetya outbreaks of 2017 have not -- at least, not yet -- had any marked effect on security budgets.
AlienVault surveyed 233 IT professionals globally to see how roles have changed following the high profile attacks of 2017 that many commentators assumed would act as a wake-up call for senior management. The results disprove this. Just 14% of the respondents have had their budgets for cyber security increased, and only a fifth (20%) have been able to implement changes or projects that were previously put on hold.
"WannaCry and NotPetya are generally believed to have marked a turning point in cyber awareness, but the reality on the ground paints a different picture," comments AlienVault security advocate, Javvad Malik.
The questions posed by AlienVault can loosely be described as three categories: did you get more quantifiable support from senior management; have attitudes towards security changed since the outbreaks; and how has your company reacted to the outbreaks? For the first, 70% of the respondents replied that the outbreaks have made no difference financially to their role; that is, WannaCry and NotPetya have not resulted in the expected security budget increase.
Similarly, there has been little change in attitude towards the security function, either internally to the organization, or externally in the wider marketplace. For example, less than 10% of boards have shown any greater interest in the security role, while more than 60% of respondents replied that the outbreaks have made no difference to the way they are viewed within their organizations. And while 7% of respondents have noticed an increase in new job offers since the outbreaks, 90% say they have made no difference.
Of the questions posed in this survey, two, however, show the practical effect of WannaCry and NotPetya on patching and posture. Two-thirds of the respondents say they are now more up-to-date with patching than they were before the outbreaks, while just one-third say it has made no difference. Further, 58% of respondents carried out a review of their organizations' security posture following the outbreaks (41% did not).
What isn't clear, however, is whether these actions were the result of board pressure or support, or simply the respondents taking their own action from within their existing budgets. The latter is implied by the apparent lack of reaction by boards shown in the other questions -- and this is further supported by a recent PwC survey.
PwC's annual Global State of Information Security Surveys question around 10,000 security professionals in more than 100 different countries. The 2017 survey found that UK security budgets (where firms and especially the NHS were badly hit by WannaCry) stood at around £6.2 million (double the previous year's £3 million average). The latest 2018 survey, announced after the WannaCry and NotPetya outbreaks in October 2017, shows the UK slashing average budgets back down to £3.9 million.
Surprisingly, however, both of these surveys seem to be in contrast to Gartner published only last week. Gartner's Ruggero Contu commented, "Overall, a large portion of security spending is driven by an organization's reaction toward security breaches as more high profile cyberattacks and data breaches affect organizations worldwide. Cyberattacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years."
Noticeably, Gartner increased its global security spend prediction for 2018 by $3 billion over an earlier prediction in August 2017; apparently on the expected effect of WannaCry, NotPetya and the Equifax breach.
Three major firms have now commented on security budgets in the last two months; all of them after the WannaCry and NotPetya outbreaks (with two of them specifically referencing those outbreaks). One (Gartner) says that budgets will increase because of the outbreaks; another (AlienVault) implies 'no change' despite the outbreaks; while the third (PwC) indicates slashed budgets in a country that was severely hit by WannaCry.
This discrepancy highlights the problem with all surveys and predictions. Each one is accurate, but only within the context of its delivery. Gartner based its forecast on the results of a 2016 survey where the highest percentage of respondents said that a security breach is the main security risk influencing their security spending. On this basis, security spend will undoubtedly increase.
The PwC figures covering the UK show a decrease in budget, but only after the previous year's rather dramatic increase; which, according to PwC, took the UK to "over one and a half times more than their global counterparts."
The AlienVault survey questioned a relatively low number of "233 IT professionals." We don't know where they are located, what size company they work for, nor their specific cybersecurity role. AlienVault decided to press-headline the survey results with "Cyber Threats Are Still Being Brushed Aside, Even After WannaCry and NotPetya". (The associated blog title is less dramatic: "The Impact of NotPetya and WannaCry".)
When challenged by SecurityWeek, Malik suggested that the AlienVault and Gartner results may not be so very different. Despite the headline, he told SecurityWeek, "Our results are not based on our opinion, but are the aggregated results of a survey from the Spiceworks community -- which may or may not be representative of the wider market. So, while only 14% have claimed that their budgets for cybersecurity have increased, the broader survey does show that over half of organizations carried out a review of their cyber security posture, two thirds are more up-to-date with patching, and half are using threat intelligence more."
One thing is clear from these differences: if you want to get an accurate picture of what is really going on, you need to look beyond the individual headlines.