In his final budget proposal, President Obama is asking for an increase in spending on cybersecurity — $19 billion, which is $5 billion more than last year. The requested increase is a response to the rise in cybersecurity threats being made against government agencies.
The budget request follows a trend as we’re seeing more organizations bumping up their cybersecurity budgets. In fact, estimates are that cybersecurity spending will continue to rise, with expectations of more than $170 billion spent on security by 2020.
But is all this spending actually doing anything to improve cybersecurity? A new study from Venafi hints that perhaps much of that money is being wasted because it isn’t working on certain attacks. The problem, according to the CIOs surveyed, is that layered security defenses aren’t able to tell the difference between which keys and certificates should be trusted and which shouldn’t. A whopping 86 percent of those CIOs believe that stolen encryption keys and digital certificates are going to be the next big attack vector, which is a serious problem because, according to Information Age:
Enterprises rely on tens of thousands of keys and certificates as the foundation of trust for their websites, virtual machines, mobile devices, and cloud servers. The technology was adopted to help solve the original Internet security problem of knowing what is safe and private.
As Kevin Bocek, vice president Threat Intelligence and Security Strategy at Venafi, said in a formal statement:
Keys and certificates are the foundation of cybersecurity, authenticating system connections and telling us if software and devices are doing what they are meant to. If this foundation collapses, we’re in serious trouble. With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, and mobile devices, and decrypt communications thought to be private.
However, the ineffective security tools aren’t the only cybersecurity problem that money can’t fix. An Absolute Software study found that 45 percent of IT professionals are purposely ignoring their own security protocols.
So are we tossing away money on cybersecurity? No, of course not. Organizations need to continue to upgrade their security systems and do more to find ways to address potential threats. But it appears there needs to be a smarter approach to how that money is being spent and ensuring that the security systems and employees aren’t circumventing the protocols already in place.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba