91% of Orgs Expect to Increase Cybersecurity Budgets in Next Year
Surveyed security leaders are prioritizing investments in the latest tools, but technology alone cannot mitigate ransomware risk.
As ransomware continues to impact organizations worldwide, cybersecurity leaders are increasingly recognizing the importance of investing resources into improving their security programs and processes. More than 90 percent of surveyed cybersecurity leaders and decision-makers from a variety of industries reported plans to increase security budgets in the coming year, Fortinet found in its 2023 Global Ransomware Report.
Leaders reported prioritizing investment in artificial intelligence (AI) and machine learning (ML) to enhance threat detection, as well as in Internet-of-Things (IoT) security tools, next-generation firewalls (NGFWs), endpoint detection and response (EDR), and secure email gateway (SEG) technologies.
Increased budgets show that C-suite leaders are increasingly recognizing the importance of cybersecurity. However, dedicating budgetary resources exclusively to tools and technologies may not address key security shortcomings.
“Interestingly, while many security leaders have traditionally believed that buying the best individual product for a project will yield the strongest cybersecurity posture, this year’s survey data indicates that those organizations that reported taking a point product approach were the most likely to become a victim of ransomware,” the report noted.
“However, technology is only part of the solution. The survey found that four out of the top five challenges in preventing ransomware were related to people and processes.”
Despite 78 percent of surveyed leaders describing their organizations as “very” or “extremely” prepared to tackle a data breach, half of the surveyed organizations still suffered ransomware attacks in the past year. What’s more, 71 percent of respondents said that they paid at least a portion of the ransomware demand.
Among the surveyed organizations that fell victim to ransomware in the past year, phishing remained the most common tactic. Phishing attacks are commonly used against healthcare organizations and other entities to trick employees with malicious links and gain network access.
“One of the most surprising findings from Fortinet’s previous survey was that the top method of entry in 2021 was email phishing, yet only a third of organizations reported plans to improve that defense,” Fortinet observed.
Even so, the results showed that leaders are investing in a wide range of tools that target a variety of potential vulnerabilities. But the report also stressed the importance of investing in technology that streamlines and improves processes, rather than overcomplicating them.
While 45 percent of respondents said they were using a mix of security platforms and point products, 36 percent said that they continue to only buy “best-of-breed” point products.
“As a result, many security teams end up spending a great deal of time managing individual products deployed over time and struggling to get their collection of technology to operate together effectively,” the report reasoned. “And such manual processes can hinder a security team’s ability to gather the right data and promptly respond to a ransomware incident.”
If organizations take a “less is more” approach to security investments, they may be able to reduce redundancies and inefficiencies and devote more time to improving their overall programs. Employee security training and thoughtful process improvements will go a long way, the results suggested.
“According to the Fortinet research released today, though three out of four organizations detected ransomware attacks early, half still fell victim to them. These results demonstrate the urgency to move beyond simple detection to real-time response,” John Maddison, EVP of products and CMO at Fortinet, said in an accompanying press release.
“However, this is only part of the solution as organizations cited the top challenges in preventing attacks were related to their people and processes. A holistic approach to cybersecurity that goes beyond investing in essential technologies and prioritizes training is essential.”