MTS Future Crew CEO Evgeny Chereshnev discusses cybersecurity issues

According to the RRT and Yandex Cloud report, in 2023 more than half of Russian companies increased their spending on information security by an average of 20%. It sounds cool, but it leads to a dangerous misconception: it creates the impression that all companies are improving cybersecurity to a similar extent. In reality, some companies invested 200-300% more, others left their budget unchanged, and still others even reduced expenses. The arithmetic average may hover around 20%, but that figure has no connection to real security.

This is confirmed both by our own observations – in 2023 we identified leaks of over 140 million records of organizations’ account data – and by public statistics. In the first months of 2024, data from 170 companies was leaked, which is already 40% of all leaks recorded in 2023. How is this possible: budgets are increasing, yet security does not seem to be improving? There are three main reasons.

The first reason is that company employees remain the weakest link. People often lack even basic knowledge of cybersecurity, and employers make no effort to correct this. As a result, many incidents stem from incorrect data access policies, from social engineering in which attackers extract the information they need from employees, from blackmail of employees, and so on. Classic software products do little to solve these problems; security here is ensured only at the level of the company’s culture.

The second reason is that companies still try to solve problems with money. Even if every company in the country gave its CISO (Chief Information Security Officer) an unlimited budget to buy the most expensive set of solutions (often not the most effective, but profitable for a particular CISO: corruption has not been canceled), this would not make the infrastructure invulnerable.

Cybersecurity is a constant arms race between armor and ammunition. While hackers look for new ways to attack, defenders adapt by developing new classes of products. The winners are not the owners of the most expensive solutions, but those with the best expertise and the ability to assess risks realistically. The problem is that CEOs often prefer to hire “just anyone” instead of buying cybersecurity as a service from an experienced company. This is what leads to hacks and data leaks.

The third reason is staged penetration tests. Penetration testing is a reliable cybersecurity audit tool. But there is a problem: by law, the vendor must obtain the client’s permission to attack its systems. And when CISOs issue such permissions, they require every action to be coordinated with them, and even require the attack to be conducted in a “sandbox”. The supplier is therefore forced to conduct a staged pentest that has little to do with reality. As a result, management reports that “everything is fine” until real hackers arrive, take everything they want, and then encrypt the infrastructure for ransom. Real hackers break in at inconvenient times, without warning, and target the weakest point, often going through the victim’s contractor rather than attacking directly.

The good news is that the most advanced companies are starting to understand that “business as usual” does not work, and that the best defense is to genuinely pentest their business 24/7 and put the audit results on the CEO’s desk. This is not a panacea. But transparency is the first step in the right direction. And action must be taken faster, because the price of mistakes will soon include not only reputational losses but also significant financial ones: not a 30,000 ruble fine, but up to 3% of annual revenue.
