WASHINGTON - The recent epidemic of cyberattacks has led to greater investment and spending on security, but fears are rising that hackers are gaining the upper hand, a study showed Wednesday.
A Rand Corporation study based on a survey of company chief information officers said rising concerns from high-profile incidents have made cybersecurity a priority for many organisations.
The authors cited prior research showing worldwide spending on cybersecurity is approaching $70 billion (S$94 billion) per year and growing at 10 to 15 per cent annually but said that "it would be an understatement to say organisations are dissatisfied with their security."
"Companies know what they spend on cybersecurity, but quantifying what they save by preventing malicious attacks is much harder to tally," said Lillian Ablon, a Rand researcher and co-author of the report.
"Cybersecurity is a continual cycle of trying to eliminate weaknesses and out-think an attacker. Currently, the best that defenders can do is to make it expensive for the attackers in terms of money, time, resources and research."
The researchers found that the effect of a cyberattack on reputation - rather than direct costs - caused the most concern for chief information security officers.
The report in coordination with Juniper Networks said the cost of managing cybersecurity is set to increase 38 per cent over the next 10 years across all businesses - largely from investment in tools and training, and dealing handling the use of personal devices such as smartphones which connect to corporate networks.
"One of the most challenging issues facing companies is the countermeasures attackers use to evade defences," the report said.
"Attackers are constantly developing countermeasures to new security technologies, which limits the relative effectiveness of those tools over time and requires companies to invest in new technologies to take their place."
Shrouded in secrecy
The researchers said evaluating cybersecurity is difficult because so much is shrouded in secrecy. Despite the wave of attacks that have become public in recent months, the methods used by hackers use to infiltrate systems and countermeasures are often kept private.
The report noted that "cybersecurity is a hard sell, especially to chief executives" but that there is now greater focus on security measures.
"Despite the pessimism in the field, we found that companies are paying a lot more attention to cybersecurity than they were even five years ago," said Martin Libicki, a co-author of the report.
"Companies that didn't even have a chief information security officer five years ago have one now, and CEOs are more likely to listen to them."