Cyber Defense Magazine – July 2019

(Sean Pound)

This infographic from Information is Beautiful (not reproduced here) illustrates the scale of the problem well.


According to the European Union Agency for Network and Information Security (ENISA), the loss from
cyberattacks in the EU alone ranges from €1.6 million to €10.8 million per year per organization, or about €208 billion
per year (1.6% of GDP) across the financial, ICT, transportation, critical infrastructure and services (healthcare,
government and energy) sectors.


In an attempt to minimize these losses, businesses spend significantly more on reactive security than on
proactive security measures. In other words, they focus their time and money on trying to keep their existing software
vulnerabilities from being exploited, rather than on preventing those vulnerabilities from being written into their
code in the first place. Proactive security is the only realistic and truly effective strategy for getting ahead in
the race against cybercrime.


According to a recent Gartner report, 90% of companies treat cybersecurity as an afterthought, and
their control strategies are focused on "firefighting" once an attack has occurred rather than on preventing
it. This suboptimal strategy causes enormous losses from cyberattacks, since remediating a
defect once the software is already deployed in production can cost 95× more than fixing it in an earlier stage of development. On
top of the direct cost, a production fix brings system downtime, damage to the brand, loss of customer trust, and
potentially liability costs.


Lack of understanding


One obstacle to adopting a more proactive approach to software security is the lack of adequate security training
for IT personnel. As a chilling illustration, the most common kinds of software vulnerabilities compiled by OWASP in 2007 and
again in 2017 are largely the same, which points to a persistent lack of understanding of security
issues among software developers and an overall failure of education. Because security is defined as the
absence of vulnerabilities, an abstract notion, developers can only avoid the underlying mistakes if they first understand
the vulnerabilities those mistakes produce.


Furthermore, training is lacking both for security-specialized personnel and for general
users. Companies and public administrations are aware of the importance of having an effective security policy
and well-trained staff, but how to put both into practice so that they actually raise the security level remains an open question, one
that the European Commission has identified as among the main challenges in cybersecurity [4].
The result is a gap between the security policies organizations adopt and their proper implementation within those
organizations.


Conventional training is not enough


The best strategy to counter cybercrime lies not in technological security solutions, but rather in well-trained
individuals who understand security threats as well as their adversary's mindset and can adapt to new