Global survey reveals why incremental cyber security fixes don’t work

Snapshot: Organizations don’t need more security products, they need more secure products. That’s one of the key takeaways from our new global cyber security survey. The research reveals that incremental security fixes no longer work. In fact, the more security tools an organization throws at the problem, the worse it gets. And while 82% of security decision-makers acknowledge the need to improve security measures, over half admit that the complexity of modern work environments hinders their efforts. Furthermore, 59% confess that their reliance on outdated technology leaves them ill-equipped to handle future security needs. Download the full research report for a deeper dive.

Who we surveyed

• 2,025 business, IT, and security decision-makers across the US, UK, Brazil, and India

• Organizations with a range of sizes, but all with 300+ employees

• A mix of industries, regulated and non-regulated

More security tools, less actual security

Over two-thirds of organizations are investing more time and money than ever before in securing their environments — but they’re still experiencing a barrage of costly incidents. Paradoxically, those organizations using 10+ security tools report a higher frequency of security incidents while incurring greater costs.

Explaining the paradox

How is it possible that organizations spending more money on more security tools see a higher number of security incidents in a year? Without a modern and secure-by-design solution, organizations are forced to adopt a piecemeal approach, launching ever-more tools to fight a virtually unwinnable war that has deeper, systemic roots.

“People will throw money at the same thing to have multiple layers. I hear from my colleagues and customers, ‘We’ve tried throwing so much money at it, and we’re not actually helping the problem.’ They’ll throw money at some really expensive platform, but then they don’t have a password manager for the team. It’s like spending money on ballistic windows, but your door is wide open.” — Rachel Tobac, CEO of SocialProof Security

More of the same isn’t working

Security decision-makers are feeling the pressure in this new landscape, with 93% expressing worry about security incidents. Their anxiety stems from a multitude of sources, including vulnerabilities, external attacks (like data breaches and generative AI attacks), and user negligence, both intentional and accidental.

But despite their anxiety, a reliance on incremental changes to tackle a deeper and more systemic problem is proving insufficient and, in many cases, actually weakens their security posture. While 82% of security decision-makers acknowledge the need to improve security measures, over half admit that the complexity of modern work environments hinders their efforts. Furthermore, 59% confess that their reliance on outdated technology leaves them ill-equipped to handle future security needs.

Confidence doesn’t equal security

The same decision-makers who say they are confident in their organizations’ security posture routinely deploy tools and approaches that expose them to increased risk:

• Only 56% say they follow IT policies

• Nearly half (44%) believe unlicensed tools are “completely safe”

• Two-thirds (63%) report that unlicensed gen AI tools are used on a weekly basis

This disconnect between perception and practice exposes organizations to significant security risks. As Dr. Joshua Scarpino, CEO of Assessed.Intelligence, points out, "Organizations don't always understand how risks evolve with new technologies, which can present challenges for security leaders because they're always playing catch-up."

Securing the future demands a new approach

The evidence from our research is clear: Organizations don’t need more security products, they need more secure products. If they’re going to stave off a barrage of sophisticated attacks in the future, they need to move away from outdated solutions and approaches that were designed for the desktop era. They need to embrace secure-by-design solutions that address the modern threat landscape and the way we work now. 

What does secure-by-design mean? It means embedding security into every phase of the software development lifecycle — not just at the beginning or the end. It also means designing solutions with a modern architecture that nullifies classes of attack vectors and vulnerabilities. A few examples of modern, secure-by-design products that inherently reduce risks for businesses:

• With AI-powered defenses, Gmail blocks more than 99.9 percent of spam, phishing attempts, and malware from ever reaching users’ inboxes.

• ChromeOS has never had a reported ransomware attack. ChromeOS includes features like verification at boot, a read-only OS that blocks executables, data encryption, sandboxing, and more.

• Chrome Enterprise has built-in Safe Browsing to keep users protected in real time by showing a warning message before they visit a dangerous site or download a harmful file. 

We believe that it’s time for a more secure approach. For a deeper dive, download the full research report. 

And if you’re ready to explore how to work safer with Google Workspace, contact sales to start a conversation, or take a closer look at our security approach.