
IT Leaders Expect To Be Hit by Cyber Attack

By ISBuzz Team | August 19, 2016 | Updated: July 4, 2024

Two new reports bring doom and gloom to the IT security industry this week:

– Okta Report Reveals 65% of IT Leaders Expect Serious Data Breach to Hit Their Business Within the Next Year.

– QinetiQ report reveals that lack of process and security culture are chief factors leaving firms open to cyber attack.

IT security experts from AlienVault, Lieberman Software and ESET comment below on whether it really is all doom and gloom:

Javvad Malik, Security Advocate at AlienVault:

“Preventing security breaches is a bit like Zeno’s dichotomy paradox. In that it is a constant and ongoing process, which at best you only achieve 50%.

While updating legacy systems and implementing good security practices while working towards a better security culture are vitally important, there’s always a chance that an incident will occur. To that point, the fact that 65% of leaders expect to experience a breach is completely understandable.

However, security doesn’t stop when a breach occurs. One could argue that detecting the breach and responding is where the real security effort takes place and it is where companies need to focus.

To quote Mike Tyson, “Everyone has a plan until they are punched in the face.” Enterprise security teams need to prepare themselves like boxers that train themselves to get hit. Everyone gets hit – it’s the timeliness and the method in which they respond that matters the most.”

Philip Lieberman, President at Lieberman Software:

“The real statistics are heavily reduced outside the USA due to privacy laws and the lack of a real requirement to report a breach as well as total lack of information sharing. This has led to a catastrophic set up whereby internal security in most companies is horrible or non-existent. Training employees and appropriate policies are ineffective once an organization grows large because the statistics prove that at least one or more employees will make a mistake and allow an intruder in their environment on a regular basis. You cannot train your way out of statistics and human error.

There are technological solutions to minimize the number of breaches as well as their cost.  Most organizations will not use these technologies under the theory that they are not a target, gathering the data would be a violation of law, any attack would be unstoppable (force majeure theory), or they can insure their way out of the problem.

The job of the CEO is to understand and manage risk as well as limit consequences.  The problem within IT is horrible to a degree far beyond the report’s conclusions.

The culture problem is not with the employees or IT, it is with the CEO and Board of Directors who have not become aware of the risk and solutions to minimize consequences outside of the physical world and in the cyber security space.  Training is a mostly ineffective solution for security.  It all really comes down to the culture of the senior leadership to lead in cyber security, resiliency and minimizing outcomes from each breach to inconsequential numbers.

This is possible and regularly done within the United States among those that cannot suffer unlimited losses or hide from the daily problem. Imagine a day where IT reports daily breaches, losses and consequences, and the leadership keeps their technical team as well as offers the kudos for their hard work keeping things running even with regular breaches. This scenario is opposed to the senior leadership being randomly surprised by IT failures and seeks to discharge anyone reporting bad news. This collaboration exists in the USA, but is rare to non-existent in the rest of the world. Side note: BREXIT may bring this best practice to the UK and make it more competitive than the total security blindness of EU companies.

When we sell our solutions, we would rather not take the money if the company does not have the CEO on board and if the entire company is not ready to fix broken processes and rebuild network/identity boundaries for survivability.  The fixes to improve outcomes are inexpensive, quick and reliable, but they only come from the C-Suite because only leadership can break the bad habits and designs of their business units.”

Mark James, Security Specialist at ESET:

“I think keeping up with the current threats and educating users in the type of threats doing the rounds seem to be one of the hardest goals to achieve in the world of malware defence. Malware mutates and adapts so quickly that it’s extremely difficult for any company to be expected to always be on top of it. As long as they take all the relevant measures and ensure they do as much as they can in keeping hardware and software up to date and patched to the latest versions then I believe they are doing all they can.

The problem is that quite often it takes scare tactics to get things moving; explaining worst case scenarios and listing the types of catastrophic events that “could” happen if nothing is done may well be the norm in this current era. The skill sets that a lot of these malware writers have are far superior to the average person using computers so sadly they will always be at risk.

But it’s not all doom and gloom, keeping your hardware (firmware) and software up to date along with practices like periodically reviewing your security policies and changing default passwords will go a long way in helping. A good multi-layered regular updating internet security product at the endpoint and ensuring your perimeter hardware is also protected will make life difficult for the opportunistic malware knocking at your doors.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
