Three Security Fallacies that Still Persist Today



These three misbeliefs are still causing problems for security programs today. Is your security strategy based on any of them?

Subscribing to common security misconceptions can hamper the efforts of even the most capable security teams. With that in mind, here are three security fallacies that should be ignored for a more effective security program.

Prevention is Impossible

In security circles, it is now generally accepted that all organizations have been compromised, meaning “bad stuff” is already on your networks and/or endpoints. That acceptance has caused many to give up on the idea of preventing more bad stuff from getting in and instead shift their focus to detection – the theory being that if you find and inoculate the bad stuff fast enough, the damage will be limited. But the reality is that prevention is still very possible.

Several published reports find that malicious hackers are getting into networks far too easily, using simple tactics like attacking known vulnerabilities that should already have been patched or using targeted spear-phishing emails that are easy to detect. More attention must be paid to basic security hygiene. If organizations are doing the basics of prevention – for example, using the latest and most secure versions of web browsers and other common software – most hackers will move on to easier targets.

Every Attack is Sophisticated

Read the public statements from the leader of any recently hacked organization and you’ll see a statement along the lines of “…the hack was unprecedented in nature, leveraging sophisticated and previously unknown tactics that were undetectable by industry standard security solutions.” This is FALSE!

Most attacks are basic and blunt, leveraging script-kiddie-type tools that lack any “intelligence.” The web is fraught with noise from continuous and less-than-sophisticated attacks. Time is too often wasted searching for traces of sophisticated avenues of attack from the elite hacker, while ignoring things like weak admin passwords on sensitive data repositories.

Data Loss is Inevitable

It is now widely accepted in IT security circles that network and system breaches are inevitable, largely because IT budgets simply aren’t big enough to address every single security vulnerability in the network. But the fact that some cyber criminals are making it through the door doesn’t mean they should be able to walk out with the crown jewels – the sensitive business data – tucked under their arm.

Companies absolutely can protect their most sensitive information and prevent its theft. There are proven methods available today that specifically address data loss. So while attacks on networks and systems may be inevitable, data loss is not.

Greg Funaro


Greg Funaro is the Director of Corporate Communications at Digital Guardian.
