Three Security Fallacies that Still Persist Today

These three misbeliefs are still causing problems for security programs today. Is your security strategy based on any of them?

Subscribing to common security misconceptions can hamper the efforts of even the most capable security teams. With that in mind, here are three security fallacies that should be ignored for a more effective security program.

Prevention is Impossible

In security circles, it is now generally accepted that all organizations have been compromised, meaning “bad stuff” is already on your networks and/or endpoints. That acceptance has caused many to give up on the idea of preventing more bad stuff from getting in and instead shift their focus to detection – the theory being that if you find and inoculate the bad stuff fast enough, the damage will be limited. But the reality is that prevention is still very possible.

Several published reports find that malicious hackers are getting into networks far too easily, using simple tactics like attacking known vulnerabilities that should already have been patched or using targeted spear-phishing emails that are easy to detect. More attention must be paid to basic security hygiene. If organizations are doing the basics of prevention – for example, using the latest and most secure versions of web browsers and other common software – most hackers will move on to easier targets.

Every Attack is Sophisticated

Read the public statements from the leader of any recently hacked organization and you’ll see a statement along the lines of “…the hack was unprecedented in nature, leveraging sophisticated and previously unknown tactics that were undetectable by industry standard security solutions.” This is FALSE!

Most attacks are basic and blunt, leveraging script-kiddy type tools that lack any “intelligence.” The web is fraught with noise from continuous and less-than-sophisticated attacks. Time is too often wasted searching for traces of sophisticated avenues of attack from the elite hacker, while ignoring things like weak admin passwords on sensitive data repositories.

Data Loss is Inevitable

It is now widely accepted in IT security circles that network and system breaches are inevitable, largely because IT budgets simply aren’t big enough to address every single security vulnerability in the network. But the fact that some cyber criminals are making it through the door doesn’t mean they should be able to walk out with the crown jewels – the sensitive business data – tucked under their arm.

Companies absolutely can protect their most sensitive information and prevent it from theft. There are proven methods available today that specifically address data loss. So while attacks on network and system may be inevitable, data loss is not.

Greg Funaro

451 Research: The DLP Market by the Numbers

Get the 451 take on the resurgence of the DLP market, with projections for market growth over the next five years and the top security challenges for 2016.

Download the report

Related Articles
Health and Human Services Raises Bar for Risk Analysis with latest HITECH Rules

Organizations will need to match features to security mitigations in qualifying electronic health records systems.

Take the Patients and Run

Forget identity theft, an incident in Arkansas shows that plain old competition is behind at least some medical data theft.

The Evolution of Authentication and Identity Management: A Q&A with Duo's Wendy Nather

Wendy Nather discusses the evolving consumerization of security and how it affects the future of authentication.

Greg Funaro

Greg Funaro is the Director of Corporate Communications at Digital Guardian.

Please post your comments here