Subscribing to common security misconceptions can hamper the efforts of even the most capable security teams. With that in mind, here are three security fallacies that should be ignored for a more effective security program.
Prevention is Impossible
In security circles, it is now generally accepted that all organizations have been compromised, meaning “bad stuff” is already on your networks and/or endpoints. That acceptance has caused many to give up on the idea of preventing more bad stuff from getting in and instead shift their focus to detection – the theory being that if you find and inoculate the bad stuff fast enough, the damage will be limited. But the reality is that prevention is still very possible.
Several published reports find that malicious hackers are getting into networks far too easily, using simple tactics like attacking known vulnerabilities that should already have been patched or using targeted spear-phishing emails that are easy to detect. More attention must be paid to basic security hygiene. If organizations are doing the basics of prevention – for example, using the latest and most secure versions of web browsers and other common software – most hackers will move on to easier targets.
Every Attack is Sophisticated
Read the public statements from the leader of any recently hacked organization and you’ll see something along the lines of “…the hack was unprecedented in nature, leveraging sophisticated and previously unknown tactics that were undetectable by industry standard security solutions.” This is FALSE!
Most attacks are basic and blunt, leveraging script-kiddie-type tools that lack any “intelligence.” The web is fraught with noise from continuous and less-than-sophisticated attacks. Time is too often wasted searching for traces of sophisticated avenues of attack from the elite hacker, while ignoring things like weak admin passwords on sensitive data repositories.
Data Loss is Inevitable
It is now widely accepted in IT security circles that network and system breaches are inevitable, largely because IT budgets simply aren’t big enough to address every single security vulnerability in the network. But the fact that some cyber criminals are making it through the door doesn’t mean they should be able to walk out with the crown jewels – the sensitive business data – tucked under their arm.
Companies absolutely can protect their most sensitive information and prevent its theft. There are proven methods available today that specifically address data loss. So while attacks on networks and systems may be inevitable, data loss is not.