Subscribing to common security misconceptions can hamper the efforts of even the most capable security teams. With that in mind, here are three security fallacies that should be ignored for a more effective security program.
Prevention is Impossible
In security circles, it is now generally accepted that all organizations have been compromised, meaning “bad stuff” is already on your networks and/or endpoints. That acceptance has caused many to give up on the idea of preventing more bad stuff from getting in and instead shift their focus to detection – the theory being that if you find and inoculate the bad stuff fast enough, the damage will be limited. But the reality is that prevention is still very possible.
Several published reports find that malicious hackers are getting into networks far too easily, using simple tactics like attacking known vulnerabilities that should already have been patched or using targeted spear-phishing emails that are easy to detect. More attention must be paid to basic security hygiene. If organizations are doing the basics of prevention – for example, using the latest and most secure versions of web browsers and other common software – most hackers will move on to easier targets.
Every Attack is Sophisticated
Read the public statements from the leader of any recently hacked organization and you’ll see a statement along the lines of “…the hack was unprecedented in nature, leveraging sophisticated and previously unknown tactics that were undetectable by industry standard security solutions.” This is FALSE!
Most attacks are basic and blunt, leveraging script-kiddy type tools that lack any “intelligence.” The web is fraught with noise from continuous and less-than-sophisticated attacks. Time is too often wasted searching for traces of sophisticated avenues of attack from the elite hacker, while ignoring things like weak admin passwords on sensitive data repositories.
Data Loss is Inevitable
It is now widely accepted in IT security circles that network and system breaches are inevitable, largely because IT budgets simply aren’t big enough to address every single security vulnerability in the network. But the fact that some cyber criminals are making it through the door doesn’t mean they should be able to walk out with the crown jewels – the sensitive business data – tucked under their arm.
Companies absolutely can protect their most sensitive information and prevent it from theft. There are proven methods available today that specifically address data loss. So while attacks on network and system may be inevitable, data loss is not.
451 Research: The DLP Market by the Numbers
Get the 451 take on the resurgence of the DLP market, with projections for market growth over the next five years and the top security challenges for 2016.
Related ArticlesSecurity Investments and the Definition of Insanity
A survey of IT professionals finds companies continuing to prioritize network perimeter protections – with little to show for it.InfoSec Professionals Reveal the Top Information Security Concerns for 2018 & Beyond
30 infosec pros discuss the top information security concerns for 2018 and beyond.2018: The Year Security Regulations Get Their Teeth
Even if no new laws are passed, the next year will see the stakes raised for weak security and data leaks in both the EU and U.S.