Despite best efforts and an estimated $125 billion in spending, the number and severity of breaches continue to grow. According to the IBM Ponemon Institute, attacks compromised over 11.7 billion records in the past three years. The result? The average cost of a data breach in the US has risen to $8.19 million in 2019 from $7.91 million in 2018. This is the highest cost globally when compared to other regions. Globally, the average cost of a data breach has increased to $3.92 million.
In 2012, the then FBI director stated that “there are only two types of companies: those that have been hacked and those that will be.”
Today’s most common security myth is that your company is protected. Here are some additional security myths.
Nope, not even close. You are only secure after applying the patch across the entirety of your network and devices. Attackers take advantage of the vulnerability in the time between the publication of the vulnerability and the installation of the patch on affected systems.
In a paper entitled “Before We Knew It: An Empirical Study of Zero-day Attacks in The Real World,” Leyla Bilge and Tudor Dumitra of Symantec Research Labs identify 18 vulnerabilities exploited in the real world before full disclosure. They detail examples of vulnerabilities being exploited in the wild for an average of 312 days before petering out.
The exploitation of a vulnerability increases for a few days after the information goes public. Slowly, the exploitation decreases in the wild due to the deployment of antivirus and IPS signatures, and it becomes lower still after the vendor patches are deployed.
Thus, the premise of your security process is flawed. So how do you combat this? One approach is that 100% ofall operating systems in 2020 need to have a “reversible” or “rollback in time” filesystem. 100% of the time. Because storage is cheap. This approach has a couple of immediate benefits. First, it can be implemented today by IT/operations people with no need for deep security expertise. Second, it does not matter how or when the attack happened or when the patch is released. Rolling back mitigates the 102-day window when undesirable things happen to your business.
I’m small, I’m safe. Sure, you are. Attackers do not wake up in the morning and think, “I’m going to hack XYZ bank.” The approach is much broader—“I’m going to hack any bank I can get into”—which is a much simpler effort. The myth is that they are targeting you or your large company. The reality is that hackers look for the easiest weaknesses to exploit first, then choose whom to attack. Hackers are ambulance chasers, and they are lazy. This is not state sponsored; this is a purposeful, criminal exploitation. The model is to scan the internet, find the exploitable devices, and launch an encryption exploit regardless of the size of the targeted organization.
Some of the head-in-the-sand arguments we have heard from organizations of all sizes, but especially those that believe they are not on a hacker’s radar, include:
Whether you are large or small, your security mindset is likely trailing behind the hackers’ exploitation mindset. You provide great products, solutions and services that are constantly under attack. What you need are great solutions that are fully patched and protected regardless of the size of your business.
A question we ask about organizations’ security breach plans is “Are you stopping attacks or getting alerted when one occurs?” Here’s a simple test to determine whether you are proactive or reactive with your security breach plan:
Even if you nodded yes to all of the above, you may not have an adequate security response plan. As noted above, you are under constant attack and the economics and volume of opportunity favors the hackers. Your security breach plan must make it so hard and expensive for hackers to attack you that they go elsewhere. You must also create resilient systems that flip the burden of security from the defenders to the attackers. Your security plan must change the economics in your favor.
A good security plan comes down to economics, so let’s talk about costs. Without a modern security approach, your organization is open and vulnerable to hackers. You must assume they will try to attack your business. Your job is to be aware of these myths and get them where it hurts—make the cost of an attack on your business uneconomic for the hackers.
There are several solutions and best practices your organization can implement to make your business uneconomic for the hackers. But the first requirement is a mindset in your organization to stop attacks before they start. Evolving with the evolution of hacking means you’ll never catch up—you need to do something different. Once the mindset is firm, there are a number of solutions that could help, including roll-back file systems, endpoint security, penetration testing and more. The ultimate myth is that your company is safe today and in the future.
Pete Jarvis, VP of Business Development