The former CEO of Equifax recently stated in a speech to the University of Georgia that there are “those companies that have been breached and know it, and there are those companies that have been breached and don't know it.” While this statement must be taken with a grain of salt (it was made after his company was made aware of the massive breach), we still have a sentiment that has become very common.
This type of reasoning was popularized following the RSA breach that was disclosed in 2011. Following this event, many organizations which had breaches would lament the inevitability of a breach. This reasoning often has the related tagline of an “advanced persistent threat,” which further reinforces the mindset that succumbing to shadowy figures is inescapable. In reality, these “advanced” threats are often nothing more than a phishing email, poor passwords, or an attacker running a “point and click” exploit of a vulnerability that has been freely available for months. A cynical view is that both statements amount to nothing more than an attempt to leverage the fear, uncertainty and doubt of all things cyber in an excuse for the shameful security practices of these organizations.
Should organizations adopt this fatalistic attitude? The answer should be no. It takes little more than regular patching, good authentication practices (including multi-factor authentication) and enough security awareness to prevent staff from randomly opening attachments and clicking on links to stop the majority of threats to which many organizations are exposed. Common additional controls and security staff can be added to compensate for additional complexities as businesses grow. Considering these basic security items as a fundamental component of running a modern business will significantly reduce the likelihood of these breaches for organizations.
The reality is not this simple. Cybersecurity is not yet as fundamental as paying bills. Remediating vulnerabilities costs time. Multi-factor authentication adds friction to the user experience. Even the savviest user will make a mistake and click on a link he or she should not have. Additional controls to protect the organization require organizational funds and the support of a skilled security team. Business leaders must continually make a choice between investing in protecting the data they have been entrusted or using these funds elsewhere. Consequently, protecting data becomes an expensive inconvenience.
Financial incentives for protecting data are minimal. Home Depot, Target Corporation and Anthem Inc. stocks have rebounded from their respective breaches. While several executives were relieved of their employment in these scenarios, severance packages and pensions allow the responsible decision-makers to move on with little hardship. Fines, such as the US $25 million fine against AT&T or the $18.5 million dollar fine against Target, are barely noticeable on corporate earnings reports.
The impact for these events largely affects those whose data is disclosed, rather than the organization that allowed the breach. While individuals are burdened with additional credit monitoring reports, credit card replacement, identity theft, disruptions and stress, large organizations write off breach expenses as a cost of doing business. As a result, poor security practices are the more attractive financial choice for many business decision-makers.
So, is a breach at your company inevitable? Until there are stronger financial incentives for organizations to protect data, the answer for many companies, sadly, is yes.