ISACA Now Blog


Is a Breach at Your Company Inevitable?

Jason Baczynski, CISM, CISSP, Security Assurance Professional
Posted at 3:06 PM by ISACA News | Category: Security

The former CEO of Equifax recently stated in a speech at the University of Georgia that there are “those companies that have been breached and know it, and there are those companies that have been breached and don't know it.” While this statement must be taken with a grain of salt (it was made after his company had learned of its massive breach), the sentiment it expresses has become very common.

This type of reasoning was popularized following the RSA breach disclosed in 2011. Since then, many breached organizations have lamented the inevitability of a breach. This reasoning often comes with the related tagline of an “advanced persistent threat,” which further reinforces the mindset that succumbing to shadowy figures is inescapable. In reality, these “advanced” threats are often nothing more than a phishing email, poor passwords, or an attacker running a “point and click” exploit, freely available for months, against a known vulnerability. A cynical view is that both statements amount to nothing more than an attempt to leverage the fear, uncertainty and doubt surrounding all things cyber as an excuse for the shameful security practices of these organizations.

Should organizations adopt this fatalistic attitude? The answer should be no. It takes little more than regular patching, good authentication practices (including multi-factor authentication) and enough security awareness to stop staff from randomly opening attachments and clicking on links to defeat the majority of threats to which many organizations are exposed. Common additional controls and security staff can be added to compensate for the additional complexity that comes as a business grows. Treating these basic security measures as a fundamental part of running a modern business would significantly reduce the likelihood of such breaches.

The reality is not this simple. Cybersecurity is not yet as fundamental as paying bills. Remediating vulnerabilities costs time. Multi-factor authentication adds friction to the user experience. Even the savviest user will make a mistake and click on a link he or she should not have. Additional controls to protect the organization require organizational funds and the support of a skilled security team. Business leaders must continually choose between investing in protecting the data with which they have been entrusted and using those funds elsewhere. Consequently, protecting data becomes an expensive inconvenience.

Financial incentives for protecting data are minimal. Home Depot, Target Corporation and Anthem Inc. stocks have rebounded from their respective breaches. While several executives were relieved of their employment in these scenarios, severance packages and pensions allow the responsible decision-makers to move on with little hardship. Fines, such as the US $25 million fine against AT&T or the US $18.5 million fine against Target, are barely noticeable on corporate earnings reports.

The impact of these events falls largely on those whose data is disclosed, rather than on the organization that allowed the breach. While individuals are burdened with additional credit monitoring, credit card replacement, identity theft, disruption and stress, large organizations write off breach expenses as a cost of doing business. As a result, poor security practices are the more attractive financial choice for many business decision-makers.

So, is a breach at your company inevitable? Until there are stronger financial incentives for organizations to protect data, the answer for many companies, sadly, is yes. 


Be prepared for your breach

Your article raises some good points, but seems to dismiss the LOE required to defend data and downplays likely outcomes.
“It takes little more... common additional controls... will significantly reduce”
Those terms make it sound like good standards and practices will make the danger go away.
The reality is much more complex. Large organizations must manage a huge and complex battle to secure assets and educate employees. These companies have tens, or hundreds, of thousands of assets to track, patch and update. That must be choreographed among demands for availability, flexibility and ease of use. Testing patches may open a dangerous window of opportunity, but not testing can lead to costly system failures. BYOD and internet access for every desktop are certainly not security initiatives, but business pays the bills, and they demand it.
Education was mentioned. Picture a company with forty thousand or more employees. Regardless of how much we educate, the numbers themselves dictate a virtual certainty that some percentage of even the best, most security-conscious people will click on a link or open a package they shouldn’t.
Yes, we can reduce risk with proper controls and processes, but I would not wish to give anyone the impression they can avoid a breach. It isn’t just the unprepared who have been breached or lost data. Mandiant knows, and I am sure, uses excellent practices to safeguard data, but it wasn’t enough.
You also mentioned the lack of financial incentives to drive companies toward best practices. There is certainly some truth in that; we will see what happens as the new EU rules go into effect. They have certainly raised the financial bar. Perhaps that will have the outcome they intend. It will almost certainly drive up the cost of products and services. Will the benefits exceed the cost? Maybe. Will it stop breaches in the EU? Almost certainly not.
Being a realist, though the article implies a pessimist, I concur with the old maxim: ‘Hope for the best, but plan for the worst.’ Perhaps the Equifax executive was trying to deflect, but his message was spot on. We cannot build an impregnable fortress. Do your best to secure systems, but spend a like amount of effort to detect breaches quickly in order to minimize the damage. The odds are strong your company will eventually be glad you did.
James128 at 10/28/2017 10:23 AM