Target, Adobe, eBay, Neiman Marcus, JP Morgan Chase, Goodwill, Home Depot, CHS, Michaels, USPS, Sony, Anthem, Premera, CareFirst, IRS, Department of State, Heartland, OPM – and that’s just a sample; the list goes on – see the ITRC 2015 Breach List: 411 breaches and 117M identities exposed so far this year. Is it really that bad, or is it just hype manufactured by security companies to ring up their sales? How scared should we be?
The breaches are very real indeed, and the amount of data exposed is staggering – data that’s supposed to be personal and confidential for good reason. The availability of this data on the black market not only lowers the barrier to entry for potential attackers (lower prices, a variety of options to choose from), but also makes new types of semi-automated attacks possible: scattershot attacks against multiple targets, identity aggregation across several sources, exploitation of credential reuse, sophisticated spear phishing, a low-and-slow approach to financial fraud, and so on. So yes, you should be afraid, very afraid.
Security companies definitely have their work cut out for them, and the demand for anything security-related is overwhelming after years, if not decades, of drought and neglect. There’s some fear-mongering for sure, but it’s mostly coming from wannabes who are late to the party without a compelling message. The security technology market is very discriminating, and excessive noise, sensationalism, and overhyping can easily backfire. For a company with a solid offering there’s no need to feed hysteria: the damage is real and highly visible, the consequences are severe, and the constant stream of breach notifications does all the marketing they need.
There’s one trend that I really don’t like and consider harmful: the increasing mudslinging between the Protect, Detect, and Respond camps. Statements like “you’re going to be breached no matter what, so don’t bother with preventive measures, and focus on [incident response, breach detection, <your sales message>]” are self-serving and misleading. Defense in depth is alive and well, and the NIST Cybersecurity Framework is a great guide for establishing a solid risk-based cyber security program.