In a recent article on Drdobbs.com, Andrew Binstock argues that breaches, especially the recent spate of very public hacks into large organizations by groups such as LulzSec, are the result of a degree of organizational indifference to security.
“Given that these hacks were nothing new — every month seems to bring forth a new one — you’d have to conclude that many businesses don’t view themselves as having an obligation to their customers to make sure data is secure.”
I think there’s certainly a kernel of truth here, but I also think it’s dangerous to use too broad a brush when painting a picture of the current state of security. It’s hard to argue that a lot of companies have done a poor job of securing their infrastructure and information. But—and it’s a very big but—a lot of companies have done a far, far better job than they are given credit for.
One of the common features of hacking (whether for malicious fun or profit) is that attackers tend to look for easy targets. In fact, research shows that a lot of successful attacks are somewhat opportunistic. The hacker looks for a certain type of vulnerability and then tries to find a target organization that exhibits that weakness and can therefore be exploited. Rarely do hackers actually go after specific organizations because of who they are (the attacks by LulzSec on Sony, and attacks on certain defense contractors by “APTs”, are more the exception than the rule).
In this year’s Data Breach Investigations Report, the Verizon Risk Team (along with the US Secret Service and others) identified 83% of all the attacks that they investigated as being opportunistic in nature. The attacker picked that target because it exhibited a vulnerability that the attacker knew how to exploit. In only 17% of cases was the company targeted first and then a vulnerability sought.
What this means is that in the vast majority of cases, when hackers encounter an organization whose security *is* strong, they simply move on. Like predators in the animal kingdom, hackers seek the weakest targets simply because that is the most efficient (and risk-free) use of their time and resources.
What hits the headlines, then, is not a representative picture of how enterprises approach security, but rather a somewhat skewed view, in much the same way that the news headlines paint a rather different picture of life than is experienced by most people. What we see is the result of successful attacks on organizations that, for some reason, whether bad luck, insufficient resources, or yes, organizational disinterest, looked like an easy target to the wrong attacker at the wrong time. It’s not good, but perhaps it’s not as bleak as the article suggests.
I also think there’s another set of factors at work here, compounding the problem for businesses and government agencies struggling to catch up with security best practices. In fact, I think the worst is yet to come, but there is also tremendous opportunity. In my next post, I’ll discuss what I think those factors are, and why the problems of today may well be signposts to the solutions for tomorrow.