Why are organizations continuing to have cyber breaches?


How much is enough? How much money, resources, frameworks, consultants will it take for an organization to truly grasp the fact that there isn't enough to eliminate a cyber incident?
Realization is that it will happen. How the organization responds and its preparedness for that moment will truly validate what it should apply for its Total Cost of Risk model.

Cyber Insurance and Liability
Cyber Security Strategy
Risk Management
Tim Smit
15 months ago

9 answers


From what I've observed:

a) There's no leadership buy-in on data protection. Leadership is too focused on profit drivers and sees data protection as a necessary evil. Or something they must "respond/react" to instead of proactively building into their culture.
b) The most "at risk" functions--Marketing/sales and other customer-facing areas--don't prioritize it. Their argument is--if we're not in the business of data protection, why bother with all the effort?
c) Data protection measures (certifications, data security tools) are seen as good-to-haves and not must-haves.

Nayyara Rahman
8 months ago
Depends on industry - Dr. David E. 5 months ago

The current environment heavily favors aggressors, i.e. those perpetrating attacks. They can innovate unimpeded, they have a large ROI for new technology.
Defenders don't even understand the attacks that are coming out now. It would require a large research effort to understand them and a huge investment to effectively mitigate *just the ones we know about*.
Because new attacks are constantly being invented, this so far is a losing game, Kobayashi Maru (Star Trek II reference, look it up). All we can do is deal with loss in the best way possible.
That means minimizing response times, automating port closures or account lock-outs, bringing more computational power to bear on analytics, scripting and smarts as part of the defender's toolkit. Always assume there is an attack ongoing, that you will be compromised. Be prepared to quarantine, wipe and rebuild machines with as low a cost as possible.
The new hardware hacks (implants, see also SuperMicro) make this more expensive to mitigate, but again it is about fast response, confident and decisive actions to prevent the same attack succeeding again. Defenders have to force innovation on the attackers, make them pay for the research first, pay to keep running old attacks that don't work.

Joe Eaton
8 months ago
It's simple.. targets need to be right 100% of the time, attackers only need to be right once. Assume breach and work from there - Richard 8 months ago
And with targets I mean the defense :) - Richard 8 months ago
Needless tautology - Dr. David E. 5 months ago

Living in the mountains of the US, there is a saying, "There are two types of people, those who have hit a deer and those who will." Same thing for breaches. And once you hit that deer, your driving habits change. Same for cyber strategy. In regulated environments, the companies expect their quick response to reduce the fines and focus. Sometimes it works. Regardless, they finally make the investment in cyber.

The question we should be asking is how do we push companies to invest in cyber before a breach/incident? That is the magic.

Christopher Gebhardt
8 months ago
Oh that it were so. Many companies that have been breached fail to address their vulnerabilities comprehensively and suffer subsequent breaches. There's a strong cost-benefit assessment going on and obviously, some companies focus on shutting the barn door after the horse has left and don't bother to do a full assessment of other risks. - Howard 8 months ago
Agree - Dr. David E. 5 months ago

It is a continuous race between organizations and attackers. One day the one side has an advantage and then the other. The weak link is often not the IT protection itself, but the human employee, as awareness is lacking. Often the sophisticated IT protection could be bypassed by a low-tech attack.

Patrick Henz
7 months ago
OK - Dr. David E. 5 months ago

It's a series of tubes.

Timmy Wahba
6 months ago
WaWa! - Dr. David E. 5 months ago

Companies will stop having breaches when their hackers are smarter than those on the outside of the company. Attacks will continue but breaches should be manageable. Better sentinel monitoring powered by pattern-sniffing AI will aid in the reduction of breaches but will not eliminate them altogether.

Sandy Waters
6 months ago
Thanks - Dr. David E. 5 months ago

Data protection strategies against cyber attacks should be mandated simultaneously with the initiation of any business that is at risk of attacks. These companies should be severely punished when their caring for the interests of their clients becomes less important than their profits.

Apollone Reid
6 months ago
PUNISH: FB, Google, Apple, AMAZON, etc - Dr. David E. 5 months ago
Really? - Dr. David E. 5 months ago

Employers need to be plugged in at all times. Without internet access at work, employees feel restricted, like a mental prison; there is a need to stay connected, even at work. Accessing external websites at work requires better screening protocols.

Yul Anderson
6 months ago
Yul Anderson, I understand your point and agree! Based on the philosophy of Symbiotic Autonomous Systems we already became Cyborgs, as we have outsourced a part of our memory to smartphones and the Internet: - Patrick 6 months ago
If you work for me - you are off line; period - Dr. David E. 5 months ago

Saw this today. Thought it might be helpful:

Nayyara Rahman
6 months ago
Thanks - Dr. David E. 5 months ago
